Security Experts:

Google Says NSO Pegasus Zero-Click 'Most Technically Sophisticated Exploit Ever Seen'

Security researchers at Google’s Project Zero have picked apart one of the most notorious in-the-wild iPhone exploits and found a never-before-seen hacking roadmap that included a PDF file pretending to be a GIF image with a custom-coded virtual CPU built out of boolean pixel operations.

If that makes you scratch your head, that was exactly the reaction from Google’s premier security research team after disassembling the so-called FORCEDENTRY iMessage zero-click exploit used to plant NSO Group’s Pegasus surveillance tool on iPhones.

“We assess this to be one of the most technically sophisticated exploits we've ever seen,” Google’s Ian Beer and Samuel Groß wrote in a technical deep-dive into the remote code execution exploit that was captured during an in-the-wild attack on an activist in Saudi Arabia.

Google said it received a sample of the exploit from Citizen Lab and collaborated with Cupertino’s usually secretive Security Engineering and Architecture (SEAR) group on a technical analysis that discovered a head-scratching array of technical sophistication in an exploit platform sold to governments around the world.

The researchers said the sophistication of the exploit is confirmation that hackers at the Israel-based NSO Group have technical expertise and resources to rival those previously thought to be accessible to only a handful of nation states.

[ READ: Apple Slaps Lawsuit on NSO Group Over Pegasus iOS Exploitation ]

Apple shipped a patched for the FORCEDENTRY zero-day (CVE-2021-30860) in September this year after Citizen Lab documented an iOS zero-click exploit for iMessage that bypassed Apple’s ‘BlastDoor’ sandbox to plant the Pegasus spyware on iPhones.  Citizen Lab said the FORCEDENTRY exploit was used to plant the Pegasus malware on the iPhones of nine Bahrani human rights activists between June 2020 and February 2021.

In its breakdown, Project Zero said the exploit effectively created “a weapon against which there is no defense,” noting that zero-click exploits work silently in the background and does not even require the target to click on a link or surf to a malicious website. “Short of not using a device, there is no way to prevent exploitation by a zero-click exploit,” the research team said.

The researchers confirmed the initial entry point for Pegasus was Apple’s proprietary iMessage that ships by default on iPhones, iPads and macOS devices.  By targeting iMessage, the NSO Group hackers needed only a phone number of an AppleID username to take aim and fire eavesdropping implants.

Because iMessage has native support for GIF images (especially those that loop endlessly), Project Zero’s researchers found that this expanded the attack surface and ended up being abused in an exploit cocktail that targeted a security defect  in Apple’s CoreGraphics PDF parser.

[ READ: New iOS Zero-Click Exploit Defeats Apple 'BlastDoor' Sandbox ]

Within Apple’s CoreGraphics PDF parser, the NSO exploit writers abused Apple’s implementation of the open-source JBIG2, a domain specific image codec designed to compress images where pixels can only be black or white.

Describing the exploit as “pretty terrifying,” Google said the NSO Group hackers effectively booby-trapped a PDF file, masquerading as a GIF image, with an encoded virtual CPU to start and run the exploit.

"JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does," the researchers explained.

"Using over 70,000 segment commands defining logical bit operations, [NSO’s hackers] define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent."

"The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying,” the Google researchers added.

Following the documented Pegasus attacks, Apple filed a lawsuit seeking to hold NSO Group accountable for the ongoing surveillance hacks that target iOS-powered devices.

The U.S. government has since added NSO Group to its “entity list,” a move that blocks American companies from doing business with the Israeli spyware vendor.

Related: Apple Slaps Lawsuit on NSO Group Over Pegasus iOS Exploitation

Related: US Puts New Controls on Israeli Spyware Company NSO Group

Related: Apple Ships Urgent Patch for FORCEDENTRY Zero-Days

Related: Apple Confirms New Zero-Day Attacks on Older iPhones

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.