Google has described how the surveillance firm NSO Group created an exploit that let users of its software gain access to an iPhone and install malware – all without the victim ever clicking on a link.
The US Department of Commerce put NSO Group on its "entity list" last month, effectively barring it from US markets, given the evidence that it supplied spyware to other authorities that used it to target government officials, journalists, entrepreneurs, activists, academics, and embassy workers. In late November, Apple issued a permanent injunction prohibiting NSO from using any of its software, applications, or equipment.
Google's Project Zero (GPZ) has now analysed a comparatively new NSO 'zero-click' exploit against iOS 14.7.1 and earlier, calling it "one of the most technically sophisticated exploits we've ever seen".
GPZ's Ian Beer and Samuel Groß described NSO's exploit as "incredible" and "terrifying". It builds a "weird" emulated computing environment inside an iOS component that handles GIFs and does not ordinarily support scripting. The exploit nonetheless lets an attacker run JavaScript-like logic in that component to write to arbitrary memory locations - and so remotely compromise an iPhone.
Citizen Lab, a Canadian security firm, reported the flaw to Apple as part of its joint investigation with Amnesty International into NSO's Pegasus mobile spyware, which can be installed once an exploit has jailbroken the iPhone.
This September, Apple fixed the memory corruption flaw in the CoreGraphics component, identified as CVE-2021-30860, in iOS 14.8.
GPZ's Beer and Groß said the exploit shows that "the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation-states".
iMessage is Pegasus's initial point of entry on the iPhone. According to the research, this means a person can be targeted by an attacker who knows only their phone number or AppleID username.
The iMessage flaw stems from the extra functionality Apple allows for GIF images. In iOS's ImageIO library, Apple employs a "fake gif" trick to make standard GIF images loop indefinitely. The same trick exposes more than 20 additional image codecs, giving attackers a far larger attack surface.
"NSO uses the 'fake gif' trick to target a vulnerability in the CoreGraphics PDF parser," Beer and Groß explain.
NSO found that foothold in Apple's implementation of the JBIG2 image compression and decompression standard. The standard was originally used in old Xerox scanners to turn scanned paper pages into PDF files only a few kilobytes in size.
The emulated computer, built on the JBIG2 part of Apple's CoreGraphics PDF parser, was one of several ingenious techniques NSO devised. Although JBIG2 has no scripting features, NSO was able to write to arbitrary memory addresses using this emulated computing environment and a JavaScript-like scripting language.
"JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory," explain Beer and Groß.
"The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying."
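The "circuits of arbitrary logic gates operating on arbitrary memory" that Beer and Groß describe are easier to picture with a toy model. The Python below is an added illustration, not code from Google's write-up, from NSO, or from Apple: it assumes a one-row page bitmap whose pixels stand in for memory cells, uses the five region combination operators the JBIG2 standard (ITU-T T.88) defines, and, as a simplification, reads each gate's second operand from another pixel rather than from a region decoded out of the stream. It goes beyond the page's single-gate statement by chaining the gates into a full adder and a multi-bit adder.

```python
from typing import Callable, Dict, List, Tuple

# Combination operators JBIG2 (ITU-T T.88) allows when a decoded region is
# composed onto the page bitmap. The existing page pixel is the left operand.
OPS: Dict[str, Callable[[int, int], int]] = {
    "OR": lambda page, src: page | src,
    "AND": lambda page, src: page & src,
    "XOR": lambda page, src: page ^ src,
    "XNOR": lambda page, src: 1 - (page ^ src),
    "REPLACE": lambda page, src: src,
}

Instr = Tuple[str, int, int]  # (operator, destination pixel, source pixel)

def run(page: List[int], program: List[Instr]) -> List[int]:
    """Apply each composition in order: every step is one gate whose result
    is written back into page memory. Simplification (assumption of this toy):
    the source operand is read from another page pixel instead of being
    decoded from the JBIG2 stream, which is where a real decoder gets it."""
    page = list(page)
    for op, dst, src in program:
        page[dst] = OPS[op](page[dst], page[src])
    return page

# Cell layout for the adder: 0=a 1=b 2=cin 3=t1 4=t2 5=sum 6=cout
FULL_ADDER: List[Instr] = [
    ("REPLACE", 3, 0), ("XOR", 3, 1),   # t1 = a ^ b
    ("REPLACE", 5, 3), ("XOR", 5, 2),   # sum = a ^ b ^ cin
    ("REPLACE", 4, 3), ("AND", 4, 2),   # t2 = (a ^ b) & cin
    ("REPLACE", 6, 0), ("AND", 6, 1),   # cout = a & b
    ("OR", 6, 4),                       # cout |= t2
]

def full_adder(a: int, b: int, cin: int) -> Tuple[int, int]:
    """Return (sum, carry-out) computed purely by page compositions."""
    out = run([a, b, cin, 0, 0, 0, 0], FULL_ADDER)
    return out[5], out[6]

def nand(a: int, b: int) -> int:
    """NAND from AND plus XNOR against a constant-0 cell (cell 2). Because
    NAND alone is universal, any Boolean circuit fits in this operator set."""
    out = run([a, b, 0, 0], [("REPLACE", 3, 0), ("AND", 3, 1), ("XNOR", 3, 2)])
    return out[3]

def ripple_add(x: int, y: int, bits: int) -> int:
    """Add two unsigned integers by chaining full adders, least significant
    bit first; the final carry is dropped, so the result wraps modulo 2**bits."""
    carry, total = 0, 0
    for i in range(bits):
        s, carry = full_adder((x >> i) & 1, (y >> i) & 1, carry)
        total |= s << i
    return total
```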