For years, the Israeli spyware vendor NSO Group’s hacking tools have sparked fear and fascination throughout the international community. Such tools have been sold to authoritarian governments all over the world and used against journalists, activists, politicians, and anybody else unfortunate enough to be targeted. The company, which has often been embroiled in scandal, has frequently seemed to operate as if by digital incantation—with commercial exploit attacks that require no phishing and malware that is all-seeing and can reach into the most private digital spaces.
But some of NSO’s dark secrets were very publicly revealed last week, when researchers technically deconstructed just how one of the company’s notorious “zero-click” attacks works. Researchers with Google’s Project Zero published a detailed breakdown showing how an NSO exploit, dubbed “FORCEDENTRY,” can swiftly and silently take over a phone.
The exploit, which was designed to target Apple iPhones, is thought to have led to the hacking of devices in multiple countries, including those of several U.S. State Department officials working in Uganda. Initial details about it were captured by Citizen Lab, a research unit at the University of Toronto that has frequently published research on NSO’s activities. Citizen Lab researchers obtained phones that had been subjected to the company’s “zero-click” attacks and, in September, published initial research about how the exploit worked. Apple released security updates that same month to patch the underlying vulnerability, and in November it announced that it was suing NSO.
Citizen Lab ultimately shared its findings with Google’s researchers who, as of last week, finally published their analysis of the attacks. As you might expect, it’s pretty incredible—and frightening—stuff.
“Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states,” write researchers Ian Beer and Samuel Groß.
Probably the most terrifying thing about FORCEDENTRY is that, according to Google’s researchers, the only thing an attacker needed to compromise a target was their phone number or their Apple ID username.
Using one of those identifiers, the operator of NSO’s exploit could compromise any iPhone running a vulnerable version of iOS. From the victim’s side the attack was simple: what appeared to be a GIF was sent to the phone via iMessage. The file was not actually a GIF; it was a malicious PDF given a .gif extension. The extension only selects the code path: iMessage hands such attachments to Apple’s ImageIO framework for re-encoding, and ImageIO identifies the real format from the file’s contents rather than its name, so the PDF was routed to Apple’s PDF parser regardless. Inside the file was a payload that triggered a vulnerability in that parser and used it to run attacker-controlled logic inside the process that was decoding the image. The recipient never needed to open, view or click on the message.
Technically speaking, FORCEDENTRY exploited a zero-day vulnerability in CoreGraphics, Apple’s 2D rendering framework, which contains the PDF parser iOS uses. The vulnerability, tracked as CVE-2021-30860 and described by Apple as an integer overflow fixed with improved input validation, sits in the parser’s JBIG2 decoder. JBIG2 is a compression format for black-and-white images that is common in scanned PDFs, and Apple’s decoder is derived from the old, open-source Xpdf implementation.
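To make the class of bug concrete, here is an added illustration, written for this page and not taken from Apple’s, Xpdf’s or Project Zero’s code, of how an unchecked 32-bit sum of file-supplied counts yields an undersized allocation, beside a checked version that rejects the input instead. The type sym_segment_t, the cap MAX_TOTAL_SYMBOLS and the sample counts are constructed for the example; the real decoder’s structures and the exact arithmetic that overflowed are not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a referenced JBIG2 symbol dictionary segment.
 * The decoder learns how many symbols each one exports from the file
 * itself, so this count is attacker-controlled. Hypothetical type, not
 * Xpdf's or Apple's. */
typedef struct {
    uint32_t num_exported;
} sym_segment_t;

/* Vulnerable pattern: add file-supplied 32-bit counts into a 32-bit
 * total. Unsigned addition wraps silently, so two large counts can sum
 * to a tiny number, and an array sized from it is far too small. */
uint32_t total_symbols_unchecked(const sym_segment_t *segs, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += segs[i].num_exported;
    return total;
}

/* Hardened pattern: reject the segment list as soon as the running total
 * would exceed an explicit cap. The cap is illustrative; a real decoder
 * would derive it from the format's limits and available memory.
 * Returns the total, or -1 if the input is rejected. */
#define MAX_TOTAL_SYMBOLS (1u << 24)

int64_t total_symbols_checked(const sym_segment_t *segs, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (segs[i].num_exported > MAX_TOTAL_SYMBOLS - total)
            return -1;              /* would pass the cap: refuse to decode */
        total += segs[i].num_exported;
    }
    return (int64_t)total;
}

/* Models the copy loop that follows the allocation: it visits every symbol
 * of every segment, trusting the per-segment counts. Returns how many
 * entries it would write beyond an array holding alloc_count entries.
 * Computed in 64 bits so the model itself cannot wrap. */
uint64_t entries_written_past_alloc(const sym_segment_t *segs, size_t n,
                                    uint32_t alloc_count)
{
    uint64_t written = 0;
    for (size_t i = 0; i < n; i++)
        written += segs[i].num_exported;
    return written > alloc_count ? written - alloc_count : 0;
}

/* Constructed inputs: a benign pair, and a pair whose 32-bit sum wraps
 * to 16 (0xFFFFFFF0 + 0x20 = 0x100000010). */
const sym_segment_t benign_segs[2]   = { {100u}, {200u} };
const sym_segment_t wrapping_segs[2] = { {0xFFFFFFF0u}, {0x20u} };

int main(void)
{
    uint32_t alloc = total_symbols_unchecked(wrapping_segs, 2);
    printf("unchecked total: %u entries allocated\n", (unsigned)alloc);
    printf("copy loop overruns by %llu entries\n",
           (unsigned long long)entries_written_past_alloc(wrapping_segs, 2, alloc));
    printf("checked decoder returns %lld (rejected)\n",
           (long long)total_symbols_checked(wrapping_segs, 2));
    return 0;
}
```

The point of the model is the gap between the two loops: the allocation trusts the wrapped total, while the copy trusts each segment’s own count, and the attacker controls both. A decoder that bounds the sum before allocating has no such gap.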
Here’s where the attack gets really wild, though. JBIG2 has no scripting ability; its decoder simply draws rectangular bitmaps onto a page and combines them with logical operators such as AND, OR, XOR and XNOR. Once the memory corruption let those bitmaps cover memory they were never meant to touch, the same drawing operations could read and write arbitrary memory, and FORCEDENTRY used over 70,000 of them as logic gates to build a rudimentary virtual computer out of the decoder itself, a “computer within a computer.” That machine then ran the exploit’s own logic to bootstrap NSO’s Pegasus malware, which ultimately relayed data back to whoever had deployed the exploit.
In an email exchange with Gizmodo, Beer and Groß elaborated a little bit on how all this works. The attack “supplies a JBIG2-compressed file which performs thousands of basic mathematical operations originally meant for decompressing data,” said the researchers. “Through those operations, it first triggers a ‘memory corruption’ vulnerability in JBIG2, and with that modifies memory in a way that then permits access to unrelated memory contents in subsequent operations.”
From there, the program “essentially builds a little computer on top of these basic mathematical operations, which it uses to run code that can now access other memory of the attacked iPhone,” the researchers further explained. After the mini-computer is up and running within the targeted phone, NSO uses it to “run their own code (instead of Apple’s) and use that to bootstrap the malware” from inside the actual device, they added.
Long story short, the NSO exploit is able to commandeer a victim’s phone from the inside out and use the device’s own resources to set up and run its surveillance operations.
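The “little computer” the researchers describe rests on one property of the format: a JBIG2 decoder composes bitmaps with logical operators, and logical operators over memory are enough to build gates, and from gates an adder, registers and so on. The added example below, written for this page and not Project Zero’s or NSO’s code, models a decoder’s region-composition step as a list of OR/AND/XOR/XNOR/REPLACE commands over a flat bit array and uses nothing but those commands to build an 8-bit ripple-carry adder. The cell layout, the cmd_t command format and the page size are constructed for the example; the real exploit worked on 2-D bitmaps whose backing memory had been corrupted to span far beyond the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Flat 1-bit-per-cell "page" standing in for decoder memory. Real JBIG2
 * bitmaps are 2-D; one bit per cell is enough to show the computation. */
#define CELLS 64
typedef struct { uint8_t bit[CELLS]; } page_t;

/* The combination operators a JBIG2 decoder uses when drawing one region
 * onto another (the spec's OR, AND, XOR, XNOR and REPLACE). */
typedef enum { OP_OR, OP_AND, OP_XOR, OP_XNOR, OP_REPLACE } combop_t;

/* One constructed "segment command": dst = dst <op> src, on a single cell. */
typedef struct { uint8_t dst, src; combop_t op; } cmd_t;

/* The decoder's drawing step. No bounds check on dst/src, deliberately:
 * it mirrors what the memory corruption bought the attacker. The layout
 * below keeps every index inside CELLS. */
static void compose(page_t *p, cmd_t c)
{
    uint8_t d = p->bit[c.dst], s = p->bit[c.src], r;
    switch (c.op) {
    case OP_OR:   r = d | s;                 break;
    case OP_AND:  r = d & s;                 break;
    case OP_XOR:  r = d ^ s;                 break;
    case OP_XNOR: r = (uint8_t)!(d ^ s);     break;
    default:      r = s;                     break;   /* REPLACE */
    }
    p->bit[c.dst] = r;
}

/* Constructed cell layout: operand A in 0..7, B in 8..15, SUM in 16..23,
 * the carry in 24, a cell that is always 0 in 25, scratch in 32..34. */
enum { A0 = 0, B0 = 8, S0 = 16, CARRY = 24, ZERO = 25, T1 = 32, T2 = 33, T3 = 34 };

/* Ten commands for one full-adder stage: s = a ^ b ^ cin,
 * cout = (a & b) | ((a ^ b) & cin). Only compose() is used. */
static size_t emit_full_adder(cmd_t *out, uint8_t a, uint8_t b, uint8_t s)
{
    size_t n = 0;
    out[n++] = (cmd_t){ T1, a, OP_REPLACE };      /* T1 = a             */
    out[n++] = (cmd_t){ T1, b, OP_XOR };          /* T1 = a ^ b         */
    out[n++] = (cmd_t){ s, T1, OP_REPLACE };      /* s  = a ^ b         */
    out[n++] = (cmd_t){ s, CARRY, OP_XOR };       /* s ^= cin           */
    out[n++] = (cmd_t){ T2, a, OP_REPLACE };      /* T2 = a             */
    out[n++] = (cmd_t){ T2, b, OP_AND };          /* T2 = a & b         */
    out[n++] = (cmd_t){ T3, T1, OP_REPLACE };     /* T3 = a ^ b         */
    out[n++] = (cmd_t){ T3, CARRY, OP_AND };      /* T3 = (a ^ b) & cin */
    out[n++] = (cmd_t){ CARRY, T2, OP_REPLACE };  /* cout = a & b       */
    out[n++] = (cmd_t){ CARRY, T3, OP_OR };       /* cout |= T3         */
    return n;
}

#define ADDER_CMDS 80
/* Chain eight stages into a ripple-carry adder "program". */
static size_t emit_adder8(cmd_t *prog)
{
    size_t n = 0;
    for (int i = 0; i < 8; i++)
        n += emit_full_adder(prog + n, (uint8_t)(A0 + i), (uint8_t)(B0 + i), (uint8_t)(S0 + i));
    return n;
}

/* Load a and b into the page, "decode" the command list, read back the
 * 9-bit result (carry in bit 8). */
uint16_t add8_via_compose(uint8_t a, uint8_t b)
{
    page_t p;
    memset(&p, 0, sizeof p);
    for (int i = 0; i < 8; i++) {
        p.bit[A0 + i] = (uint8_t)((a >> i) & 1);
        p.bit[B0 + i] = (uint8_t)((b >> i) & 1);
    }
    cmd_t prog[ADDER_CMDS];
    size_t n = emit_adder8(prog);
    for (size_t i = 0; i < n; i++)
        compose(&p, prog[i]);
    uint16_t r = 0;
    for (int i = 0; i < 8; i++)
        r |= (uint16_t)(p.bit[S0 + i] << i);
    r |= (uint16_t)(p.bit[CARRY] << 8);
    return r;
}

/* XNOR against a known-zero cell is NOT, so the operator set is complete:
 * any boolean function, and hence any circuit, can be built this way. */
uint8_t not_via_xnor(uint8_t v)
{
    page_t p;
    memset(&p, 0, sizeof p);
    p.bit[T1] = (uint8_t)(v & 1);
    compose(&p, (cmd_t){ T1, ZERO, OP_XNOR });
    return p.bit[T1];
}

int main(void)
{
    printf("0x5A + 0x3C = 0x%03X\n", add8_via_compose(0x5A, 0x3C));
    printf("0xFF + 0x01 = 0x%03X\n", add8_via_compose(0xFF, 0x01));
    printf("NOT 1 = %u\n", not_via_xnor(1));
    return 0;
}
```

Nothing in the command list is executable code; each entry is a legitimate drawing operation the decoder would accept from any file. The computation lives entirely in which cells the commands point at, which is why the bug that let those pointers escape the page turned an image codec into a processor.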
The vulnerability was fixed in Apple’s iOS 14.8 update, issued in September. Some security researchers have warned, however, that the patch only closes the entry point: if a phone was compromised by Pegasus before updating, installing the fix does not remove malware that is already on the device.
NSO’s malware and its mysterious hacking methods have been the subject of fear and speculation for years, so it’s kind of amazing to have Google finally pull back the curtain on precisely how this piece of computing black magic actually works.
Yet while the inner workings of this fearsome tool have finally been revealed, the makers of the tool are currently struggling to survive. Indeed, NSO has been having one hell of a tough year—as the company jostles from one disastrous scandal to the next. Ongoing journalistic investigations into the apparent malfeasance of its customer base have been paired with multiple lawsuits from some of the world’s biggest companies, government inquiries, powerful sanctions from the U.S., and fleeing investors and financial support.
Correction: An earlier version of this story said that Apple issued its patch in October. The security updates were issued in September.