Google has explained how surveillance company NSO Group developed an exploit that would allow users of its software to gain access to an iPhone and install spyware – without a target ever even clicking a link.
Last month, the US Department of Commerce added NSO Group to its “entity list”, largely banning it from US markets due to evidence it supplied spyware to foreign governments that used it to target government officials, journalists, business people, activists, academics, and embassy workers. In late November, Apple filed for a permanent injunction banning NSO from using any of its software, services or devices.
Now Google’s Project Zero (GPZ) has analyzed a relatively new NSO ‘zero-click’ exploit for iOS 14.7.1 and earlier, and deemed it “one of the most technically sophisticated exploits we’ve ever seen”.
Security researchers at Canada-based Citizen Lab reported the bug to Apple as part of its joint research with Amnesty International into NSO’s Pegasus mobile spyware package, which can be installed after using an exploit that jailbreaks an iPhone.
Apple patched the memory corruption bug, tracked as CVE-2021-30860, in the CoreGraphics component in iOS 14.8 this September.
Citizen Lab also shared a sample of NSO’s iMessage-based zero-click exploit for GPZ researchers to analyze. The attack exploits the code iMessage uses to support GIF images.
GPZ’s Beer and Groß said it showed “the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states”.
The initial entry point for Pegasus on iPhone is iMessage. This means that a victim can be targeted just using their phone number or AppleID username, the report notes. Even advanced users who know not to click links can be compromised.
The weakness iMessage exposed comes via extra features Apple enabled for GIF images. Apple uses a ‘fake gif’ trick” in iOS’s ImageIO library to make normal GIF images loop endlessly. That trick also happens to introduce over 20 additional image codecs, giving attackers a much larger surface to attack.
“NSO uses the “fake gif” trick to target a vulnerability in the CoreGraphics PDF parser,” Beer and Groß explain.
NSO found that powerful tool in Apple’s use of the JBIG2 standard for compressing and decompressing images. The standard was originally used in old Xerox scanners to efficiently transform images from paper into PDF files of just a few kilobytes in size.
“JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory,” explain Beer and Groß.
“The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It’s pretty incredible, and at the same time, pretty terrifying.”