A few months after Citizen Lab outed NSO Group’s ForcedEntry exploit targeting iMessage users, Ian Beer and Samuel Groß of Google Project Zero have posted a detailed technical analysis of how the exploit works.
The researchers collaborated with Apple’s Security Engineering and Architecture (SEAR) group and obtained the ForcedEntry exploit samples from Citizen Lab. They have labelled the exploit “one of the most technically sophisticated exploits” they’ve ever seen.
The exploit is described as a “zero-click” exploit, meaning it requires no interaction from the user. Apple also recently ramped up its security by launching a feature that informs users if an exploit is targeting them, in addition to suing NSO and its parent company OSY Technologies back in November. The US placed NSO on a trade blocklist in the same month.
An unpleasant surprise
The exploit clearly shows that NSO has capabilities previously thought to be held by only a handful of nation-states. NSO’s Pegasus software has been known to target human rights activists and journalists on an alarming scale.
The two-part blog post covering the technical analysis also notes that while such exploits previously worked on a one-tap basis, they have now shifted to zero-click, meaning even the most tech-savvy targets cannot tell they are being targeted, as the exploit works quietly in the background.
Short of not using a digital device at all, there is no way to prevent being exploited by such attacks, with the researchers adding that “it’s a weapon against which there is no defence.”
The entry point here is iMessage. The app has native support for GIF images, the short, compressed animated images popular in meme culture. However, ImageIO, the library that parses these images, guesses the actual format of the source file from its contents and parses it accordingly while ignoring the file extension. That behaviour is flawed, and it meant NSO could sneak in an exploit disguised as a GIF image.
Essentially, Pegasus hides a PDF containing the malicious exploit code inside these GIF files; the exploit then takes advantage of an integer overflow vulnerability in CoreGraphics, the image-parsing library used by Apple.
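The two weaknesses described above, content sniffing that overrides the file extension and an unchecked integer multiplication in an image parser, are the kind of thing a defender can check for at an attachment's front door. The following is an added example written for this article, not code from Project Zero, Apple or NSO: it sniffs a blob by its leading bytes, rejects anything whose content is not an allowed image type regardless of what the file name claims, and contrasts a 32-bit buffer-size computation that silently wraps with one that refuses before multiplying. The function names, the `max_pixels` limit and the sample attachments are constructed for the example; the magic-byte signatures are the real ones for those formats.

```python
# Added example for this article (not Project Zero, Apple or NSO code).
# Function names, the max_pixels limit and the sample attachments below are
# constructed for illustration.

UINT32_MAX = 2**32 - 1

# Leading "magic" bytes of a few common formats (real signatures).
MAGIC_SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
}


def sniff_format(data):
    """Identify a blob by its leading bytes, ignoring the file name entirely."""
    for magic, name in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def declared_extension(filename):
    """Extension the sender claims, normalised so 'jpg' and 'jpeg' compare equal."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"jpg": "jpeg"}.get(ext, ext)


def check_attachment(filename, data, allowed=frozenset({"gif", "png", "jpeg"})):
    """Return (verdict, reason). The verdict is decided by the sniffed content,
    never by the extension, and any disagreement between the two is surfaced."""
    sniffed = sniff_format(data)
    if sniffed is None:
        return ("reject", "unrecognised content")
    if sniffed not in allowed:
        return ("reject", "content is %s, not an allowed image type" % sniffed)
    ext = declared_extension(filename)
    if ext != sniffed:
        return ("flag", "extension .%s disagrees with content %s" % (ext, sniffed))
    return ("accept", sniffed)


def unchecked_u32_buffer_size(width, height, bytes_per_pixel):
    """Models a C parser computing width*height*bpp in an unsigned 32-bit int:
    the product silently wraps, so a huge image can yield a tiny buffer."""
    return (width * height * bytes_per_pixel) & UINT32_MAX


def checked_buffer_size(width, height, bytes_per_pixel, max_pixels=1 << 28):
    """Same computation with overflow ruled out before each multiplication."""
    if width <= 0 or height <= 0 or bytes_per_pixel <= 0:
        raise ValueError("dimensions must be positive")
    if width > max_pixels // height:            # width*height would exceed max_pixels
        raise ValueError("image too large")
    pixels = width * height
    if bytes_per_pixel > UINT32_MAX // pixels:  # pixels*bpp would exceed UINT32_MAX
        raise ValueError("buffer size overflows 32 bits")
    return pixels * bytes_per_pixel


# Constructed sample attachments: a minimal GIF header, and a PDF header sent
# under a .gif name (only headers, no image or exploit content).
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
SAMPLE_PDF_AS_GIF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< >>\nendobj\n"

if __name__ == "__main__":
    print(check_attachment("cat.gif", SAMPLE_GIF))          # accepted, content is gif
    print(check_attachment("cat.gif", SAMPLE_PDF_AS_GIF))   # rejected, content is pdf
    print(unchecked_u32_buffer_size(65536, 65536, 4))       # wraps to 0
    try:
        checked_buffer_size(65536, 65536, 4)
    except ValueError as err:
        print("rejected:", err)
```

The point of the second half is the order of operations: the checked version compares against a division before it ever multiplies, so the product that would wrap in a 32-bit parser is never formed. A 65536 by 65536 image at four bytes per pixel needs 2^34 bytes; the unchecked model allocates zero bytes for it, while the checked one refuses.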
Apple fixed the vulnerability, tracked as CVE-2021-3086, in iOS 14.8 on September 13 this year. Moreover, the iPhone maker told the Project Zero researchers that it had restricted the formats parsed by ImageIO starting with iOS 14.8.1, issued on October 26, and completely removed the GIF code path, with decoding now taking place in the BlastDoor sandbox, starting with iOS 15.0, rolled out on September 20 this year.
The researchers also stated that while this exploit works only against iMessage, and hence Apple devices, they are aware of similar exploits for Android devices. However, they do not yet have a sample.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.