Google has explained how surveillance company NSO Group developed an exploit that would allow users of its software to gain access to an iPhone and install spyware – without a target ever even clicking a link. 

Last month, the US Department of Commerce added NSO Group to its “entity list”, largely banning it from US markets due to evidence it supplied spyware to foreign governments that used it to target government officials, journalists, business people, activists, academics, and embassy workers. In late November, Apple filed for a permanent injunction banning NSO from using any of its software, services or devices.

Now Google’s Project Zero (GPZ) has analyzed a relatively new NSO ‘zero-click’ exploit for iOS 14.7.1 and earlier, and deemed it “one of the most technically sophisticated exploits we’ve ever seen”.

GPZ’s Ian Beer and Samuel Groß described NSO’s exploit as both “incredible” and “terrifying”. The exploit creates a “weird” emulated computer environment within a component of iOS that handles GIFs but doesn’t normally support scripting capabilities. This exploit, however, allows an attacker to run JavaScript-like code in that component in order to write to arbitrary memory locations – and remotely hack an iPhone.

Security researchers at Canada-based Citizen Lab reported the bug to Apple as part of its joint research with Amnesty International into NSO’s Pegasus mobile spyware package, which can be installed after using an exploit that jailbreaks an iPhone.

Apple patched the memory corruption bug, tracked as CVE-2021-30860, in the CoreGraphics component in iOS 14.8 this September.

Citizen Lab also shared a sample of NSO’s iMessage-based zero-click exploit for GPZ researchers to analyze. The attack exploits the code iMessage uses to support GIF images. 

GPZ’s Beer and Groß said it showed “the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states”. 

The initial entry point for Pegasus on iPhone is iMessage. This means that a victim can be targeted using just their phone number or Apple ID username, the report notes. Even advanced users who know not to click links can be compromised.

The weakness iMessage exposed comes via extra features Apple enabled for GIF images. Apple uses a ‘fake gif’ trick in iOS’s ImageIO library to make normal GIF images loop endlessly. That trick also happens to introduce over 20 additional image codecs, giving attackers a much larger surface to attack.

“NSO uses the ‘fake gif’ trick to target a vulnerability in the CoreGraphics PDF parser,” Beer and Groß explain.

The PDF parser is an interesting target. PDF was historically a popular target for exploitation because it was complex software and everyone used it. JavaScript in PDFs also made it easier to exploit, they explain.

As the GPZ researchers note: “The CoreGraphics PDF parser doesn’t seem to interpret javascript, but NSO managed to find something equally powerful inside the CoreGraphics PDF parser…”

NSO found that powerful tool in Apple’s use of the JBIG2 standard for compressing and decompressing images. The standard was originally used in old Xerox scanners to efficiently transform images from paper into PDF files of just a few kilobytes in size.

Among several crafty tricks NSO developed was the emulated computer architecture that relied on the JBIG2 portion of Apple’s CoreGraphics PDF parser. That emulated computer environment allowed them to write to arbitrary memory addresses with a scripting language not unlike JavaScript, despite JBIG2 lacking scripting capabilities. 

“JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory,” explain Beer and Groß.

“So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.

“The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It’s pretty incredible, and at the same time, pretty terrifying.”
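
The idea in the quoted passage, as an added Python illustration that is not code from Project Zero or from the exploit: a 64-bit adder and an equality comparator composed only from single-bit AND, OR, XOR and XNOR evaluations. The `Gates` class, the function names and the operand values are constructed for this sketch, and the four-gate primitive set is an assumption; it works on Python integers only and models no JBIG2 parsing or memory access.

```python
WIDTH = 64  # register width named in the quoted passage

class Gates:
    """Single-bit primitives (assumed set); counts every gate evaluated."""
    def __init__(self):
        self.used = 0
    def _emit(self, bit):
        self.used += 1
        return bit & 1
    def and_(self, a, b): return self._emit(a & b)
    def or_(self, a, b):  return self._emit(a | b)
    def xor(self, a, b):  return self._emit(a ^ b)
    def xnor(self, a, b): return self._emit(~(a ^ b))

def to_bits(value):
    """Little-endian list of WIDTH bits for a non-negative integer."""
    return [(value >> i) & 1 for i in range(WIDTH)]

def from_bits(bits):
    return sum(bit << i for i, bit in enumerate(bits))

def add64(g, x, y):
    """Ripple-carry addition modulo 2**64, five gates per bit position."""
    carry, out = 0, []
    for a, b in zip(to_bits(x), to_bits(y)):
        partial = g.xor(a, b)
        out.append(g.xor(partial, carry))          # sum bit
        carry = g.or_(g.and_(a, b), g.and_(partial, carry))
    return from_bits(out)                          # final carry is discarded

def equal64(g, x, y):
    """Comparator: AND together the XNOR of every bit pair."""
    same = 1
    for a, b in zip(to_bits(x), to_bits(y)):
        same = g.and_(same, g.xnor(a, b))
    return same

def demo():
    """Constructed operands: the addition wraps around to zero."""
    g = Gates()
    total = add64(g, 0xFFFFFFFFFFFFFFFF, 1)
    adder_gates = g.used
    match = equal64(g, total, 0)
    return total, match, adder_gates, g.used - adder_gates

if __name__ == "__main__":
    print(demo())
```

One addition costs 320 gate evaluations and one comparison 128 in this sketch, which shows how quickly single-bit operations accumulate when arithmetic has to be expressed this way.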