How NSO Group’s iPhone-Hacking Exploit Works


For years, the Israeli spyware vendor NSO Group has sparked fear and fascination in the hearts of the international community due to its hacking products — the likes of which have been sold to authoritarian governments throughout the world and used against journalists, activists, politicians, and anybody else unfortunate enough to be targeted. The company, which has often been embroiled in scandal, has frequently seemed to operate as if by digital incantation — with commercial exploit attacks that require no phishing and malware that is all-seeing and can reach into the most private digital spaces.

But some of NSO’s secrets were very publicly blown open last week, when researchers managed to technically deconstruct how one of the company’s notorious “zero-click” attacks works. On Dec. 15, researchers with Google’s Project Zero published a detailed breakdown of how an NSO exploit, dubbed “FORCEDENTRY,” works.

FORCEDENTRY was designed to compromise Apple iPhones and is thought to have led to the hacking of a limited number of devices. Initial details about the exploit were captured by Citizen Lab, a research unit at the University of Toronto. Citizen Lab researchers managed to obtain phones that had been subjected to NSO “zero-click” attacks and published initial research on how they worked in September. Not long afterward, Apple announced it was suing NSO and also published a patch for the vulnerability associated with the exploit.

Citizen Lab ultimately shared its findings with Google’s researchers who, as of last week, finally published their analysis of the exploit. As you might expect, it’s pretty incredible — and frightening — stuff.

“Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states,” write researchers Ian Beer and Samuel Groß.

How the NSO Exploit Worked: Trojan GIFs and a Computer Within a Computer

Probably the most terrifying thing about FORCEDENTRY is that, according to Google’s researchers, the only thing necessary to hack a person was their phone number or their Apple ID username.

Using one of those identifiers, the wielder of NSO’s exploit could compromise any device they wished. The attack process was simple: What appeared to be a GIF was sent to the victim’s phone. However, the image in question was not actually a GIF; instead, it was a malicious PDF that had been dressed up with a .gif extension. Within the file was a highly sophisticated malicious payload that could trigger a vulnerability in Apple’s image processing software and use it to quickly take over valuable resources within the targeted device. The recipient didn’t even need to open the image for it to take effect: the phone processed the file automatically on receipt.
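The extension-versus-content trick described above is something a defender can check for directly: the first bytes of a file (its “magic bytes”) identify the real format regardless of what the filename claims. The following is an added example written for this article, not code from Project Zero, Citizen Lab, or Apple; the sample bytes are constructed in-line and are not real FORCEDENTRY artefacts, and the `/JBIG2Decode` scan is a simple heuristic that only works on uncompressed PDF object dictionaries.

```python
"""Added example: flag files whose extension disagrees with their real format.

A file named *.gif that actually begins with the PDF header is exactly the
mismatch the article describes. As a second signal, a PDF whose object
dictionaries reference the /JBIG2Decode filter is worth a closer look, since
JBIG2 image streams are the component the article says was abused.
"""

import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample inputs (not real attack files): a genuine GIF header,
# and a PDF dressed up as a GIF that declares a JBIG2-compressed image.
SAMPLE_REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 8
SAMPLE_FAKE_GIF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /XObject /Subtype /Image /Filter /JBIG2Decode >>\n"
    b"stream\n" + b"\x00" * 16 + b"\nendstream\nendobj\n%%EOF\n"
)

# Magic-byte table: (offset, signature, canonical format name).
MAGIC = [
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"%PDF-", "pdf"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
]

# What each filename extension claims the content is.
EXT_TO_FORMAT = {
    ".gif": "gif",
    ".pdf": "pdf",
    ".png": "png",
    ".jpg": "jpeg",
    ".jpeg": "jpeg",
}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the real format based on leading bytes, or None if unknown."""
    for offset, sig, name in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return name
    return None


def uses_jbig2(data: bytes) -> bool:
    """Heuristic: does an (uncompressed) PDF reference the JBIG2 filter?"""
    return b"/JBIG2Decode" in data


@dataclass
class Verdict:
    filename: str
    claimed: Optional[str]   # format implied by the extension
    actual: Optional[str]    # format implied by the magic bytes
    mismatch: bool           # both known, and they disagree
    jbig2: bool              # PDF that declares a JBIG2 image stream


def inspect(filename: str, data: bytes) -> Verdict:
    """Compare the extension's claim with the content and report both signals."""
    claimed = EXT_TO_FORMAT.get(os.path.splitext(filename)[1].lower())
    actual = sniff_format(data)
    mismatch = claimed is not None and actual is not None and claimed != actual
    jbig2 = actual == "pdf" and uses_jbig2(data)
    return Verdict(filename, claimed, actual, mismatch, jbig2)


if __name__ == "__main__":
    for name, blob in (("cat.gif", SAMPLE_REAL_GIF), ("cat.gif", SAMPLE_FAKE_GIF)):
        v = inspect(name, blob)
        status = "MISMATCH" if v.mismatch else "ok"
        print(f"{v.filename}: claims {v.claimed}, is {v.actual} -> {status}; jbig2={v.jbig2}")
```

Run as a script it reports the genuine GIF as consistent and the disguised PDF as a mismatch that also declares a JBIG2 stream. The point of the design is that the two signals are independent: the magic-byte check catches the disguise even when the payload format is something other than JBIG2, while the filter scan catches a JBIG2-bearing PDF even when it arrives under its own name.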

Technically speaking, what FORCEDENTRY did was exploit a zero-day vulnerability within Apple’s image rendering library, CoreGraphics — the software that iOS uses to process on-device imagery and media. That vulnerability, officially tracked as CVE-2021-30860, was in an old piece of free, open-source code that iOS was apparently using to decode JBIG2-compressed images embedded in PDF files — specifically, the Xpdf implementation of JBIG2.

Here’s where the attack gets really wild, though. By exploiting the image processing vulnerability, FORCEDENTRY was able to get inside the targeted device and use the phone’s own memory to build a rudimentary virtual machine, basically a “computer within a computer.” From there, that machine could “bootstrap” NSO’s Pegasus malware from within the device, which ultimately relayed data back to whoever had deployed the exploit.

In an email exchange with Gizmodo, Beer and Groß elaborated a little bit on how all this works. The attack “supplies a JBIG2-compressed file which performs thousands of basic mathematical operations originally meant for decompressing data,” said the researchers. “Through those operations, it first triggers a ‘memory corruption’ vulnerability in JBIG2, and with that modifies memory in a way that then permits access to unrelated memory contents in subsequent operations.”

From there, the program “essentially builds a little computer on top of these basic mathematical operations, which it uses to run code that can now access other memory of the attacked iPhone,” the researchers further explained. After the mini-computer is up and running within the targeted phone, NSO uses it to “run their own code (instead of Apple’s) and use that to bootstrap the malware” from inside the actual device, they added.

Long story short, the NSO exploit is able to commandeer a victim’s phone from the inside out and use the device’s own resources to set up and run its surveillance operations.

Apple’s Lawsuit and Other Troubles

The vulnerability related to this exploit was fixed in Apple’s iOS 14.8 update (issued in October), though some security researchers have warned that if a person’s phone was compromised by Pegasus prior to the update, a patch may not do all that much to keep intruders out: patching closes the entry point but does not remove malware already installed.

NSO’s malware and its mysterious hacking methods have been the subject of fear and speculation for years, so it’s kind of amazing to have Google finally pull back the curtain on precisely how this piece of computing black magic actually works.

Yet while the inner workings of this fearsome tool have finally been revealed, the makers of the tool are currently struggling to survive. Indeed, NSO has been having one hell of a tough year — as the company jostles from one disastrous scandal to the next. Ongoing journalistic investigations into the apparent malfeasance of its customer base have been paired with multiple lawsuits from some of the world’s biggest companies, government inquiries, powerful sanctions from the U.S., and the flight of investors and financial backers.