Google’s Project Zero team has published a technical analysis of the FORCEDENTRY exploit that was used by NSO Group to infect target iPhones with its Pegasus spyware via iMessage.
Citizen Lab discovered FORCEDENTRY on an iPhone owned by a Saudi activist in March; the organization revealed the exploit in September. Apple released patches for the underlying vulnerability, which affected iOS, watchOS, and macOS devices, 10 days after that disclosure.
Project Zero says that it analyzed FORCEDENTRY after Citizen Lab shared a sample of the exploit with assistance from Apple’s Security Engineering and Architecture (SEAR) group. (It also notes that neither Citizen Lab nor SEAR necessarily agree with its “editorial opinions.”)
“Based on our research and findings,” Project Zero says, “we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.”
The resulting breakdown covers everything from iMessage’s built-in support for GIFs—which Project Zero helpfully defines as “typically small and low quality animated images popular in meme culture”—to a PDF parser that supports the relatively ancient JBIG2 image codec.
What do GIFs, PDFs, and JBIG2 have to do with compromising a phone via iMessage? Project Zero explains that NSO Group found a way to use JBIG2 to achieve the following:
“JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.”
All of which is to say that NSO Group took an image codec designed to compress black-and-white images inside PDFs and used it to get something “fundamentally computationally equivalent” to JavaScript, the programming language that makes web apps work, running on a target’s iPhone.
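To make the “circuits of arbitrary logic gates” idea concrete, here is a small added example (not Project Zero’s code and not the exploit’s actual segment stream). It assumes only what the JBIG2 specification (ITU-T T.88) provides: each region segment combines its bitmap onto the page with one of the combination operators OR, AND, XOR, XNOR or REPLACE. Modelling those operators on single bits of a flat “page” is enough to express a ripple-carry adder and an equality comparator purely as a list of segment commands, which is the kind of computation the quoted passage describes. The cell layout, the `Circuit` helper and the segment encoding are simplifications made up for this illustration.

```python
from typing import Callable, Dict, List, Tuple

# JBIG2 (ITU-T T.88) combination operators, applied here to single bits of a
# flat "page" rather than to whole bitmaps. This is a toy model for teaching;
# it does not reproduce the exploit's real segment encoding.
OPS: Dict[str, Callable[[int, int], int]] = {
    "OR": lambda d, s: d | s,
    "AND": lambda d, s: d & s,
    "XOR": lambda d, s: d ^ s,
    "XNOR": lambda d, s: 1 - (d ^ s),
    "REPLACE": lambda d, s: s,
}

# One segment command: (operator, destination cell, source cell) -> page[dst] = op(page[dst], page[src])
Segment = Tuple[str, int, int]


def run_segments(page: List[int], segments: List[Segment]) -> List[int]:
    """Execute segment commands in order, like a single decompression pass."""
    page = list(page)
    for op, dst, src in segments:
        page[dst] = OPS[op](page[dst], page[src])
    return page


class Circuit:
    """Hypothetical helper: allocates page cells and emits segments for gates."""

    def __init__(self) -> None:
        self.init: List[int] = []        # initial page contents
        self.segments: List[Segment] = []

    def cell(self, value: int = 0) -> int:
        self.init.append(value)
        return len(self.init) - 1

    def gate(self, op: str, a: int, b: int) -> int:
        # A two-input gate costs two segments: copy a into a fresh cell, then combine with b.
        out = self.cell(0)
        self.segments.append(("REPLACE", out, a))
        self.segments.append((op, out, b))
        return out

    def full_adder(self, a: int, b: int, cin: int) -> Tuple[int, int]:
        axb = self.gate("XOR", a, b)
        s = self.gate("XOR", axb, cin)
        cout = self.gate("OR", self.gate("AND", a, b), self.gate("AND", axb, cin))
        return s, cout

    def adder(self, a_bits: List[int], b_bits: List[int]) -> Tuple[List[int], int]:
        carry = self.cell(0)
        sums = []
        for a, b in zip(a_bits, b_bits):
            s, carry = self.full_adder(a, b, carry)
            sums.append(s)
        return sums, carry

    def equal(self, a_bits: List[int], b_bits: List[int]) -> int:
        # Bitwise XNOR, then AND-reduce: 1 iff every bit pair matches.
        acc = self.gate("XNOR", a_bits[0], b_bits[0])
        for a, b in zip(a_bits[1:], b_bits[1:]):
            acc = self.gate("AND", acc, self.gate("XNOR", a, b))
        return acc


def add_via_segments(x: int, y: int, width: int = 64) -> Tuple[int, int]:
    """Add two unsigned ints with a segment-encoded ripple-carry adder.
    Returns (sum mod 2**width, number of segment commands executed)."""
    c = Circuit()
    a_bits = [c.cell((x >> i) & 1) for i in range(width)]
    b_bits = [c.cell((y >> i) & 1) for i in range(width)]
    sum_bits, _ = c.adder(a_bits, b_bits)
    page = run_segments(c.init, c.segments)
    return sum(page[cell] << i for i, cell in enumerate(sum_bits)), len(c.segments)


def equal_via_segments(x: int, y: int, width: int = 64) -> bool:
    """Compare two unsigned ints with a segment-encoded equality comparator."""
    c = Circuit()
    a_bits = [c.cell((x >> i) & 1) for i in range(width)]
    b_bits = [c.cell((y >> i) & 1) for i in range(width)]
    result_cell = c.equal(a_bits, b_bits)
    return bool(run_segments(c.init, c.segments)[result_cell])


if __name__ == "__main__":
    total, count = add_via_segments(12345, 67890)
    print(f"12345 + 67890 = {total} using {count} segment commands")
    print("equal:", equal_via_segments(2**63, 2**63))
```

Each full adder here costs ten segment commands, so a 64-bit adder alone is 640 commands; the tens of thousands of segments the analysis mentions are what it takes to stack registers, comparators and memory-search loops on top of primitives like these.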
“The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream,” Project Zero says. “It’s pretty incredible, and at the same time, pretty terrifying.”
The good news: Apple patched FORCEDENTRY with the release of iOS 14.8 and included additional changes in iOS 15 to prevent similar attacks. The bad news: Project Zero is breaking up its technical analysis into two blog posts, and it says the second isn’t finished yet.
But even just half of the analysis helps demystify the exploit that led to public outcry, NSO Group being put on the Entity List by the US Department of Commerce, and Apple’s lawsuit against the company. NSO Group created Pegasus; now Project Zero is revealing how it learned to fly.