Google Project Zero Goes Deep on FORCEDENTRY Exploit Used by NSO Group

Google’s Project Zero team has published a technical analysis of the FORCEDENTRY exploit that was used by NSO Group to infect target iPhones with its Pegasus spyware via iMessage.

Citizen Lab discovered FORCEDENTRY on an iPhone owned by a Saudi activist in March; the organization exposed the exploit in September. Apple released patches for the underlying vulnerability, which affected iOS, watchOS, and macOS devices, 10 days after that disclosure.

Project Zero says that it analyzed FORCEDENTRY after Citizen Lab shared a sample of the exploit with assistance from Apple’s Security Engineering and Architecture (SEAR) group. (It also notes that neither Citizen Lab nor SEAR necessarily agree with its “editorial opinions.”)

“Based on our research and findings,” Project Zero says, “we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.”

The resulting breakdown covers everything from iMessage’s built-in support for GIFs (which Project Zero helpfully defines as “typically small and low quality animated images popular in meme culture”) to a PDF parser that supports the relatively ancient JBIG2 image codec.

What do GIFs, PDFs, and JBIG2 have to do with compromising a phone via iMessage? Project Zero explains that NSO Group discovered a way to use JBIG2 to achieve the following:

“JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as JavaScript, but it’s fundamentally computationally equivalent.”

All of which is to say that NSO Group used an image codec that was made to compress black-and-white PDFs to get something “fundamentally computationally equivalent” to the scripting language that web applications run on, JavaScript, onto a target’s iPhone.
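To make the “computationally equivalent” claim concrete, here is an added example, not code from Project Zero, NSO Group, or this article: a constructed Python model in which the only primitive is a JBIG2-style region composition (draw one bitmap onto another with one of the operators OR, AND, XOR, XNOR or REPLACE at an offset), and a 64-bit adder is assembled from nothing but those calls. The single-row region, the operator set and the command count are simplifying assumptions of this model.

```python
# Constructed teaching model (not Project Zero's or NSO's code): JBIG2 region
# composition offers only whole-bitmap operators (OR/AND/XOR/XNOR/REPLACE) that
# draw one bitmap onto another at an (x, y) offset. Treat each bitmap as a row
# of 64 memory cells and see how far those operators alone can go.
OPS = {
    "OR":      lambda d, s: d | s,
    "AND":     lambda d, s: d & s,
    "XOR":     lambda d, s: d ^ s,
    "XNOR":    lambda d, s: 1 - (d ^ s),
    "REPLACE": lambda d, s: s,
}
WIDTH = 64

def from_int(v):
    return [(v >> i) & 1 for i in range(WIDTH)]

def to_int(bits):
    return sum(b << i for i, b in enumerate(bits))

def compose(mem, dst, src, op, shift=0):
    """One 'segment command': draw bitmap `src` onto `dst` with operator `op`,
    offset by `shift` cells toward the high bit. Cells with no source under
    them see 0, and bits shifted past the top of the region are dropped."""
    f = OPS[op]
    s = [0] * shift + mem[src][:WIDTH - shift]
    mem[dst] = [f(d, b) for d, b in zip(mem[dst], s)]

def add64(a, b):
    """Ripple-carry add (mod 2**64) built from compose() calls only.
    Returns (sum, number_of_segment_commands_used)."""
    mem = {"A": from_int(a), "B": from_int(b), "P": [0] * WIDTH,
           "G": [0] * WIDTH, "C": [0] * WIDTH, "T": [0] * WIDTH}
    cmds = 0
    # Half-adder layer: P = A XOR B (propagate), G = A AND B (generate).
    compose(mem, "P", "A", "REPLACE"); compose(mem, "P", "B", "XOR")
    compose(mem, "G", "A", "REPLACE"); compose(mem, "G", "B", "AND")
    cmds += 4
    # Carry chain: C = (G OR (P AND C)) shifted up one bit. Each pass extends
    # carry propagation by one position, so 64 passes settle every bit.
    for _ in range(WIDTH):
        compose(mem, "T", "P", "REPLACE"); compose(mem, "T", "C", "AND")
        compose(mem, "T", "G", "OR");      compose(mem, "C", "T", "REPLACE", shift=1)
        cmds += 4
    compose(mem, "P", "C", "XOR"); cmds += 1      # sum = P XOR C
    return to_int(mem["P"]), cmds
```

A single addition already costs a few hundred composition commands here, which gives a sense of why a whole emulated architecture runs to tens of thousands of segments.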

“The bootstrapping functions for the sandbox escape exploit are written to run in this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream,” Project Zero says. “It’s pretty incredible, and at the same time, pretty horrifying.”

The good news: Apple patched FORCEDENTRY with the release of iOS 14.8 and included additional changes in iOS 15 to stop similar attacks. The bad news: Project Zero is splitting its technical research into two blog posts, and it says the second isn’t done yet.

But even just half of the analysis helps demystify the exploit that led to public outcry, NSO Group being placed on the Entity List by the US Department of Commerce, and Apple’s lawsuit against the company. NSO Group made Pegasus; now Project Zero is revealing how it learned to fly.
