Google Warns That NSO Hacking Rivals Elite Nation-State Spies


Israeli spyware developer NSO Group has shocked the global security community for many years with aggressive and effective hacking tools that can target both Android and iOS devices. The company’s products have been abused by customers around the world, so much so that NSO Group now faces sanctions, high-profile lawsuits and an uncertain future. But a new analysis of the spyware maker’s iOS exploit “ForcedEntry” — deployed in several targeted attacks against activists, dissidents, and journalists this year — comes with a more basic caveat: private businesses can produce hacking tools with the technical ingenuity and sophistication of the most elite government-backed development teams.

Google’s Project Zero bug-hunting team analyzed ForcedEntry using a sample provided by researchers at the University of Toronto’s Citizen Lab, which published widely this year about targeted attacks using the exploit. Researchers from Amnesty International also conducted important research about the hacking tool this year. The exploit mounts a “zero-click”, or non-interactive, attack, which means that the victim does not need to click on a link or grant permission for the attack to proceed. Project Zero discovered that ForcedEntry used a series of clever tactics to target Apple’s iMessage platform, bypassing the protections the company has added in recent years to make such attacks more difficult, and blatantly hijacking devices to install NSO’s flagship spyware, Pegasus.

Apple released a series of patches in September and October to mitigate the ForcedEntry attack and fortify iMessage against similar attacks in the future. But the Project Zero researchers write in their analysis that ForcedEntry remains “one of the most technically sophisticated exploits we’ve ever seen.” According to them, NSO Group has achieved a level of innovation and refinement that is often thought to be reserved for a small group of nation-state hackers.

“We have not seen a native miner build an equivalent capability from such a limited starting point, without the ability to interact with the attacker’s server, without loading JavaScript or the centralized engine, similar commands, etc.,” Ian Beer and Samuel Groß of Project Zero wrote in an email to WIRED. “There are many in the security community that consider this type of exploit – one-time remote code execution – to be a solved problem. They believe that the absolute weight of mobile-provided mitigations is too high to be able to build a reliable one-shot mining method. This demonstrates that it is not only possible but that it can be reliably used in nature against humans.”

Apple added an iMessage protection called “BlastDoor” in 2020’s iOS 14, following research from Project Zero about the threat of zero-click attacks. Beer and Groß say that BlastDoor seems to have succeeded in making non-interactive iMessage attacks much more difficult to execute. They told WIRED: “Making attackers work harder and take more risks is part of the plan to help make zero days difficult.” But NSO Group finally found a way around.

ForcedEntry takes advantage of weaknesses in the way iMessage accepts and interprets files like GIFs to trick the platform into opening a malicious PDF file without the victim doing anything. The attack exploited a vulnerability in an old compression engine used to process text in images from a physical scanner, allowing NSO Group customers to take full control of a target’s iPhone. Essentially, 1990s algorithms used in photocopying and scanning compression are still lurking in modern communications software, with all the vulnerabilities and baggage that come with them.
