Google's Project Zero team has published a detailed technical analysis of FORCEDENTRY, the exploit NSO Group used to infect target iPhones with its Pegasus spyware via iMessage.
In March, Citizen Lab detected FORCEDENTRY on an iPhone belonging to a Saudi activist; the organization disclosed the exploit in September. Ten days after that disclosure, Apple shipped updates for the underlying vulnerability, which was present in all of its operating systems, including iOS, watchOS, and macOS.
Project Zero says it analyzed FORCEDENTRY after Citizen Lab shared a sample of the exploit, working with assistance from Apple's Security Engineering and Architecture (SEAR) group. (It also notes that neither Citizen Lab nor SEAR necessarily agree with its "editorial opinions.")
"We assess this to be one of the most technically sophisticated exploits we've ever seen," Project Zero says, "based on our research and findings. This further demonstrates that the capabilities NSO provides rival those that were previously thought to be accessible to only a handful of nation states."
The resulting breakdown covers everything from iMessage's built-in support for GIFs, which Project Zero helpfully defines as "typically small and low quality animated images popular in meme culture," to a PDF parser that supports the relatively ancient JBIG2 image codec.
What role do file formats such as GIFs, PDFs, and JBIG2 play in compromising a phone through iMessage? According to Project Zero, NSO Group found a way to use JBIG2 that lets it do the following:
"JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent."
All of this is to say that NSO Group took an image codec designed to compress black-and-white PDFs and turned it into something "fundamentally computationally equivalent" to JavaScript, the language that makes web apps work, running on a target's iPhone.
Project Zero explains that the "bootstrapping operations for the sandbox escape exploit are constructed to execute on this logic circuit," and that "the entire thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream." "It's pretty incredible, and at the same time, pretty terrifying," the team adds.
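To make the "circuits of arbitrary logic gates" idea concrete, here is an added illustration (not code from Project Zero or from the exploit) of why composition operators alone are computationally powerful: a toy model in which each simplified "segment command" applies one of the JBIG2 region combination operators (OR, AND, XOR, XNOR, REPLACE) to a run of bits on a page buffer, and a compiler that emits only such commands to build a 64-bit ripple-carry adder. The region layout, the command tuple shape and the bit-level page buffer are assumptions of this model, not the real format.

```python
from typing import Callable, Dict, List, Tuple

# The five region combination operators JBIG2 allows when a decoded region
# is composed onto the page bitmap, modelled bit by bit.
OPS: Dict[str, Callable[[int, int], int]] = {
    "OR": lambda a, b: a | b,
    "AND": lambda a, b: a & b,
    "XOR": lambda a, b: a ^ b,
    "XNOR": lambda a, b: 1 - (a ^ b),
    "REPLACE": lambda a, b: b,
}
# Simplified (assumed) "segment command": (operator, dst_offset, src_offset, bit_count).
Segment = Tuple[str, int, int, int]

def execute(page: List[int], segments: List[Segment]) -> None:
    """Apply each composition segment to the flat page buffer, in order."""
    for op, dst, src, n in segments:
        for i in range(n):
            page[dst + i] = OPS[op](page[dst + i], page[src + i])

def layout(width: int) -> Dict[str, int]:
    """Bit offsets of the regions: A, B, SUM (width bits each), C, T, U (1 bit each)."""
    return {"A": 0, "B": width, "S": 2 * width,
            "C": 3 * width, "T": 3 * width + 1, "U": 3 * width + 2}

def ripple_adder(width: int) -> List[Segment]:
    """Compile a width-bit ripple-carry adder into composition segments only."""
    L = layout(width)
    A, B, S, C, T, U = (L[k] for k in "ABSCTU")
    seg: List[Segment] = []
    for i in range(width):                       # one full adder per bit
        seg += [("REPLACE", T, A + i, 1), ("XOR", T, B + i, 1),    # T = a ^ b
                ("REPLACE", S + i, T, 1), ("XOR", S + i, C, 1),    # sum = a ^ b ^ c
                ("REPLACE", U, T, 1), ("AND", U, C, 1),            # U = (a ^ b) & c
                ("REPLACE", T, A + i, 1), ("AND", T, B + i, 1),    # T = a & b
                ("OR", T, U, 1), ("REPLACE", C, T, 1)]             # carry = T | U
    return seg

def add(x: int, y: int, width: int = 64) -> Tuple[int, int]:
    """Add two unsigned ints with the compiled circuit; return (sum mod 2**width, carry_out)."""
    L = layout(width)
    page = [0] * (3 * width + 3)
    for i in range(width):
        page[L["A"] + i] = (x >> i) & 1
        page[L["B"] + i] = (y >> i) & 1
    execute(page, ripple_adder(width))
    total = sum(page[L["S"] + i] << i for i in range(width))
    return total, page[L["C"]]
```

Ten commands per bit are enough for the adder alone, which gives a sense of why a full instruction set with memory search and comparison runs to tens of thousands of segments.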
The good news is that Apple patched FORCEDENTRY in iOS 14.8 and added further changes in iOS 15 to prevent similar attacks. The bad news is that Project Zero is splitting its technical analysis across two blog posts, and it says the second post won't be ready for a while.
Still, even half of the analysis helps demystify the exploit that led to public outcry, to NSO Group being placed on the Entity List by the United States Department of Commerce, and to Apple filing a lawsuit against the company. NSO Group built Pegasus; today, Project Zero is showing how it learned to fly.