Google Project Zero Investigates the NSO Group’s FORCEDENTRY Exploit

Google’s Project Zero team has published a detailed technical analysis of FORCEDENTRY, the zero-click iMessage exploit that NSO Group used to infect targets’ iPhones with its Pegasus spyware.

Citizen Lab found FORCEDENTRY in March on an iPhone belonging to a Saudi activist and disclosed the exploit in September. Ten days after that disclosure, Apple shipped updates for the underlying vulnerability, which affected all of its operating systems, including iOS, watchOS, and macOS.

Project Zero says it analyzed FORCEDENTRY after Citizen Lab shared a sample of the exploit with it, with assistance from Apple’s Security Engineering and Architecture (SEAR) group. (It also notes that neither Citizen Lab nor SEAR necessarily agree with its “editorial opinions.”)

“We assess this to be one of the most technically sophisticated exploits we’ve ever seen,” says Project Zero, “based on our research and findings. This further demonstrates that the capabilities NSO provides rival those that were previously thought to be accessible to only a handful of nation states.”

The resulting breakdown covers everything from iMessage’s built-in support for GIFs, which Project Zero helpfully defines as “typically small and low quality animated images popular in meme culture,” to a PDF parser that supports the relatively ancient JBIG2 image codec (the exploit’s “GIF” is in fact a PDF, which is how the JBIG2 decoder comes to be reachable from a message attachment).

What do GIFs, PDFs, and JBIG2 have to do with compromising a phone over iMessage? According to Project Zero, NSO Group found a way to use JBIG2 that lets them do the following:

"JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent."

In other words, NSO Group used an image codec designed to compress black-and-white PDFs to get something “fundamentally computationally equivalent” to JavaScript, the language that makes web apps work, running on a target’s iPhone.
Project Zero explains that the “bootstrapping operations for the sandbox escape exploit are constructed to execute on this logic circuit,” and that “the entire thing runs in this odd, mimicked environment created out of a single decompression pass via a JBIG2 stream.” “It’s quite fantastic, but at the same time it’s pretty terrifying,” Project Zero writes.
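To make the “circuits of arbitrary logic gates” idea concrete, here is a small added illustration of the technique, not code from Project Zero or NSO. A JBIG2 decoder can only combine bitmaps with the spec’s composition operators (OR, AND, XOR, XNOR, REPLACE), yet a long enough list of such operations over one shared canvas is enough to build a ripple-carry 64-bit adder and a comparator, exactly the building blocks the quote mentions. The canvas layout, the `(op, dst, src)` segment tuple and all helper names are assumptions of this example rather than JBIG2 syntax; a real stream encodes each operation as a region segment header.

```python
"""Toy model of the FORCEDENTRY trick: a decoder that can only compose bitmaps
with OR/AND/XOR/XNOR/REPLACE still computes arithmetic if you feed it enough
segments. Added illustration; not code from Project Zero or NSO. Canvas layout,
segment tuple shape and helper names are assumptions of this example."""

WIDTH = 64
# Canvas rows. A, B: operands; S: sum; C: carry chain; T, G, TMP, NB, X: scratch;
# ZERO/ONE: constant bitmaps (a real stream would decode these as immediate
# regions); RES: comparator result bits.
A, B, S, C, T, G, TMP, ZERO, ONE, NB, X, RES = range(12)

OPS = {  # the five JBIG2 composition operators, applied pixel by pixel
    "OR":      lambda d, s: d | s,
    "AND":     lambda d, s: d & s,
    "XOR":     lambda d, s: d ^ s,
    "XNOR":    lambda d, s: 1 - (d ^ s),
    "REPLACE": lambda d, s: s,
}

def make_canvas():
    return [[0] * (WIDTH + 1) for _ in range(12)]  # one spare column for carry-out

def load(canvas, row, value):
    """Stand-in for a decoded bitmap: bit i of value goes to column i."""
    for i in range(WIDTH):
        canvas[row][i] = (value >> i) & 1

def read(canvas, row):
    return sum(canvas[row][i] << i for i in range(WIDTH))

def run(canvas, segments):
    """The entire 'CPU': compose src pixels into dst with one operator per segment.
    segment = (op, (dst_row, dst_col, width), (src_row, src_col)).
    Placing the source at a different column than the destination is a free shift."""
    for op, (dr, dc, w), (sr, sc) in segments:
        f = OPS[op]
        src = canvas[sr][sc:sc + w]          # snapshot first: src and dst may overlap
        for i in range(w):
            canvas[dr][dc + i] = f(canvas[dr][dc + i], src[i])

def adder_segments(a, b, cin):
    """Emit segments computing S = a + b + cin; carry i+1 lands in C[i+1], C[WIDTH] is carry-out."""
    seg = [("REPLACE", (T, 0, WIDTH), (a, 0)), ("XOR", (T, 0, WIDTH), (b, 0)),  # T = a ^ b
           ("REPLACE", (G, 0, WIDTH), (a, 0)), ("AND", (G, 0, WIDTH), (b, 0)),  # G = a & b
           ("REPLACE", (S, 0, WIDTH), (T, 0)),                                  # S = T
           ("REPLACE", (C, 0, 1), cin)]                                         # C[0] = carry-in
    for i in range(WIDTH):  # ripple carry: five segments per bit
        seg += [("XOR", (S, i, 1), (C, i)),                                     # S[i] ^= C[i]
                ("REPLACE", (TMP, 0, 1), (T, i)), ("AND", (TMP, 0, 1), (C, i)), # TMP = T[i] & C[i]
                ("REPLACE", (C, i + 1, 1), (G, i)), ("OR", (C, i + 1, 1), (TMP, 0))]  # C[i+1] = G[i] | TMP
    return seg

def compare_segments():
    """Emit segments leaving RES[0] = (A < B) and RES[1] = (A == B)."""
    seg = [("REPLACE", (NB, 0, WIDTH), (ZERO, 0)), ("XNOR", (NB, 0, WIDTH), (B, 0))]  # NB = ~B (0 XNOR b)
    seg += adder_segments(A, NB, cin=(ONE, 0))             # A + ~B + 1: carry-out set iff A >= B
    seg += [("REPLACE", (RES, 0, 1), (ZERO, 0)), ("XNOR", (RES, 0, 1), (C, WIDTH))]  # RES[0] = NOT carry-out
    seg += [("REPLACE", (X, 0, WIDTH), (A, 0)), ("XOR", (X, 0, WIDTH), (B, 0))]      # X = A ^ B
    w = WIDTH // 2
    while w >= 1:                                          # OR-reduce by folding the upper half down
        seg.append(("OR", (X, 0, w), (X, w)))
        w //= 2
    seg += [("REPLACE", (RES, 1, 1), (ZERO, 0)), ("XNOR", (RES, 1, 1), (X, 0))]      # RES[1] = NOT any(X)
    return seg

def add64(x, y):
    """Run the adder program on a fresh canvas; return (sum mod 2**64, carry_out)."""
    canvas = make_canvas()
    load(canvas, A, x); load(canvas, B, y)
    run(canvas, adder_segments(A, B, cin=(ZERO, 0)))
    return read(canvas, S), canvas[C][WIDTH]

def compare64(x, y):
    """Run the comparator program; return (x < y, x == y)."""
    canvas = make_canvas()
    load(canvas, A, x); load(canvas, B, y); load(canvas, ONE, 1)
    run(canvas, compare_segments())
    return bool(canvas[RES][0]), bool(canvas[RES][1])

if __name__ == "__main__":
    print(len(adder_segments(A, B, (ZERO, 0))), "segments for one 64-bit add")
    print(add64(2**64 - 1, 1))                                # wraps to 0 with carry-out set
    print(compare64(5, 7), compare64(7, 7), compare64(9, 7))
```

One 64-bit add here costs 326 segments and a comparison roughly 340, which is why a real program built this way needs tens of thousands of segment commands; the decoder never sees anything but bitmap compositions, so nothing about the stream looks like code.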

The good news is that Apple patched FORCEDENTRY in iOS 14.8 and added further changes in iOS 15 to guard against similar attacks. The bad news is that Project Zero is splitting its technical analysis across two blog posts, and it says the second one isn’t finished yet.

Still, even half of the analysis helps demystify the exploit that provoked public outcry, got NSO Group placed on the US Department of Commerce’s Entity List, and led Apple to sue the company. NSO Group built Pegasus; now Project Zero is showing how it learned to fly.
