FORCEDENTRY is a “zero click” exploit of Apple’s iMessage software. Unlike “phishing” attacks which require the target to click on a message or open a file, simple receipt of a message containing the attack code is sufficient to compromise the victim’s device, allowing arbitrary information to be extracted, modified, deleted, and/or spyware and other malicious software installed without the owner’s knowledge. It has been attributed to the shadowy Israeli spyware company, NSO Group, whose not-so-shadowy Web site proclaims them as providing “Cyber intelligence for global security and stability” and describes their mission as “NSO creates technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.”
Well, some of those “government agencies” are pretty shady and disreputable. A forensic analysis of mobile phones by Amnesty International identified 11 countries using NSO spyware against their targets: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates.
Apple has been fighting an ongoing battle against NSO spyware, both on the technological and legal fronts, and thought they’d closed the door with a sandbox system called “BlastDoor” introduced in IOS 14. Well, FORCEDENTRY made it through the BlastDoor, exploiting a vulnerability which is present in iOS, macOS, and even WatchOS. Apple has since issued patches which it claims prevent the exploit, but of course any unpatched systems remain vulnerable.
Now, Google’s Project Zero has released “A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution”, and it is wild. As the analysis states, “Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.”
You really need to read the whole thing to appreciate how wickedly clever the exploit is and how twisted a mind it must have taken to think of it and make it a reality. By tricking the messaging software into thinking it was displaying an animated GIF while actually decoding a PDF document, then using an obscure and mostly obsolete image compression scheme called JBIG2 whose decoder could be tricked into performing a buffer overflow, FORCEDENTRY tricks the system into opening up access to a large block of memory. It is then able to use the JBIG2 pixel operations to create “logic gates” which can perform the AND, OR, XOR, and XNOR Boolean operations, which of course are more than sufficient to assemble a Turing-complete universal computer.
And that’s exactly what they did! With a sequence of more than 70,000 JBIG2 commands, they assemble a universal computer with registers and a 64 bit adder and comparator with access to most of memory, which is then used to execute code that defeats the BlastDoor sandbox and installs the Pegasus spyware. As the analysis concludes, “The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It’s pretty incredible, and at the same time, pretty terrifying.”