MADRID, Dec 16 (Portaltic / EP) –
Project Zero, Google’s cybersecurity research team, has analyzed the ForcedEntry ‘exploit’ that took advantage a vulnerability in iMessage to infect the iPhone with Pegasus, the spyware developed by the Israeli company NSO Group, whose capabilities they consider to rival those of the States.
The ForcedEntry sample they analyzed came from an infected iPhone, provided by CitizenLab. As indicated in a publication, the entry route was through iMessage, and took advantage of the looping Gif playback system.
The attack sends a file that pretends to be a Gif, but that hides more than 20 image codecs for ‘zero click’ attack, that is, it does not need the user to touch it. With this hack, NSO Group targets a vulnerability present in CoreGraphics’ PDF parser, which contains the JBIG2 codec, which is currently not in common use.
“JBIG2 does not have ‘scripting’ capabilities, but when combined with a vulnerability, it has the ability to emulate arbitrary logic gate circuits operating in arbitrary memory “, they point out from Project Zero. What this ‘exploit’ does is use this ability to build its own computer architecture and write the operations.
As they have stated, “the boot operations for the ‘sandbox’ escape exploit are written to be executed in this logic circuit and everything is executed in this strange emulated environment created from a single decompression pass through a JBIG2 stream“.
From the Google team they indicate that “it is quite incredible and, at the same time, quite scary”, and they even consider that “it is one of the most technically sophisticated ‘exploits’“They’ve never seen before, which” demonstrates that the capabilities NSO offers rival those previously thought to be accessible to only a handful of nation states. ”
The vulnerability they have analyzed, identified as (CVE-2021-30860), was fixed on September 13, 2021 in iOS 14.8. Additionally, Apple released new patches in September and October to mitigate this iMessage exploit.