Israeli spyware developer NSO Group has shocked the global security community for years with aggressive and effective hacking tools that can target both Android and iOS devices. The company’s products have been so abused by its customers around the world that the NSO Group now faces sanctions, high-profile lawsuits and an uncertain future. But a new analysis of the spyware maker’s ForcedEntry iOS exploitation – embedded in a series of targeted attacks on activists, dissidents and journalists this year – comes with an even more fundamental warning: Private companies can produce hacking tools that have the technical ingenuity and sophistication of the most elite government-backed development groups.
Google’s Project Zero debugging team analyzed ForcedEntry using a sample provided by researchers at the University of Toronto’s Citizen Lab, which this year published a lot about targeted attacks that exploited exploitation. Researchers from Amnesty International also conducted important research on the hacker tool this year. Exploitation launches a zero-click, or non-interactional, attack, which means victims do not have to click on a link or give permission for the hack to proceed. Project Zero found that ForcedEntry used a series of shrewd tactics to target Apple’s iMessage platform, circumvent protections the company has added in recent years to make such attacks more difficult, and deftly take over devices to install NSO’s flagship spyware -Pegasus implants.
Apple released a series of patches in September and October that mitigate the ForcedEntry attack and harden iMessage against future similar attacks. But Project Zero researchers write in their analysis that ForcedEntry is still “one of the most technically sophisticated farms we’ve ever seen.” The NSO Group has achieved a level of innovation and sophistication, say those who are generally believed to be reserved for a small cadre of nation-state hackers.
Apple added an iMessage protection called BlastDoor in 2020’s iOS 14 on the heels of Project Zero research on the threat of zero-click attacks. Beer and Groß say BlastDoor seems to have succeeded in making interactionless iMessage attacks much harder to deliver. “Getting attackers to work harder and take more risks is part of the plan to help make zero-day hard,” they told WIRED. But the NSO Group eventually found a way through.
ForcedEntry exploits vulnerabilities in how iMessage accepted and interpreted files as GIFs to trick the platform into opening a malicious PDF file without a victim doing anything at all. The attack exploited a vulnerability in an older compression tool used to process text in images from a physical scanner, enabling NSO Group customers to take over an iPhone completely. Basically, the algorithms of the 1990s used for photocopying and scanning compression still lurk in modern communication software with all the flaws and baggage that comes with them.
The sophistication does not end there. While many attacks require a so-called command-and-control server to send instructions to successfully placed malware, ForcedEntry sets up its own virtualized environment. The entire attack infrastructure can establish itself and run within a strange stalemate of iMessage, making the attack even harder to detect. “It’s pretty incredible and at the same time pretty scary,” the Project Zero researchers concluded in their analysis.
Project Zero’s technical dive is significant, not only because it explains the details of how ForcedEntry works, but because it reveals how impressive and dangerous privately developed malware can be, says John Scott-Railton, senior researcher at Citizen Lab.
“This is on a par with serious nation-state capabilities,” he says. “It’s really sophisticated stuff, and when it’s used by an autocrat with full throttle and no brakes, it’s completely scary. And it’s just making you wonder what else is out there being used right now, like “just waiting to be discovered. If that’s the kind of threat civil society faces, it’s really an emergency.”
After years of controversy, there may be a growing political will to call up private spyware developers. For example, a group of 18 U.S. congressmen on Tuesday sent a letter to the Treasury Department and the State Department urging the agencies to sanction the NSO Group and three other international monitoring companies, as first reported by Reuters.
“This is not ‘NSO exceptionalism’. There are many companies providing similar services that are likely to do similar things,” Beer and Groß told WIRED. “It was just, this time, NSO was the company that was taken on board. work.”