Google Security: "The NSO's vulnerability is the most complex we've ever seen"

Google's security researchers dug into one of NSO Group's zero-click iMessage exploits and revealed the sophistication of the company's attack. Google Project Zero notes that the ForcedEntry zero-click exploit, which has been used to target activists and journalists, is "one of the most sophisticated vulnerabilities in technology we've ever seen."

In addition, it illustrates that the capabilities of NSO Group are comparable to those of nation-state actors.

Apple patched the zero-click vulnerability, designated CVE-2021-30860, in iOS 14.8 in mid-September 2021.

The exploit goes beyond a so-called one-click attack, which relies on the target clicking a link. Project Zero noted that the initial entry point for the Pegasus software developed by NSO Group was iMessage, Apple's encrypted messaging platform. The researchers wrote: "This means that only the victim needs to be targeted with their phone number or AppleID username."

Once a message is sent to the user, the exploit relies on a weakness in the way iMessage accepts and decodes files such as GIF images. From there, it tricks the platform into opening a malicious PDF without any interaction from the user.

More specifically, the vulnerability lies in a legacy compression tool used to recognize text in images. Once leveraged, however, it allows NSO Group customers to take over an iPhone entirely.

Signs of the sophistication of the attack go beyond the initial exploitation. According to Project Zero, ForcedEntry has even built its own virtualized command and control environment instead of communicating directly with servers, which makes it harder to spot.

NSO Group attacks like ForcedEntry have been used repeatedly by governments to target journalists, activists and political dissidents. In at least one case, NSO Group spyware was used to launch targeted attacks against U.S. State Department officials.

Apple sued NSO Group back in November, seeking to hold the group accountable for its surveillance of iPhone users. In December, it was reported that NSO Group was considering abandoning its Pegasus spyware under pressure from lawsuits and criticism.