Google warns that NSO hacking is on par with elite nation-state spies

A man walks by the building entrance of NSO Group at one of its branches in the Arava Desert.

NSO Group has shocked the global security community with hacking tools that can target both Android and iOS devices. The company's products have been abused by its customers around the world, and NSO now faces sanctions, high-profile lawsuits, and an uncertain future. A new analysis of its ForcedEntry iOS exploit, which was used in a number of targeted attacks against activists, dissidents, and journalists this year, carries a more fundamental warning: private businesses can produce hacking tools whose technical ingenuity and sophistication are on par with those of elite nation-state spies.

Project Zero analyzed ForcedEntry using a sample provided by researchers at the University of Toronto's Citizen Lab, which published extensively this year about targeted attacks utilizing the exploit. Researchers from Amnesty International also conducted important research on the hacking tool. The exploit mounts a zero-click, or interactionless, attack, meaning that victims don't need to click a link or grant permission for the hack to proceed. Project Zero found that ForcedEntry used a series of clever tactics to target Apple's iMessage platform, circumvent the protections the company added in recent years to make such attacks more difficult, and take over devices to install NSO's flagship spyware implant.

In September and October, Apple released a series of patches that mitigated the ForcedEntry attack. Still, ForcedEntry is one of the most technically sophisticated exploits the Project Zero researchers say they have ever seen. NSO Group achieved a level of innovation and refinement generally assumed to be reserved for a small group of nation-state hackers.

Project Zero's Ian Beer and Samuel Groß wrote that they haven't seen an in-the-wild exploit build an equivalent capability from such a limited starting point. Many within the security community consider this type of exploitation, single-shot remote code execution, a solved problem in the sense that the sheer weight of mitigations on modern mobile devices is thought to be too high for a reliable single-shot exploit to be built. ForcedEntry shows that it is not only possible but is being used reliably in the wild against real people.


Following Project Zero's earlier research on the threat of zero-click attacks, Apple added an iMessage protection called BlastDoor, a tightly sandboxed service that parses incoming message content, in iOS 14. Beer and Groß say that BlastDoor has made interactionless iMessage attacks significantly more difficult to deliver. Making attackers work harder and take more risks is part of the plan to make zero-days hard. NSO Group nevertheless found a way through.

ForcedEntry took advantage of weaknesses in how iMessage accepted and interpreted files like GIFs to trick the platform into opening a malicious PDF without the victim doing anything at all: an attachment with a .gif extension was in fact a PDF, and the image pipeline rendered it according to its real content. The PDF triggered an integer overflow in a legacy decoder for JBIG2, a compression scheme designed for scanned text and used in photocopying and fax-style workflows, which let NSO Group customers take over the device entirely. In effect, 1990s-era algorithms from the scanning and photocopying world are still lurking in modern communication software, with all the flaws and baggage they carry.
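The mismatch described above, a file that claims to be a GIF by extension but is a PDF by content, is the kind of thing a mail or messaging gateway can flag before the bytes ever reach an image parser. The following is an added example written for this page, not code from Apple, NSO, or Project Zero: it sniffs the real type from magic bytes, reports an extension/content mismatch, and additionally flags PDFs that declare a JBIG2Decode filter. The two sample attachments are constructed inline; the regular expression for the filter entry is a simplification that assumes an uncompressed object dictionary.

```python
"""Added example: spot attachments whose extension and content disagree, and
flag PDFs that carry JBIG2-encoded streams. Sample inputs are constructed
here for illustration; this is not code from the original article."""
import re

GIF_MAGICS = (b"GIF87a", b"GIF89a")
PDF_MAGIC = b"%PDF-"

# Matches "/Filter /JBIG2Decode" and "/Filter [/FlateDecode /JBIG2Decode]".
# Simplification (assumption): the stream dictionary is not itself compressed.
JBIG2_FILTER = re.compile(rb"/Filter\s*(?:\[[^\]]*)?/JBIG2Decode")


def sniff(data: bytes) -> str:
    """Return the real container type from its leading bytes, not its name."""
    head = data[:1024]
    if head.startswith(GIF_MAGICS):
        return "gif"
    # PDF readers tolerate junk before the header, so search rather than startswith.
    if PDF_MAGIC in head:
        return "pdf"
    return "unknown"


def has_jbig2_stream(data: bytes) -> bool:
    """True if any stream in the PDF declares the JBIG2Decode filter."""
    return JBIG2_FILTER.search(data) is not None


def classify(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    findings = []
    if ext == "gif" and kind != "gif":
        findings.append(f"extension/content mismatch: .{ext} extension but {kind} content")
    if kind == "pdf" and has_jbig2_stream(data):
        findings.append("pdf declares a JBIG2Decode stream (legacy scanned-text codec)")
    return findings


# Constructed samples (not real attachments): a minimal GIF header, and a PDF
# skeleton with one JBIG2-filtered image stream, saved under a .gif name.
BENIGN_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
DISGUISED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8 "
    b"/Filter [/FlateDecode /JBIG2Decode] /Length 0 >> stream\nendstream endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("cat.gif", BENIGN_GIF), ("cat.gif", DISGUISED_PDF)):
        print(name, classify(name, blob) or "ok")
```

The lesson for a detection engineer is that the declared type is an untrusted input: sniffing the content and diffing it against the name costs nothing and would have surfaced this sample on the wire, whereas trusting the extension routes it straight into the decoder that the attacker chose.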

The sophistication doesn't end there. Many attacks depend on a command-and-control server to send instructions to malware once it lands, but ForcedEntry sets up its own virtualized environment: Project Zero found that it uses the decoder's own logical operations on image bitmaps (AND, OR, XOR, XNOR) to assemble a small computer in which the rest of the exploit runs. The entire infrastructure of the attack can therefore establish itself and run within a strange backwater of iMessage, with no scripting engine loaded and no contact with an attacker's server, making it even harder to detect. The Project Zero researchers concluded that it was pretty incredible, and at the same time pretty terrifying.
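To see why a decoder that only offers per-pixel AND, OR, XOR and XNOR is enough to "assemble a computer", it helps to watch arithmetic fall out of those four operations. The block below is an added illustration written for this page, not the exploit's code or anything from Project Zero: it models a bitmap as a row of 0/1 pixels, defines only the four logical operators plus a one-pixel shift (which in the real decoder corresponds to drawing one bitmap at an offset from another), and builds NOT, addition and subtraction on top of them. The widths and sample values are chosen here for illustration.

```python
"""Added example: arithmetic from nothing but bitmap logic. A number is stored
as a row of pixels, least-significant bit first. Only the four JBIG2-style
refinement operators and a pixel shift are treated as primitives; everything
else is composed from them. Illustrative only, not the exploit's code."""


# --- the only primitives: whole-bitmap logical ops and a one-pixel shift ---
def bitmap_and(a, b):  return [x & y for x, y in zip(a, b)]
def bitmap_or(a, b):   return [x | y for x, y in zip(a, b)]
def bitmap_xor(a, b):  return [x ^ y for x, y in zip(a, b)]
def bitmap_xnor(a, b): return [1 - (x ^ y) for x, y in zip(a, b)]

def shift_up(a):
    """Move every pixel one position toward the high end; the top bit falls
    off, which gives arithmetic modulo 2**width for free."""
    return [0] + a[:-1]


# --- conversions, for the reader's convenience only ---
def to_bitmap(n, width):   return [(n >> i) & 1 for i in range(width)]
def from_bitmap(bits):     return sum(b << i for i, b in enumerate(bits))


# --- derived operations ---
def bitmap_not(a):
    """There is no NOT primitive. XNOR(a, a) is an all-ones bitmap, and XOR
    against all-ones flips every pixel."""
    return bitmap_xor(a, bitmap_xnor(a, a))


def add(a, b):
    """Carry-propagating addition using only whole-bitmap ops: the sum bits are
    XOR, the carries are AND shifted up one place, repeat until no carry."""
    for _ in range(len(a)):
        carry = shift_up(bitmap_and(a, b))
        a = bitmap_xor(a, b)
        b = carry
        if not any(b):
            break
    return a


def sub(a, b):
    """a - b as a + (~b + 1), i.e. two's complement built from NOT and add."""
    one = to_bitmap(1, len(a))
    return add(a, add(bitmap_not(b), one))


def add_ints(x, y, width=8):
    """Helper that rounds-trips integers through the bitmap adder."""
    return from_bitmap(add(to_bitmap(x, width), to_bitmap(y, width)))


def sub_ints(x, y, width=8):
    return from_bitmap(sub(to_bitmap(x, width), to_bitmap(y, width)))


if __name__ == "__main__":
    print(add_ints(5, 7))        # 12
    print(add_ints(200, 100))    # 44, i.e. 300 mod 256: the top carry fell off
    print(sub_ints(10, 3))       # 7
```

Once addition and negation exist, comparison, multiplication, memory reads and writes (drawing at computed offsets) and branching follow by the same kind of composition, which is how a pure image decoder can host the logic that walks the rest of the exploit chain without ever loading JavaScript or talking to a server.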

John Scott-Railton, senior researcher at Citizen Lab, says that Project Zero's technical deep dive is significant because it shows how dangerous privately developed software can be.

He says that this is on par with serious nation-state capabilities. It's really sophisticated, and when it's wielded by an autocrat, it's terrifying. It makes you wonder what else is out there being used. If this is the kind of threat civil society is facing, it is an emergency.

After years of controversy, there may be growing political will to call out private software developers. A group of 18 US congresspeople sent a letter to the Treasury and State Departments on Tuesday calling on them to sanction NSO Group and three other international surveillance companies.

This is not NSO exceptionalism. Beer and Groß told WIRED that there are many companies that provide similar services. The company that was caught in the act was NSO.