How NSO Group’s iPhone Hacking Exploit Works

Photo: Amir Levy (Getty Images)

For years, Israeli spyware vendor NSO Group has fueled fear and fascination in the international community with its hacking tools, which are sold to authoritarian governments around the world and used against journalists, activists, politicians and anyone else unfortunate enough to become a target. The company, often embroiled in scandal, has frequently appeared to operate as if by digital incantation – with commercial exploits that require no phishing and malware that is all-seeing and can reach into the most private of digital spaces.

But some of NSO’s dark secrets were revealed very publicly last week, when researchers managed to technically deconstruct how one of the company’s infamous “zero-click” attacks works. Researchers with Google’s Project Zero published a detailed breakdown that shows how an NSO exploit called ‘FORCEDENTRY’ can quickly and silently take over a phone.

It is thought that the exploit, which is designed to target Apple iPhones, led to the hacking of devices in multiple countries, including those of several US State Department officials working in Uganda. The first details were documented by Citizen Lab, a research unit of the University of Toronto that has regularly published research on NSO’s activities. Citizen Lab researchers managed to get hold of phones subjected to the company’s “zero-click” attacks and published their first investigation into how the attacks worked in September. Around the same time, Apple announced that it was suing NSO and also released security updates to address the issues associated with the exploit.

Citizen Lab eventually shared its findings with Google’s researchers, who finally released their analysis of the attacks last week. As you’d expect, it’s some pretty incredible – and terrifying – stuff.

“Based on our research and findings, we rate this as one of the most technically advanced exploits we’ve ever seen, further demonstrating that the capabilities offered by NSO rival those previously thought only accessible to a handful of nation-states,” researchers Ian Beer and Samuel Groß wrote.


FORCEDENTRY: Trojan GIFs and a computer within a computer

Probably the scariest thing about FORCEDENTRY is that, according to Google’s researchers, all it takes to hack a person’s phone is their phone number or their Apple ID username.

Using one of those identifiers, the operator of NSO’s exploit can quite easily compromise any device they want. The attack process was simple: what appeared to be a GIF was sent to the victim’s phone via iMessage. However, the image in question wasn’t actually a GIF; instead, it was a malicious PDF dressed up with a .gif extension. Inside the file was a highly sophisticated payload that triggered a vulnerability in Apple’s image processing software and used it to quickly take over valuable resources on the targeted device. The recipient didn’t even have to click on the image to activate the malicious functionality.

Technically speaking, what FORCEDENTRY did was exploit a zero-day vulnerability in Apple’s image rendering library, CoreGraphics, the software that iOS uses to process images and media on the device. That vulnerability, officially tracked as CVE-2021-30860, is associated with an old piece of free open source code that iOS apparently used to encrypt and decrypt PDF files – the xpdf implementation of JBIG2.
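One defender-side check that follows from the attachment trick described above, written here as an added example and not taken from the Project Zero write-up or from the article: sniff an attachment’s real type from its magic bytes instead of trusting the file extension, and flag any PDF that declares the JBIG2Decode filter, since that is the code path CVE-2021-30860 lives in. The sample byte strings are constructed for the example and are not real exploit files.

```python
import re

# Constructed sample attachments (not real exploit files): a genuine 1x1 GIF,
# and a minimal PDF whose image object asks for the JBIG2Decode filter.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x00\x02\x02D\x01\x00;")
PDF_AS_GIF = (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image "
              b"/Width 1 /Height 1 /Filter /JBIG2Decode /Length 2 >>\n"
              b"stream\n\x00\x01\nendstream\nendobj\n%%EOF\n")

# Magic-byte signatures for the container types iMessage commonly renders.
MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

def sniff_type(data: bytes) -> str:
    """Return the content type implied by the leading bytes, not the name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def uses_jbig2(data: bytes) -> bool:
    """True if any PDF dictionary names JBIG2Decode, alone or in a filter array."""
    return re.search(rb"/Filter\s*(\[[^\]]*)?\s*/JBIG2Decode", data) is not None

def triage_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = {"jpg": "jpeg"}.get(ext, ext)   # normalise the jpg/jpeg alias
    actual = sniff_type(data)
    if expected in ("gif", "png", "jpeg") and actual != expected:
        findings.append(f"extension .{ext} but content sniffed as {actual}")
    if actual == "pdf" and uses_jbig2(data):
        findings.append("PDF invokes the JBIG2Decode filter (CVE-2021-30860 code path)")
    return findings

if __name__ == "__main__":
    for name, blob in (("cat.gif", REAL_GIF), ("cat.gif", PDF_AS_GIF)):
        print(name, triage_attachment(name, blob) or ["ok"])
```

A mismatch alone is not proof of an exploit, but it is the cheap signal that would have separated a renamed PDF from a real GIF before the decoder ever ran.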

This is where the attack really gets wild. By exploiting the image processing vulnerability, FORCEDENTRY was able to penetrate the target device and use the phone’s own memory to build a rudimentary virtual machine, basically a ‘computer within a computer’. From there, that machine was able to “boot” NSO’s Pegasus malware from within, eventually sending data back to whoever deployed the exploit.

In an email exchange with Gizmodo, Beer and Groß explained a bit about how this all works. The attack “delivers a JBIG2-compressed file that performs thousands of basic math operations originally intended for data decompression,” the researchers said. “Through those operations, it first causes a ‘memory corruption’ vulnerability in JBIG2 and thereby modifies memory in a way that then allows access to unrelated memory contents on subsequent operations.”

From there, the program “essentially builds a small computer on top of these basic math operations, which it uses to execute code that now accesses other memory from the attacked iPhone,” the researchers further explained. After the minicomputer inside the targeted phone boots up, NSO uses it to “run their own code (rather than Apple’s) and use that to launch the malware” on the actual device, they added.

Long story short, the NSO exploit is able to get hold of a victim’s phone from within and use the device’s own resources to set up and run the surveillance activities.

NSO’s troubles continue

The vulnerability behind this exploit was fixed in Apple’s iOS 14.8 update (released in September), although some security researchers warned that if a person’s phone was compromised by Pegasus before the update, a patch might not do much to keep the intruders out.

NSO’s malware and its mysterious hacking methods have been the subject of fear and speculation for years, so it’s pretty amazing that Google is finally pulling the curtain on how this piece of black computer magic actually works.

But while the inner workings of this terrifying tool have finally been revealed, the tool’s creators are currently struggling to survive. NSO has had a very difficult year as the company lurches from one disastrous scandal to another. Ongoing journalistic investigations into the apparent misconduct of its customer base have been accompanied by multiple lawsuits from some of the world’s largest corporations, government investigations, strong US sanctions, and investors and financial backers heading for the exit.

Correction: An earlier version of this story stated that Apple released its patch in October. The security updates were released in September.
