Zero click exploit for iPhone

This is amazing (emphasis added):

Project Zero said the exploit effectively created “a weapon against which there is no defense,” noting that zero-click exploits work silently in the background and does not even require the target to click on a link or surf to a malicious website. “Short of not using a device, there is no way to prevent exploitation by a zero-click exploit,” the research team said.

The researchers confirmed the initial entry point for Pegasus was Apple’s proprietary iMessage that ships by default on iPhones, iPads and macOS devices.  By targeting iMessage, the NSO Group hackers needed only a phone number of an AppleID username to take aim and fire eavesdropping implants.

Within Apple’s CoreGraphics PDF parser, the NSO exploit writers abused Apple’s implementation of the open-source JBIG2, a domain specific image codec designed to compress images where pixels can only be black or white.

Describing the exploit as “pretty terrifying,” Google said the NSO Group hackers effectively booby-trapped a PDF file, masquerading as a GIF image, with an encoded virtual CPU to start and run the exploit.

JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does,” the researchers explained.

Using over 70,000 segment commands defining logical bit operations, [NSO’s hackers] define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.”

“The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It’s pretty incredible, and at the same time, pretty terrifying,” the Google researchers added.

I wonder how many other zero click exploits are active in the wild right now.

We live in interesting times.


6 thoughts on “Zero click exploit for iPhone

  1. I’m a complete moron when it comes to these things. But with all this back-door crap going on. Would it be wrong to think one could put the whole operating system on a removable chip? Also, the desired program on a different chip?
    That way you can just buy an actual chip, then plug and play? If it gets hacked or screwed up. Just pull the old one, plug in a new one.
    Kind of like SIM cards? Just wonder’in?
    Seems to me there’s a whole line of business there. In devices and software.

    • I don’t understand the suggested advantage of the removable chip versus updating your firmware and/or programs on disk.

      Perhaps you don’t understand that it is very rare for there to be actual physical changes in the O/S or application programs in firmware and/or on disk.

      Perhaps you are suggesting that no O/S or program is allowed to execute from writable storage. It must all be run from read only storage. That would have some security advantages, but it also would make adding new programs impractical. A typical smartphone may have 30 apps install. These include games, GPS, compass, carpenter level, external ballistics, reloading tools, secure messaging, social apps (Facebook, Twitter, Tinder, etc.), retail store applications, etc. Having 50 slots on the phone with one slot for each application isn’t going to be market competitive or even practical. Updates would be time consuming and extremely expensive compared to today’s downloading.

      And many vulnerabilities, such as this one, run entirely in memory. They can highjack some program, such as the browser, and steal private information such as your contacts, pictures, files, etc. and send it to a remote server without ever writing a file to long term storage.

      • Yes, I can see that would be very impractical. Told you I was a moron.
        I was thinking it was altering your O/S.
        I’ll just shut up now.
        Second thought, I think that’s something else I don’t know how to do.
        Thanks for putting up with me Joe.

  2. Every time something new like this is announced, I wonder at the trust people put into their electronics. And they call the Middle Ages the Age of Faith.

    Robert Heinlein’s father often said the more complicated the law, the more opportunity for a scoundrel. These things are so complex, the same principle operates here, too.

  3. It doesn’t seem like exactly a zero-click exploit if it starts by needing the victim to download a booby trapped PDF file. Given that description, the workaround seems to be “don’t download PDF files until Apple has shipped a patch for this bug”.

    Meanwhile, it does seem that NSO and all its staff need to be placed on the Dept. of Commerce “Entity list” — the same list where people like Kim Jong Eun and his ilk are found, the one that bans any and all commerce with the named party.

Comments are closed.