Google warns NSO hacking is on par with elite nation-state spies

A man walks past the entrance to the building of the Israeli cyber company NSO Group at one of its branches in the Arava desert on November 11, 2021, in Sapir, Israel.

Amir Levy | Getty Images

Israeli spyware developer NSO Group has shocked the global security community for years with aggressive and effective hacking tools that can target Android and iOS devices. The company’s products have been so abused by its customers around the world that NSO Group now faces sanctions, high-profile lawsuits, and an uncertain future. But a new analysis of the spyware maker’s ForcedEntry iOS exploit, deployed in a series of attacks targeting activists, dissidents, and journalists this year, comes with an even more fundamental warning: private companies can produce hacking tools with the technical ingenuity and sophistication of elite government-backed development groups.

Google’s Project Zero bug-hunting group analyzed ForcedEntry using a sample provided by researchers at the University of Toronto’s Citizen Lab, who have published extensively this year on targeted attacks using the exploit. Amnesty International researchers also carried out a major investigation into the hacking tool this year. The exploit mounts a zero-click, or interactionless, attack, meaning victims do not need to click a link or grant permission for the hack to proceed. Project Zero found that ForcedEntry used a number of cunning tactics to target Apple’s iMessage platform, circumventing protections the company added in recent years to make such attacks more difficult, and cleverly hijacking devices to install NSO’s flagship spyware implant, Pegasus.

Apple released a series of patches in September and October that mitigate the ForcedEntry attack and harden iMessage against similar attacks in the future. But Project Zero researchers write in their analysis that ForcedEntry remains “one of the most technically sophisticated exploits we’ve ever seen.” NSO Group has achieved a level of innovation and refinement, they say, that is generally assumed to be reserved for a small group of state-backed hackers.

“We haven’t seen an in-the-wild exploit build equivalent capability from such a limited starting point: no interaction with the attacker’s server possible, no JavaScript or similar scripting engine loaded, etc.,” Ian Beer and Samuel Groß of Project Zero wrote in an email to WIRED. “There are many within the security community who regard this type of exploitation (remote one-shot code execution) as a solved problem. They believe that the total weight of mitigations provided by mobile devices is too high to build a reliable one-shot exploit. This shows that it is not only possible, but that it is being used reliably in the wild against people.”

Apple added an iMessage protection called BlastDoor in iOS 14 in 2020, after Project Zero research into the threat of zero-click attacks. Beer and Groß say that BlastDoor does appear to have made interactionless iMessage attacks much harder to execute. “Making attackers work harder and take more risks is part of the plan to help make zero-days hard,” they told WIRED. But NSO Group eventually found a way.

ForcedEntry exploits weaknesses in how iMessage accepted and interpreted files such as GIFs, tricking the platform into opening a malicious PDF without the victim doing anything at all. The attack exploited a vulnerability in a legacy compression tool used to process text in images from a physical scanner, allowing NSO Group customers to take over an iPhone completely. Essentially, 1990s algorithms used in photocopy and scan compression still lurk in modern communication software, with all the flaws and baggage that come with them.
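The paragraph above describes a file carrying one label (a GIF) while its bytes are something else (a PDF) that the receiving side then parses with a far more complex decoder. The defender-side check that follows is an added example, written for this page and not taken from Project Zero, Citizen Lab or Apple: it sniffs the leading bytes of an attachment and flags any whose identified content disagrees with the declared type. The magic-number table is standard; every sample attachment and the `lure.gif` name are constructed here for illustration.

```python
"""
Added example (not from the article or from Project Zero): a small
content-sniffing check that flags attachments whose declared type
(file extension) disagrees with what the bytes actually are.
Signatures are the well-known leading bytes of each format; the sample
attachments at the bottom are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Leading byte sequences ("magic numbers") for a few common formats.
MAGIC: dict[str, tuple[bytes, ...]] = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Map file extensions onto the format names used in MAGIC.
EXTENSIONS = {"gif": "gif", "pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}


def sniff_type(data: bytes) -> str | None:
    """Return the format implied by the leading bytes, or None if unrecognised."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def declared_type(filename: str) -> str | None:
    """Return the format the file name claims, or None if the extension is unknown."""
    if "." not in filename:
        return None
    return EXTENSIONS.get(filename.rsplit(".", 1)[1].lower())


@dataclass
class Verdict:
    filename: str
    declared: str | None
    actual: str | None
    mismatch: bool


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Flag an attachment when its content is identifiable and not what the name claims."""
    declared = declared_type(filename)
    actual = sniff_type(data)
    return Verdict(filename, declared, actual, actual is not None and declared != actual)


# Constructed sample attachments (not real captures). "lure.gif" is a PDF
# header carrying a GIF file name, the shape of mismatch the article describes.
SAMPLES: dict[str, bytes] = {
    "cat.gif": b"GIF89a" + b"\x00" * 16,
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "lure.gif": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "blob.bin": b"\x00\x01\x02\x03",
}


def scan(samples: dict[str, bytes]) -> list[Verdict]:
    """Run the check over a batch of (name, bytes) attachments."""
    return [check_attachment(name, data) for name, data in samples.items()]


def flagged(samples: dict[str, bytes] = SAMPLES) -> list[str]:
    """Names of attachments whose content contradicts their declared type."""
    return [v.filename for v in scan(samples) if v.mismatch]


if __name__ == "__main__":
    for v in scan(SAMPLES):
        status = "MISMATCH" if v.mismatch else "ok"
        print(f"{v.filename:12} declared={v.declared!s:5} actual={v.actual!s:5} {status}")
```

The design choice that matters is what happens on a mismatch: a gateway or messaging client that routes the bytes to whichever decoder the sniffed content suggests has reproduced the behaviour the article describes, so the safe policy is to quarantine or drop the attachment rather than pick a parser for it. Running the block prints one line per sample and marks only `lure.gif`.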

The sophistication doesn’t end there. While many attacks require a command-and-control server to send instructions to successfully planted malware, ForcedEntry sets up its own virtualized environment. The entire attack infrastructure can be built and run inside a strange backwater of iMessage, making the attack even harder to detect. “It’s pretty incredible and, at the same time, pretty scary,” the Project Zero researchers concluded in their analysis.

Project Zero’s technical deep dive is significant not only because it explains the details of how ForcedEntry works, but because it reveals how impressive and dangerous privately developed malware can be, says John Scott-Railton, senior researcher at Citizen Lab.

“This is on par with the serious capabilities of nation-states,” he says. “It’s really sophisticated stuff, and when driven by an autocrat with no brakes and full throttle, it’s totally terrifying. And it makes you wonder what else is being used right now that is waiting to be discovered. If this is the type of threat facing civil society, it really is an emergency.”

After years of controversy, there may be growing political will to rein in private spyware developers. On Tuesday, for example, a group of 18 US congressmen sent a letter to the Treasury and State Departments asking the agencies to sanction NSO Group and three other international surveillance companies, as Reuters first reported.

“This is not ‘NSO exceptionalism.’ There are many companies that provide similar services that are likely to do similar things,” Beer and Groß told WIRED. “It was just, this time, NSO was the company that got caught in the act.”
