Deconstructing NSO Group's FORCEDENTRY Zero-Click Exploit
A zero-click exploit is a cyberattack that requires no interaction from the victim. Unlike traditional phishing attacks that need a user to click a link or open a file, these exploits can compromise a device silently, making them incredibly dangerous and difficult to detect.
The "FORCEDENTRY" exploit, discovered by Citizen Lab and analyzed by Google Project Zero, is a prime example of this new frontier in cyber warfare.
The exploit targeted a vulnerability in the way iMessage handled JBIG2 images, a format used for compressing black-and-white images in PDFs. The attackers found a way to turn the logical operations (AND, OR, XOR) that the JBIG2 decompressor applies when it draws image regions into a powerful, albeit limited, computational environment.
By carefully crafting a series of JBIG2 segments, the attackers could perform logical operations on memory, effectively building their own logic gates. This allowed them to write data outside of the intended memory boundaries, achieving the first step towards full device control.
On its own, the initial memory corruption was limited. To overcome this, the attackers built a fully functional virtual computer inside the JBIG2 decompression process. This virtual CPU had its own memory, registers and a simple instruction set, making it "Turing complete" and capable of running any program.
The virtual CPU was a brilliant solution to a complex problem. It allowed the attackers to write and execute a small program that could then disable security features and call more powerful system functions, effectively bridging the gap from a limited memory corruption vulnerability to full code execution.
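To make the "logic gates from image operations" idea concrete, here is an added Python model written for this page; it is not Project Zero's analysis code and not anything from NSO. It assumes a toy page bitmap and the five JBIG2 region composition operators (OR, AND, XOR, XNOR, REPLACE). Each instruction composes one region of the bitmap onto another region of the same bitmap, and a straight-line list of such instructions is enough to build a 4-bit ripple-carry adder, the kind of primitive from which the virtual CPU described above was assembled. The cell layout and the `compose`, `full_adder`, `ripple_adder` and `add` names are my own.

```python
"""Toy model of JBIG2-style region composition used as logic gates.

Added example, not Project Zero's or NSO's code. The page bitmap is a flat
list of bits; a 'region segment' is drawn onto it with one of the JBIG2
composition operators OR, AND, XOR, XNOR or REPLACE. A gate here is a
composition whose source and destination are both regions of the same
bitmap, so a list of compositions becomes a straight-line program that
computes on the bitmap's own contents. Cell layout and names are my own.
"""
from enum import Enum
from typing import List, Tuple


class Op(Enum):
    OR = 0
    AND = 1
    XOR = 2
    XNOR = 3
    REPLACE = 4


def _combine(op: Op, dst: int, src: int) -> int:
    """Combine one destination bit with one source bit under `op`."""
    if op is Op.OR:
        return dst | src
    if op is Op.AND:
        return dst & src
    if op is Op.XOR:
        return dst ^ src
    if op is Op.XNOR:
        return 1 - (dst ^ src)
    return src  # REPLACE


# One 'instruction': (src_offset, dst_offset, width, op)
Instr = Tuple[int, int, int, Op]


def compose(page: List[int], src: int, dst: int, width: int, op: Op) -> None:
    """Compose page[src:src+width] onto page[dst:dst+width] in place."""
    src_bits = page[src:src + width]  # snapshot first: regions may overlap
    for i, s in enumerate(src_bits):
        page[dst + i] = _combine(op, page[dst + i], s)


def run(page: List[int], program: List[Instr]) -> List[int]:
    """Execute a straight-line list of compositions on the page."""
    for src, dst, width, op in program:
        compose(page, src, dst, width, op)
    return page


def full_adder(a: int, b: int, cin: int, t: int, s: int, cout: int) -> List[Instr]:
    """One-bit full adder on cells a, b, cin using scratch cell t;
    leaves the sum in s and the carry-out in cout. Eight compositions."""
    return [
        (a, t, 1, Op.REPLACE),     # t    = a
        (b, t, 1, Op.XOR),         # t    = a ^ b
        (t, s, 1, Op.REPLACE),     # s    = a ^ b
        (cin, s, 1, Op.XOR),       # s    = a ^ b ^ cin
        (cin, t, 1, Op.AND),       # t    = (a ^ b) & cin
        (a, cout, 1, Op.REPLACE),  # cout = a
        (b, cout, 1, Op.AND),      # cout = a & b
        (t, cout, 1, Op.OR),       # cout = (a & b) | ((a ^ b) & cin)
    ]


def ripple_adder(n: int) -> List[Instr]:
    """n-bit ripple-carry adder. Page layout (all LSB first):
    A: [0, n)  B: [n, 2n)  carry chain C: [2n, 3n]  S: [3n+1, 4n+1)
    scratch T: [4n+1, 5n+1)."""
    A, B, C, S, T = 0, n, 2 * n, 3 * n + 1, 4 * n + 1
    program: List[Instr] = []
    for i in range(n):
        program += full_adder(A + i, B + i, C + i, T + i, S + i, C + i + 1)
    return program


def add(x: int, y: int, n: int = 4) -> int:
    """Add two n-bit integers using nothing but compositions; returns the
    (n+1)-bit result including the final carry."""
    page = [0] * (5 * n + 1)  # carry-in cell C[0] starts at 0
    for i in range(n):
        page[i] = (x >> i) & 1
        page[n + i] = (y >> i) & 1
    run(page, ripple_adder(n))
    S, C = 3 * n + 1, 2 * n
    total = sum(page[S + i] << i for i in range(n))
    return total | (page[C + n] << n)


if __name__ == "__main__":
    print(len(ripple_adder(4)), "compositions compute", add(7, 9), "=", 7 + 9)
```

The point of the model is the shape of the program, not the arithmetic: every step is a legitimate decoder operation on the image buffer, which is why signature-based detection of such a payload is hard and why isolating the decoder (as BlastDoor later did) is the more robust defence.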
The attack chain, step by step:
1. The initial entry point via a malicious iMessage.
2. The virtual CPU runs a small program to escape the iMessage sandbox.
3. The exploit gains higher privileges on the device.
4. The final payload is installed, giving the attackers full control.
In response to these attacks, Apple introduced "BlastDoor" in iOS 14. This new security feature acts as a sandbox for iMessage, isolating and inspecting incoming messages in a separate, secure environment. If a message is malicious, it is safely detonated before it can harm the rest of the system.
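As an added illustration of the isolation pattern BlastDoor applies (my own sketch, not Apple's implementation), the following Python decodes an untrusted attachment in a separate, time- and memory-limited interpreter. The parent never parses the raw bytes itself and treats any crash, hang or malformed decoder output as a reason to quarantine the message. The 2-byte-header bitmap format, the `decode_isolated` function and the `_limit_child` hook are constructed for this example.

```python
"""Toy model of BlastDoor-style isolation: decode untrusted bytes in a
separate, resource-limited process so that a decoder bug crashes the
child, not the messaging app.

Added example; not Apple's code. The 'image format' is a constructed
2-byte-header bitmap, and the child is a plain Python interpreter rather
than a sandboxed XPC service.
"""
import json
import os
import subprocess
import sys

# Source of the child process. It reads the raw attachment from stdin,
# validates it and prints a JSON summary. Any exception exits non-zero.
_CHILD = r'''
import sys, json
raw = sys.stdin.buffer.read()
if len(raw) < 2:
    raise ValueError("short header")
w, h = raw[0], raw[1]          # constructed format: width, height, then w*h pixel bytes
if w * h > 64:
    raise ValueError("declared size too large")
body = raw[2:]
if len(body) != w * h:
    raise ValueError("body length does not match header")
print(json.dumps({"w": w, "h": h, "ones": sum(1 for b in body if b)}))
'''


def _limit_child() -> None:
    """preexec hook (POSIX only): cap the child's address space so a runaway
    decoder is killed by the kernel instead of exhausting memory."""
    try:
        import resource
        cap = 512 * 1024 * 1024
        resource.setrlimit(resource.RLIMIT_AS, (cap, cap))
    except (ImportError, ValueError, OSError):
        pass  # limit unsupported here; the time limit still applies


def decode_isolated(raw: bytes, timeout: float = 5.0) -> dict:
    """Parse `raw` in a child interpreter. Returns {'status': 'ok', ...} or
    {'status': 'quarantined', 'reason': ...}. The parent only hands the
    bytes to the child; it never interprets them."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD],
            input=raw, capture_output=True, timeout=timeout,
            preexec_fn=_limit_child if os.name == "posix" else None,
        )
    except subprocess.TimeoutExpired:
        return {"status": "quarantined", "reason": "decoder timed out"}
    if proc.returncode != 0:
        # Crash or validation failure: the message never reaches the app.
        return {"status": "quarantined",
                "reason": f"decoder exited with {proc.returncode}"}
    try:
        return {"status": "ok", "image": json.loads(proc.stdout)}
    except ValueError:
        return {"status": "quarantined", "reason": "malformed decoder output"}


if __name__ == "__main__":
    good = bytes([2, 2, 1, 0, 0, 1])  # constructed 2x2 image, two set pixels
    bad = bytes([255, 255, 7])        # header claims 65025 pixels, body has 1
    print(decode_isolated(good))
    print(decode_isolated(bad))
```

Two design choices carry the security value: the decoder runs with less than the app's privileges and a hard ceiling on time and memory, and the parent's decision is based only on the child's exit status and a small structured result, so a parser bug in the child cannot become code execution in the process that holds the user's data.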