The now-patched Pegasus iPhone hack is among the most sophisticated attacks seen in recent years. Googlers from Project Zero have described it as “one of the most technically sophisticated exploits” they have ever seen after studying the iMessage security exploit that has repeatedly made headlines. They say the NSO Group’s infamous tool is on par with what you’d expect from nation-state spying tools when it comes to sophistication. NSO customers, including totalitarian regimes, have used Pegasus to spy on unsuspecting iPhone users without their knowledge. The 0-day attack installs malicious code on iPhones via iMessage without the user even interacting with a message. That’s what made it so scary.
The Pegasus iPhone hack already had dramatic consequences for the company. The US government placed the Israeli security software developer on its ban list following the Pegasus disclosures. Moreover, Apple sued the company after patching the security exploit. Also, Apple has started notifying iPhone users who might have been Pegasus targets in the past.
The list of Pegasus victims usually includes dissidents, journalists, or politicians, rather than regular end-users. Apple already issued patches to neutralize the security vulnerabilities that allowed Pegasus to hack iPhones quietly. But the Google security researchers from Project Zero obtained a sample of Pegasus and worked out how the advanced spying tool operated on iPhones.
NSO Group’s scarily sophisticated iMessage assault
The Googlers at Project Zero published the first part of their Pegasus analysis. They also shared with Wired a brief account of how Pegasus hacked iPhones without the target knowing.
“We haven’t seen an in-the-wild exploit build an equivalent capability from such a limited starting point, no interaction with the attacker’s server possible, no JavaScript or similar scripting engine loaded, etc.,” Project Zero’s Ian Beer and Samuel Groß told Wired.
“There are many within the security community who consider this type of exploitation — single-shot remote code execution — a solved problem. They believe that the sheer weight of mitigations provided by mobile devices is too high for a reliable single-shot exploit to be built. This demonstrates that not only is it possible, it’s being used in the wild reliably against people.”
How Pegasus hacked iPhones
ForcedEntry is the name of the iOS exploit that made the Pegasus iPhone hacks possible. The NSO hackers figured out a way to take advantage of the way iMessage handles GIF file playback to sneak in a PDF file masquerading as a GIF. They then used a vulnerability in a compression tool designed to process text in images from a physical scanner. This tool, dating back to the 1990s, still finds its way into modern computers like the iPhone.
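As an added, defender-side illustration of the file-type masquerade described above (this is not code from the article or from Project Zero's write-up), the following Python check compares an attachment's declared type with its magic bytes, including the case where a PDF header sits past offset zero; every sample blob is constructed for the example:

```python
"""Flag an attachment whose declared type (by extension) disagrees with its
actual content, e.g. a PDF delivered under a .gif name.
Added example; not code from the article or from Project Zero."""
from dataclasses import dataclass

# Magic-byte signatures. GIF has two versions; a PDF header is commonly
# accepted anywhere in the first 1024 bytes, so startswith() alone is not enough.
GIF_MAGICS = (b"GIF87a", b"GIF89a")
PDF_MAGIC = b"%PDF-"
PDF_HEADER_WINDOW = 1024


@dataclass(frozen=True)
class Verdict:
    declared: str   # type implied by the file name
    actual: str     # type inferred from the bytes
    mismatch: bool


def declared_type(filename: str) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"gif": "gif", "pdf": "pdf"}.get(ext, "unknown")


def sniff_type(data: bytes) -> str:
    if data.startswith(GIF_MAGICS):
        return "gif"
    if PDF_MAGIC in data[:PDF_HEADER_WINDOW + len(PDF_MAGIC)]:
        return "pdf"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Verdict:
    # Only a positive identification that agrees with the extension counts as
    # consistent; unrecognised content is reported as a mismatch, not trusted.
    d, a = declared_type(filename), sniff_type(data)
    return Verdict(d, a, mismatch=(d != a))


# Constructed samples (not real attack artifacts):
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + bytes(16)
DISGUISED_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
OFFSET_PDF = b"\x00" * 200 + b"%PDF-1.4\n"  # header pushed inside the 1024-byte window

if __name__ == "__main__":
    for name, blob in [("cat.gif", REAL_GIF), ("cat.gif", DISGUISED_PDF), ("doc.gif", OFFSET_PDF)]:
        v = check_attachment(name, blob)
        print(f"{name}: declared={v.declared} actual={v.actual} mismatch={v.mismatch}")
```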
If that’s not enough, ForcedEntry built a virtual computer of sorts that ran “within a strange backwater of iMessage,” per Wired. That’s because malware needs to converse with a command-and-control center that sends it instructions. This behavior made the attack even harder to detect.
Again, Pegasus did not require any input from the user. The attacker only needed a phone number or Apple ID to send the payload via iMessage. No message would show up on the screen. The iPhone hack would succeed as soon as the invisible message hit the iPhone. From then on, the target would have no idea that someone had broken into their iPhone.
“It’s pretty incredible and, at the same time, pretty terrifying,” the Project Zero researchers said of ForcedEntry.
iPhone users running the latest iOS versions have anti-Pegasus protections in place. That doesn’t mean similar security companies have stopped devising spying tools for the iPhone, just that the ForcedEntry attack will no longer work on devices running the latest software.
Also, Pegasus targets have started receiving notifications from Apple about the hack. If you were wondering whether someone had spied on you with Pegasus, you’d have known by now.