NSO Group used fake GIFs to hack Apple iMessage

"One of the most technically sophisticated exploits we've ever seen": Google Project Zero.

Controversial Israeli spyware vendor NSO Group was able to hack Apple's iMessage on victim devices by sending fake GIF images that targeted a vulnerability in a PDF parser, a technical analysis by Google's Project Zero security researchers shows.

Victims did not have to click on links in iMessages for their devices to be hacked; they only had to receive the malicious messages which had been booby-trapped with NSO Group's Pegasus spyware.

Once the message had been received, iMessage would parse any image file with the .gif extension before the message itself was displayed.

However, because of how iMessage image handling was set up, NSO Group discovered it was possible to send fake GIF files, exposing hundreds of thousands of lines of code in over 20 image codecs, including a JBIG2 standard vulnerability in the iOS CoreGraphics PDF parser.
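The gap described above is a file whose name says GIF while its bytes are something else. The following is an added example, not code from Apple, Project Zero or this article: a check that lets an attachment through to a decoder only when its content signature matches its extension; the function names, the format table and the sample bytes are assumptions made for illustration.

```python
import os

# Well-known leading signatures; this table is the example's own choice.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "jbig2": (b"\x97JB2\r\n\x1a\n",),
}
EXT_TO_TYPE = {".gif": "gif", ".png": "png", ".jpg": "jpeg",
               ".jpeg": "jpeg", ".pdf": "pdf", ".jb2": "jbig2"}


def sniff(data: bytes) -> list:
    """Return every format the bytes could be read as (sorted)."""
    found = {kind for kind, sigs in MAGIC.items() if data.startswith(sigs)}
    # Lenient PDF readers accept the header anywhere in the first 1024
    # bytes, so search that window instead of only offset 0.
    if b"%PDF-" in data[:1024]:
        found.add("pdf")
    return sorted(found)


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the sniffed types."""
    ext = os.path.splitext(filename.lower())[1]
    claimed = EXT_TO_TYPE.get(ext)
    actual = sniff(data)
    # Allow only when the content matches exactly one format and it is the
    # claimed one; this also rejects polyglots that match two formats.
    return {"file": filename, "claimed": claimed, "actual": actual,
            "allow": claimed is not None and actual == [claimed]}


# Constructed sample inputs (harmless byte strings, not real exploit files).
SAMPLES = [
    ("cat.gif", b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"),        # real GIF header
    ("cat.gif", b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n"),          # PDF named .gif
    ("cat.gif", b"GIF89a" + b"\x00" * 16 + b"%PDF-1.4\n"),      # GIF/PDF polyglot
    ("cat.gif", b"\x97JB2\r\n\x1a\n\x01\x00\x00\x00\x01"),      # bare JBIG2 stream
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(check_attachment(name, blob))
```

A signature match only establishes which decoder the bytes are addressed to; it says nothing about whether that decoder is safe, which is why the decoding itself still belongs in a sandbox.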

The sample NSO Group FORCEDENTRY exploit was found by University of Toronto's Citizen Lab, which discovered traces of the hack on journalists' and activists' devices, and shared it with Project Zero and Apple's Security Engineering and Architecture researchers.

Researchers Ian Beer and Samuel Groß of Google Project Zero, who conducted the analysis of the FORCEDENTRY exploit, assessed it to be one of the most technically sophisticated exploits they had ever seen.

After analysis of the vulnerability, Apple moved GIF decoding to take place entirely within the mobile operating system's BlastDoor "sandbox", which sanitises data, in iOS 15.0, released in September this year.

Project Zero said it is aware that NSO Group sells zero-click exploits for Google Android with similar capabilities to the iOS one, and is asking for samples of these to study.

Apple and Facebook have taken legal action against NSO Group for the alleged hacks, and the spyware vendor has been placed on an official United States blacklist.

Copyright © iTnews.com.au. All rights reserved.