NSO Group iMessage Zero-Click Exploit Captured in the Wild
Summary
While analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, we discovered a zero-day zero-click exploit against iMessage. The exploit, which we call FORCEDENTRY, targets Apple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.
We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware. We believe that FORCEDENTRY has been in use since at least February 2021.
The Citizen Lab disclosed the vulnerability and code to Apple, which has assigned the FORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as “processing a maliciously crafted PDF may lead to arbitrary code execution.”
Today, September 13th, Apple is releasing an update that patches CVE-2021-30860. We urge readers to immediately update all Apple devices.
Devices affected by CVE-2021-30860 per Apple: All iPhones with iOS versions prior to 14.8, All Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina, and all Apple Watches prior to watchOS 7.6.2.
Discovery
In March 2021, we examined the phone of a Saudi activist who has chosen to remain anonymous, and determined that they had been hacked with NSO Group’s Pegasus spyware. During the course of the analysis we obtained an iTunes backup of the device.
Figure 1: The GIF files we found on the phone.
Recent re-analysis of the backup yielded several files with the “.gif” extension in Library/SMS/Attachments that we determined were sent to the phone immediately before it was hacked with NSO Group’s Pegasus spyware.
Payload
The files were:
27 copies of an identical file with the “.gif” extension. Despite the extension, the file was actually a 748-byte Adobe PSD file. Each copy of this file caused an IMTranscoderAgent crash on the device. These files each had random-looking ten-character filenames.
Four different files with the “.gif” extension that were actually Adobe PDF files containing a JBIG2-encoded stream. Two of these files had 34-character names, and two had 97-character names.
The output of the pdfid tool on these four “.gif” files was (NB: the stream had varying length):
