NSO Group — an Israeli technology company known for its spyware — faces sanctions and high-profile lawsuits for its product Pegasus, which is capable of remote zero-click surveillance of smartphones.
Analysis released by Google’s Project Zero group on Wednesday that looks at NSO’s technology ForcedEntry comes with a warning. The technology offers the ability for private businesses to create hacking tools that have the technical sophistication of the most government-backed development groups.
NSO Group is also known for its ForcedEntry iOS exploit, deployed in several targeted attacks against dissidents and journalists this year.
The biggest challenge to businesses and marketers is that the NSO exploit uses a zero-click attack, meaning someone does not need to take action like click on a link to become a victim. They only need to open the page.
“Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it's a weapon against which there is no defense,” Google Project Zero computer security experts Ian Beer and Samuel Groß of Google Project Zero wrote in a post.
Google Project Zero experts found that ForcedEntry used a series of tactics to target Apple's iMessage platform, bypassing protections the company has added in recent years to make such attacks more difficult, and take over devices to install NSO's spyware called Pegasus.
Last month the United States added NSO to the "Entity List” for malicious cyber activities. When a company like the NSO lands on the list, U.S. companies are restricted from doing business with it.
A press release states that NSO tools enabled “foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent."
Citizen Lab, which has been tracking the use of NSO’s spyware for years, managed to recover some Pegasus exploits from an iPhone, which is outlined in the post.
NSO also sells similar zero-click capabilities that target Android devices, but Google Project Zero did not gain samples of those exploits.
Apple released a series of patches in September and October aimed at lessening the impact of ForcedEntry attacks, although ForcedEntry is one of the most technically sophisticated exploits that Project Zero researchers have seen.
ForcedEntry takes advantage of weaknesses in how iMessage accepted and interpreted files like GIFs to trick the platform into opening a malicious PDF without a victim doing anything, Wired points out.
The attack exploited a vulnerability in a legacy compression tool used to process text in images from a physical scanner, enabling NSO Group customers to take over an iPhone completely. The 1990's algorithms used in photocopying and scanning compression are still in modern communication software, with all of the flaws and baggage that come with them.
Project Zero's technical deep dive is significant because it details how ForcedEntry works and it reveals how impressive and dangerous privately developed malware can be, John Scott-Railton, senior researcher at Citizen Lab, told Wired.
“This is on par with serious nation-state capabilities,” he told Wired. “It's really sophisticated stuff, and when it's wielded by an all-gas, no-brakes autocrat, it's totally terrifying.”
It makes him wonder what else is out there being used that is waiting to be discovered. If this is the kind of threat civil society is facing, it is truly an emergency.
“It's pretty incredible, and at the same time, pretty terrifying,” Google Project Zero security analysts wrote in the post.