As they dissect the recently patched Apple bug that was used to install the Pegasus spyware on specific targets, security researchers from Google’s Project Zero have discovered an innovative new attack mechanism they’ve dubbed a “zero-click exploit,” that no mobile antivirus can foil. “Short of not using a device, there is no way to prevent exploitation by a ‘zero-click exploit;’ it’s a weapon against which there is no defense,” claimed Google Project Zero engineers Ian Beer & Samuel Groß in a blog post.
Frankenstein’s Monster
The Pegasus spyware is the brainchild of the NSO Group, an Israeli technology firm that has now been added to the US “Entity List,” which essentially blocklists it from the US market. “It’s not clear what a reasonable explanation of privacy is on a cell phone, where we often make highly personal calls in public places. But we certainly don’t expect someone to listen in on our phone, though that’s what Pegasus enables people to do,” explained Saryu Nayyar, CEO of cybersecurity company Gurucul, in an email to Lifewire. The Pegasus spyware came into the limelight in July 2021, when Amnesty International revealed that it was used to spy on journalists and human rights activists worldwide. This was followed by a revelation from researchers at Citizen Lab in August 2021, after they found evidence of surveillance on iPhone 12 Pro’s of nine Bahraini activists through an exploit that evaded the latest security protections in iOS 14 collectively known as BlastDoor. In fact, Apple has filed a lawsuit against the NSO Group, holding it accountable for circumventing iPhone security mechanisms to surveil Apple users via its Pegasus spyware. “State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering, in the press release about the lawsuit. In the two-part Google Project Zero post, Beer and Groß explained how the NSO Group got the Pegasus spyware onto the iPhones of the targets using the zero-click attack mechanism, which they described as both incredible and terrifying. A zero-click exploit is exactly what it sounds like—the victims don’t need to click or tap anything to be compromised. Instead, simply viewing an email or message with the offending malware attached allows it to install on the device.
Impressive and Dangerous
According to the researchers, the attack begins through a nefarious message on the iMessage app. To help us break down the rather complex attack methodology devised by the hackers, Lifewire enlisted the help of independent security researcher Devanand Premkumar. Premkumar explained that iMessage has several in-built mechanisms to handle animated .gif files. One of these methods checks the specific file format using a library named ImageIO. The hackers used a ‘gif trick’ to exploit a weakness in the underlying support library, called CoreGraphics, to gain access to the target iPhone. “As end-users, we should always be cautious about opening messages from unknown or untrusted sources, no matter how enticing the subject or message be, as that is being used as the primary entry point into the mobile phone,” Premkumar advised Lifewire in an email. Premkumar added that the current attack mechanism is only known to work on iPhones as he ran through the steps Apple has taken to defang the current vulnerability. But while the current attack has been curtailed, the attack mechanism has opened Pandora’s box. “Zero-click exploits are not going to die anytime soon. There will be more and more of such zero-click exploits tested and deployed against high profile targets for the sensitive and valuable data which can be extracted from such exploited users’ mobile phones,” said Premkumar. Meanwhile, in addition to the lawsuit against NSO, Apple has decided to provide technical, threat intelligence, and engineering assistance to the Citizen Lab researchers pro-bono and has promised to offer the same assistance to other organizations doing critical work in this space. Additionally, the company has gone to the extent of contributing $10 million, as well as all the damages awarded from the lawsuit to support organizations involved in the advocacy and research of cyber-surveillance abuses.