Researchers call NSO zero-click iPhone exploit 'incredible and terrifying'

Apple has sued the group over the 'nation state' level iMessage attack.

An Israeli woman uses her iPhone in front of the building housing the Israeli NSO group, on August 28, 2016, in Herzliya, near Tel Aviv. - Apple iPhone owners, earlier in the week, were urged to install a quickly released security update after a sophisticated attack on an Emirati dissident exposed vulnerabilities targeted by cyber arms dealers.
Lookout and Citizen Lab worked with Apple on an iOS patch to defend against what was called "Trident" because of its triad of attack methods, the researchers said in a joint blog post.
Trident is used in spyware referred to as Pegasus, which a Citizen Lab investigation showed was made by an Israel-based organization called NSO Group. (Photo by JACK GUEZ / AFP) (Photo by JACK GUEZ/AFP via Getty Images)

Google researchers have described NSO Group's zero-click exploit used to hack Apple devices as "incredible and terrifying," Wired has reported. Project Zero researchers called it "one of the most technically sophisticated exploits we've ever seen" that's on par with attacks from elite nation-state spies. 

The Project Zero team said it obtained one of NSO's Pegasus exploits from Citizen Lab, which managed to capture it via a targeted Saudi activist. It also worked with Apple's Security Engineering and Architecture (SEAR) group on the technical analysis.

NSO's original exploit required the user to click on a link, but the latest, most sophisticated exploits require no click at all. Called ForcedEntry, it takes advantage of the way iMessage interprets files like GIFs to open a malicious PDF file with no action required from the victim. It does so through old code from the 1990s that processes text in scanner images.

Once inside a device, the malware can set up its own virtualized environment and run JavaScript-like code, with no need to connect to an outside server. From there, it gives an attacker access to a victim's passwords, microphone, audio and more. The exploit is extremely hard to detect and is "a weapon against which there is no defense," Project Zero researchers said.

Apple recently filed a lawsuit against the group to "hold it accountable" for governments using it to spy on iOS users. Apple alleged that targets are often activists, journalists and other critics of regimes that routinely suppress political dissent. It also accused NSO of "flagrant violations" of federal- and state-level laws in the US. Last month, the US Department of Commerce added NSO Group to its "entity list", essentially banning it from use in the US.
