Google releases its Pegasus hack analysis, here’s how iPhone security was compromised

Google's Project Zero, a team of security analysts focused on finding vulnerabilities in software that could be exploited by hackers, released its analysis on the ForcedEntry exploit.
The ForcedEntry exploit was made by the Israeli-based cyber arms firm NSO Group. NSO Group, known for its spyware, used ForcedEntry to exploit a vulnerability in Apple's iMessage platform and deploy its Pegasus spyware.

Project Zero used a sample of ForcedEntry provided by the University of Toronto's Citizen Lab, which was the first to discover NSO's exploit. In its deep dive into the exploit, Project Zero stated that ForcedEntry uses a zero-click attack, which means that for the hack to work, the victim doesn't need to click on a link or grant permission. The hack bypassed Apple's iOS zero-click defenses and, using Apple's iMessage, took over devices to install Pegasus, an NSO Group software used for spying.

ForcedEntry exploited the way iMessage accepted and interpreted files like GIFs to deceive the platform and make it open a malicious PDF file without any user involvement. The exploit utilized a weakness in an old compression technology designed to create compressed PDF files from scanning a document with a physical scanner. This same technology is still used by computers today.

ForcedEntry uses a script made of logical commands written directly into the masked PDF file. This enables it to establish and run the whole attack while hiding within iMessage, making it even more difficult to find. The fact that ForcedEntry uses such technology makes it unique because many similar attacks need to use the so-called command-and-control server to give instructions to the implanted malware.

About the ForcedEntry attack, Citizen Lab senior researcher John Scott-Railton stated, "This is on par with serious nation-state capabilities. Project Zero's technical deep dive is significant not just because it explicates the details of how ForcedEntry works but because it reveals how impressive and dangerous privately developed malware can be. "

In September, the University of Toronto's Citizen Lab reported that the Israeli-based NSO Group uses its ForcedEntry exploit to hack and install its Pegasus spyware on the phones of selected users. Pegasus was used to read messages, track calls and locations, and collect sensitive information from apps. The spyware could also access the phone's camera and microphone. After the report, Apple released a series of patches to contain the ForcedEntry attack and fix the vulnerability in iMessage.