Linked List: December 21, 2021

Project Zero: A Deep Dive Into an N.S.O. Zero-Click iMessage Exploit

Ian Beer and Samuel Groß of Google Project Zero:

Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

I won’t claim to understand all of this — pointer programming was never my forte — but the overall explanation here is very cogent, and easy to follow. Basically, NSO Group’s exploit involved sending an iMessage-using target a PDF file with a .gif file name extension. The PDF file contained an image in the semi-obscure JBIG2 format, a black-and-white format created for fax machines in the late 1990s. Apple’s image-processing code for JBIG2 streams had a buffer overflow bug. Then it gets a little eye-popping:

JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.

The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It’s pretty incredible, and at the same time, pretty terrifying.
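To make the "computationally equivalent" claim above concrete, here is an added toy model (not Project Zero's or NSO's code) that builds a ripple-carry adder out of nothing but the bitmap-composition operators JBIG2 defines (OR, AND, XOR, XNOR, REPLACE) and runs it on two 64-bit values. The flat bit-slot memory, the (op, dst, src) segment tuple and the slot layout are this example's own assumptions, not the real stream's encoding.

```python
# Added example, not Project Zero's or NSO's code: a toy model of how
# pixel-combination operators alone can implement arithmetic.  JBIG2
# composes bitmaps onto a page with OR, AND, XOR, XNOR and REPLACE; the
# memory layout, segment tuple format and slot names below are assumptions.
OPS = {
    "OR":      lambda d, s: d | s,
    "AND":     lambda d, s: d & s,
    "XOR":     lambda d, s: d ^ s,
    "XNOR":    lambda d, s: 1 - (d ^ s),
    "REPLACE": lambda d, s: s,
}

def run(segments, mem):
    """Apply each (op, dst, src) segment in order: mem[dst] = op(mem[dst], mem[src])."""
    for op, dst, src in segments:
        mem[dst] = OPS[op](mem[dst], mem[src])
    return mem

def full_adder(a, b, cin, s, cout, t1, t2, t3):
    """Segments computing s = a^b^cin and cout = a&b | (a^b)&cin via scratch bits."""
    return [
        ("REPLACE", t1, a), ("XOR", t1, b),        # t1 = a ^ b
        ("REPLACE", s, t1), ("XOR", s, cin),       # s  = a ^ b ^ cin
        ("REPLACE", t2, a), ("AND", t2, b),        # t2 = a & b
        ("REPLACE", t3, t1), ("AND", t3, cin),     # t3 = (a ^ b) & cin
        ("REPLACE", cout, t2), ("OR", cout, t3),   # cout = t2 | t3
    ]

def build_adder(width):
    """Ripple-carry adder over bit slots A[0..w), B[0..w), S[0..w), carry[0..w]."""
    A, B, S = 0, width, 2 * width
    C = 3 * width            # carry[i] = carry into bit i; carry[width] = carry out
    T = 4 * width + 1        # three scratch bits follow the carry chain
    segs = []
    for i in range(width):
        segs += full_adder(A + i, B + i, C + i, S + i, C + i + 1, T, T + 1, T + 2)
    return segs, (A, B, S, C, T + 3)

def add_via_segments(x, y, width=64):
    """Add two unsigned integers using only composition segments.
    Returns (sum mod 2**width, carry-out bit, number of segments executed)."""
    segs, (A, B, S, C, size) = build_adder(width)
    mem = [0] * size         # carry-in for bit 0 is the zero slot at C
    for i in range(width):
        mem[A + i] = (x >> i) & 1
        mem[B + i] = (y >> i) & 1
    run(segs, mem)
    total = sum(mem[S + i] << i for i in range(width))
    return total, mem[C + width], len(segs)
```

Ten segments per bit gives 640 for a 64-bit add; the exploit's 70,000-plus segments buy the comparator, registers and memory-search logic on top of this.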

‘The Secret Uganda Deal That Has Brought N.S.O. to the Brink of Collapse’

Mehul Srivastava, reporting for The Financial Times:

In February 2019, an Israeli woman sat across from the son of Uganda’s president and made an audacious pitch — would he want to secretly hack any phone in the world? [...]

A few months after the initial approach, NSO’s chief executive, Shalev Hulio, landed in Uganda to seal the deal, according to two people familiar with NSO’s East Africa business. Hulio, who flew the world with the permission of the Israeli government to sell Pegasus, liked to demonstrate in real time how it could hack a brand-new, boxed iPhone. [...]

After spending a decade in the favor of the Israeli government, NSO now finds itself as an irritant in relations between Israel and the US, using up vital foreign “policy bandwidth we need to talk about Iran,” said a foreign ministry official who asked for anonymity.

That is a reversal for NSO, which former Prime Minister Benjamin Netanyahu used as a diplomatic calling card with several countries, including the UAE, Morocco, Bahrain, and Saudi Arabia, which did not have official relations with Israel.

Using this system as a “diplomatic calling card” — with that list of countries — is outrageous. Downright dystopian.

Terrific reporting from the Financial Times here, including more circumstantial evidence that it was Apple who tipped off the State Department about these hacked phones in Uganda. Remarkably detailed for an operation that, quite obviously, was intended to be clandestine.