An open iMessage vulnerability is currently still being used to stealthily install spyware from the NSO Group, according to the forensic report by Amnesty International. According to the technical analysis of the iOS version, the Pegasus spy software could be detected on iPhones between 2016 and today. Apple is already investigating the problem. The focus of the analysis was on iOS devices, because only a few forensic traces can be found on Android after a restart.
The NSO Group sells its surveillance software Pegasus to authorities, secret services and the military. But according to the research network “Forbidden Stories”, the software was not only used against criminals. A leaked list of 50,000 telephone numbers that were to be monitored with the NSO Group’s software fell into the hands of the network. It also contained the numbers of journalists, human rights activists, executives, military personnel, prime ministers and heads of state.
The spyware was found on smartphones in France and Hungary, among others. According to the Amnesty report, the way in which the spy software is brought onto smartphones has changed again and again over the past few years: at first through SMS with links to websites, later through injected network packets, and most recently through iMessage messages on iOS version 14.6.
“Bridgehead”: traces in logs
On the examined iOS devices, a process called “bh” (probably standing for “BridgeHead”) appeared in the logs as early as 2016 and was attributed to the Pegasus spyware. This could be determined by analyzing iTunes backups, which also contain log databases such as “DataUsage.sqlite”. Before BridgeHead loads further spyware components, it always switches off Apple’s CrashReporter by writing the file com.apple.CrashReporter.plist to /private/var/root/Library/Preferences/. By this point the malicious code is said to have already obtained root privileges through a series of vulnerabilities.
According to the report, traces of the BridgeHead process were also found in the log files following network traffic from other apps such as Apple Photos or Apple Music. It is not clear whether the apps themselves are or were insecure, or whether they serve as part of an exploit chain to gain higher privileges on the device. The problem is still being investigated by Apple.
According to the report, the NSO Group also tried to cover its traces in the logs, but was not thorough enough. They deleted entries in the table ZPROCESS, but not the corresponding records in the table ZLIVEUSAGE. In addition, they tried to make the analysis more difficult by using similar-sounding process names.
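The inconsistency described above, as an added example that is not part of the Amnesty report or this article: a Python check over a constructed DataUsage.sqlite-style database that flags ZLIVEUSAGE records whose process entry no longer exists in ZPROCESS. The table layout and column names (Z_PK, ZHASPROCESS, ZPROCNAME and so on) are a simplified assumption for illustration, not taken from the report.

```python
import sqlite3

# Constructed, simplified schema modelled on the two tables the report names;
# the column names are assumptions made for this example.
SCHEMA = """
CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZBUNDLENAME TEXT);
CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
                         ZTIMESTAMP REAL, ZWIFIIN INTEGER, ZWIFIOUT INTEGER);
"""

# Constructed sample data: process 3 has been scrubbed from ZPROCESS, but its
# ZLIVEUSAGE rows were left behind, which is the inconsistency described above.
SAMPLE = [
    ("INSERT INTO ZPROCESS VALUES (?,?,?)",
     [(1, "mobilemail", "com.apple.mobilemail"),
      (2, "Photos", "com.apple.mobileslideshow")]),
    ("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?)",
     [(10, 1, 612000000.0, 5000, 900),
      (11, 2, 612000100.0, 120000, 3000),
      (12, 3, 612000200.0, 0, 48213),
      (13, 3, 612000400.0, 0, 51044)]),
]


def build_sample_db():
    """Create an in-memory database populated with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt, rows in SAMPLE:
        conn.executemany(stmt, rows)
    conn.commit()
    return conn


def find_orphaned_usage(conn):
    """Return ZLIVEUSAGE rows whose ZHASPROCESS points at no ZPROCESS row.

    The LEFT JOIN keeps every usage record; rows where the ZPROCESS side is
    NULL belong to a process that was removed from ZPROCESS only.
    """
    query = """
        SELECT u.Z_PK, u.ZHASPROCESS, u.ZTIMESTAMP, u.ZWIFIIN, u.ZWIFIOUT
        FROM ZLIVEUSAGE u
        LEFT JOIN ZPROCESS p ON p.Z_PK = u.ZHASPROCESS
        WHERE p.Z_PK IS NULL
        ORDER BY u.ZTIMESTAMP
    """
    return conn.execute(query).fetchall()


if __name__ == "__main__":
    for row in find_orphaned_usage(build_sample_db()):
        print("orphaned usage record:", row)
```

Orphaned usage records are only a sign of tampering, not proof of Pegasus; the process name behind the dangling id is gone and must be correlated with other artifacts from the backup.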
Amnesty reports that an Indian journalist’s iPhone with iOS 14.6 was infected with Pegasus via iMessages. Accordingly, the processing of photos plays a central role in this 0-day. There are logs of over 40 GIFs on the devices, which were processed shortly before the malicious processes. This suggests further problems with the ImageIO framework that is responsible for displaying images. If you can do without iMessage, you would be well advised to deactivate it.
With iOS update 14.3, 14.4, 14.5 and 14.6, Apple closed at least one security hole in ImageIO each time, which enabled arbitrary code execution through specially generated images.
Signs of compromise
For years, Citizen Lab, a group of researchers at the University of Toronto, has observed the domains of the surveillance company NSO Group. Most of the uncovered servers are said to be located in Germany, followed by the United Kingdom, Switzerland, France and the USA. The NSO Group is said to have moved its infrastructure to Amazon CloudFront as a hosting provider only a few months ago; that infrastructure has since been shut down. To allow anyone to search for indications of a compromise themselves, Amnesty lists all known domains, e-mail addresses and file names of the NSO Group in a GitHub repository.
In addition, the Mobile Verification Toolkit helps find traces of infection on smartphones. This Python tool can be used to extract logs from Android and iOS devices. Since Android retains only a few usable logs after a restart, Amnesty focused on iOS, which says nothing about the security of Android devices.