In a surprise turn of events, Google Project Zero security researcher Ian Beer took to social media platform 𝕏 (formerly Twitter) this week to share an in-depth write-up on the 0-click NSO BLASTPASS iMessage exploit, which had been actively exploited in the wild before Apple patched it in iOS & iPadOS 16.6.1 on September 7th, 2023.

At the time, the exploit was considered highly dangerous because of just how easy it was for an attacker to trigger against a victim. iPhones and iPads could have been compromised on the latest firmware (at the time) without any input from the device’s end user, all from the attacker sending the victim PassKit attachments that contained malicious images via iMessage.
The researcher’s blog post walks us through not only how the attack worked, but also Beer’s thought process as he attempted to reverse-engineer it. It’s quite the fascinating read, especially if security research is of any interest to you.
In the blog post, Beer says that while BLASTPASS shares similarities with the FORCEDENTRY 0-click iMessage exploit used by the NSO Group in Pegasus spyware, the two attacks work quite differently. He closes with the following conclusion:
This is the second in-the-wild NSO exploit which relied on simply renaming a file extension to access a parser in an unexpected context which shouldn’t have been allowed.
FORCEDENTRY had a .gif which was really a .pdf.
BLASTPASS had a .png which was really a .webp.
A basic principle of sandboxing is treating all incoming attacker-controlled data as untrusted, and not simply trusting a file extension.
This speaks to a broader challenge in sandboxing: that current approaches based on process isolation can only take you so far. They increase the length of an exploit chain, but don’t necessarily reduce the size of the initial remote attack surface. Accurately mapping, then truly reducing the scope of that initial remote attack surface should be a top priority.
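The principle Beer states, that incoming attacker-controlled data must not be trusted on the strength of its file extension, can be enforced by sniffing the real container format from the leading bytes and refusing anything whose content disagrees with its name. The Python below is an added illustration written for this article, not code from Beer's write-up or from Apple; the attachment bytes it checks are constructed samples, and `check_attachment`, `sniff_format` and the magic-byte tables are assumptions of the example rather than any real iMessage or PassKit API. It covers the two mismatches the write-up names (a PNG that is really WebP, a GIF that is really PDF) and generalises to any extension in its table.

```python
import os
from typing import Optional, Tuple

# Leading-byte signatures for the formats named in the write-up. These are the
# published file signatures for each container, not anything derived from the exploit.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
PDF_MAGIC = b"%PDF-"
RIFF_MAGIC = b"RIFF"
WEBP_TAG = b"WEBP"

# Which format each claimed extension is allowed to carry.
EXTENSION_TO_FORMAT = {".png": "png", ".gif": "gif", ".pdf": "pdf", ".webp": "webp"}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the real container format of `data` from its leading bytes, or None."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    # WebP is a RIFF container: 'RIFF', a 4-byte little-endian size, then 'WEBP'.
    if data.startswith(RIFF_MAGIC) and data[8:12] == WEBP_TAG:
        return "webp"
    return None


def check_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept an attachment only when its extension and its sniffed content agree.

    The decision is driven by the bytes, so renaming a file cannot steer it
    toward a parser that the extension alone would never have selected.
    """
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_TO_FORMAT.get(ext)
    actual = sniff_format(data)
    if claimed is None:
        return False, f"unsupported extension {ext!r}"
    if actual is None:
        return False, "unrecognised content"
    if claimed != actual:
        return False, f"extension says {claimed}, content is {actual}"
    return True, actual


# Constructed sample attachments (hypothetical bytes, not real exploit files).
SAMPLES = {
    # A WebP header carried under a .png name, the BLASTPASS shape.
    "photo.png": b"RIFF\x10\x00\x00\x00WEBPVP8 \x00\x00\x00\x00",
    # A PDF header carried under a .gif name, the FORCEDENTRY shape.
    "anim.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    # A genuine PNG signature under a .png name.
    "real.png": PNG_MAGIC + b"\x00\x00\x00\x0dIHDR",
    # Bytes that match no known signature.
    "blob.webp": b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b",
}


def audit_samples() -> dict:
    """Run every constructed sample through the check and return the verdicts."""
    return {name: check_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, detail) in audit_samples().items():
        print(f"{name:10s} {'ACCEPT' if ok else 'REJECT'}  ({detail})")
```

Only the bytes decide which parser, if any, should run; the extension is reduced to a claim that must be corroborated. A real attachment pipeline would extend the signature table and sniff deeper than the first twelve bytes, but the structure of the decision is the point.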
While the exploit discussed in this piece has since been patched by Apple, similar attacks may well keep appearing long into the future, as sandboxing is an imperfect science that can’t possibly defend against all attacks; rather, it just slows them down. Of course, that’s how all software security is today, as it’s an endless cat-and-mouse game between stalwart manufacturers and desperate hackers with opposing interests.
Do you think we’ll see another 0-click, 0-day attack like NSO’s BLASTPASS and FORCEDENTRY in the future? Discuss in the comments section down below.