Case Study 30.2: NSO Group's Pegasus — Zero-Click Mobile Exploitation

The Most Sophisticated Mobile Spyware Ever Discovered

Background

NSO Group Technologies, an Israeli cyber-intelligence company founded in 2010, developed Pegasus, a mobile surveillance platform that represents the most sophisticated commercial spyware ever publicly documented. Pegasus could silently compromise both iOS and Android devices; extract virtually all data from the device (messages, emails, photos, location history, call records, passwords, and even the contents of end-to-end encrypted messaging apps such as Signal and WhatsApp, read on the handset after decryption rather than by breaking the protocol); activate the microphone and camera; and transmit the data to the operator, all without the target's knowledge.

What made Pegasus uniquely dangerous was its use of "zero-click" exploits — attack chains that required no user interaction whatsoever. Unlike traditional mobile malware that requires the target to click a malicious link or install a compromised app, Pegasus could compromise a device simply by sending a specially crafted iMessage, WhatsApp call, or other data to the target's phone number. The target did not need to answer a call, click a link, or take any action. The mere receipt of the data was sufficient for compromise.

The Technical Evolution of Pegasus

Phase 1: One-Click Exploitation (2016). The first public exposure of Pegasus came in August 2016 when Ahmed Mansoor, a UAE human rights activist, received suspicious SMS messages containing links. Rather than clicking, Mansoor forwarded them to Citizen Lab at the University of Toronto. Citizen Lab's analysis, in collaboration with Lookout Security, revealed a chain of three iOS zero-day vulnerabilities:

  • CVE-2016-4655: A kernel information disclosure vulnerability allowing an attacker to determine the kernel's base address in memory (defeating KASLR).
  • CVE-2016-4656: A kernel memory corruption vulnerability enabling privilege escalation from the Safari sandbox to kernel-level code execution.
  • CVE-2016-4657: A WebKit memory corruption vulnerability enabling initial code execution in Safari when the target visits a malicious webpage.

Together, these three zero-days (dubbed "Trident") formed a complete exploit chain: gain code execution in Safari by visiting a link (CVE-2016-4657), leak the kernel base address to defeat KASLR (CVE-2016-4655), corrupt kernel memory to escape the sandbox and run code in the kernel (CVE-2016-4656), then jailbreak the device and install persistent spyware. Apple patched all three vulnerabilities in iOS 9.3.5, ten days after Citizen Lab's notification.

Phase 2: WhatsApp Zero-Click (2019). In May 2019, WhatsApp disclosed that Pegasus had been deployed through a vulnerability in its VoIP calling stack (CVE-2019-3568). The attack required only that the attacker place a WhatsApp call to the target; the target did not need to answer. The exploit was a buffer overflow triggered by a specially crafted series of SRTCP (Secure RTP Control Protocol) packets sent to the target's phone number, yielding code execution on the device.
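The details of CVE-2019-3568 were never published, so the following is an added, constructed C example of the bug class rather than WhatsApp's or NSO's code: an RTCP-style header carries a body length in 32-bit words, and a parser that trusts that field copies past its own buffer (or reads past the packet). The packet layout, the 64-byte buffer, the sample packets and the function names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed RTCP-style packet: a 4-byte header whose bytes 2..3 hold the
 * body length in 32-bit words (real RTCP uses this encoding), then the body.
 * The layout is illustrative; it is not WhatsApp's wire format or code. */
#define HDR_LEN  4
#define MAX_BODY 64                 /* fixed parser buffer, in bytes */

typedef struct {
    uint8_t body[MAX_BODY];
    size_t  body_len;
} rtcp_msg_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* VULNERABLE: trusts the length field. A packet that claims more than
 * MAX_BODY bytes makes memcpy write past msg->body (memory corruption),
 * and one that claims more than was received makes it read past the
 * packet. Shown for contrast only; never run this on untrusted input. */
int parse_rtcp_vulnerable(const uint8_t *pkt, size_t pkt_len, rtcp_msg_t *msg) {
    if (pkt_len < HDR_LEN) return -1;
    size_t body = (size_t)rd16(pkt + 2) * 4;
    memcpy(msg->body, pkt + HDR_LEN, body);      /* unbounded copy */
    msg->body_len = body;
    return 0;
}

/* HARDENED: validate the length against the destination buffer and the
 * bytes actually received before touching memory. Return codes:
 *   0 ok, -1 short header, -2 exceeds buffer, -3 exceeds packet. */
int parse_rtcp_hardened(const uint8_t *pkt, size_t pkt_len, rtcp_msg_t *msg) {
    if (pkt_len < HDR_LEN) return -1;
    size_t body = (size_t)rd16(pkt + 2) * 4;     /* at most 0xFFFF*4: no wrap */
    if (body > MAX_BODY) return -2;
    if (body > pkt_len - HDR_LEN) return -3;
    memcpy(msg->body, pkt + HDR_LEN, body);
    msg->body_len = body;
    return 0;
}

/* Constructed sample packets. */
static const uint8_t pkt_good[]  = { 0x80, 0xC8, 0x00, 0x02,            /* 2 words */
                                     'A','B','C','D','E','F','G','H' };
static const uint8_t pkt_huge[]  = { 0x80, 0xC8, 0xFF, 0xFF,            /* 65535 words */
                                     0x41, 0x41, 0x41, 0x41 };
static const uint8_t pkt_short[] = { 0x80, 0xC8, 0x00, 0x04,            /* 4 words claimed */
                                     'A','B' };                         /* 2 bytes present */

static rtcp_msg_t scratch;                         /* reused by main and tests */

int main(void) {
    printf("good:  %d\n", parse_rtcp_hardened(pkt_good,  sizeof pkt_good,  &scratch));
    printf("huge:  %d\n", parse_rtcp_hardened(pkt_huge,  sizeof pkt_huge,  &scratch));
    printf("short: %d\n", parse_rtcp_hardened(pkt_short, sizeof pkt_short, &scratch));
    return 0;
}
```

The hardened parser makes two separate checks because they defend against two different failures: the buffer bound stops the write overflow, and the packet bound stops an over-read that would leak adjacent heap memory. A fuzzer pointed at the vulnerable variant finds the first check missing within seconds; a code reviewer should ask where every length field in a codec is validated.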

WhatsApp and its parent company Facebook (now Meta) sued NSO Group in October 2019, alleging that the compromise of approximately 1,400 WhatsApp users' devices violated the Computer Fraud and Abuse Act (CFAA), California's Comprehensive Computer Data Access and Fraud Act, and WhatsApp's Terms of Service. In December 2024 a federal judge in the Northern District of California granted summary judgment holding NSO Group liable on those claims.

Phase 3: iMessage Zero-Click — FORCEDENTRY (2021). The most technically sophisticated Pegasus deployment used a zero-click exploit chain targeting Apple's iMessage, discovered by Citizen Lab and analyzed in detail by Google's Project Zero. Dubbed FORCEDENTRY, this exploit chain was remarkable for several reasons:

  1. PDF Rendering Exploit. The attack began with a specially crafted PDF file disguised as a GIF (a PDF payload carrying a .gif extension, which iOS's image-handling code nonetheless detected and handed to the PDF parser), sent via iMessage. iOS automatically rendered the file, triggering the exploit without user interaction.

  2. JBIG2 Decoder Vulnerability. The PDF exploited a vulnerability in Apple's CoreGraphics library, specifically in its JBIG2 (Joint Bi-level Image Experts Group) decoder. JBIG2 is a compression standard for bi-level (1-bit) images such as scanned documents; it stores a dictionary of glyph bitmaps plus instructions for placing them on the page. The bug itself was an integer overflow: the decoder summed the symbol counts of every referenced dictionary into a 32-bit value to size a table of bitmap pointers, so a crafted set of dictionaries produced an undersized table and a heap overflow. NSO's exploit used that memory corruption to turn the decoder's ordinary bitmap-compositing operations into a virtual computer, essentially building a tiny processor inside the JBIG2 decoder that could execute arbitrary computation.

  3. Turing-Complete Computation in JBIG2. Google Project Zero researchers Ian Beer and Samuel Groß described it as "one of the most technically sophisticated exploits we've ever seen." JBIG2 has no scripting capability, but every time a glyph is drawn onto the page its pixels are combined with the existing page pixels using one of four operators (AND, OR, XOR, XNOR). Once the overflow gave those operations reach into arbitrary memory, the exploit used them as logic gates, chaining over 70,000 segment commands to build registers, a 64-bit adder and comparator, and ultimately a small computer that could search memory, perform calculations, and construct the next stage of the exploit, all within the constraints of a JBIG2 decoder.

  4. Sandbox Escape and Privilege Escalation. Code execution inside the JBIG2 decoder landed in a sandboxed process, not in the kernel. A second stage, analyzed separately by Project Zero, escaped that sandbox and gained kernel privileges, enabling full spyware installation.
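To make steps 2 and 3 concrete, here is an added C example. It is not Apple's JBIG2 decoder and not NSO's exploit; every structure and name in it is constructed for illustration. Part 1 models the bug class: a 32-bit sum of symbol counts that wraps, beside a checked version. Part 2 models the computation trick: the only "instruction" is a one-bit composite offering the four JBIG2 combination operators, and from it a full adder, an 8-bit ripple-carry adder, subtraction via NOT (XNOR against a constant zero) and an equality comparator are built. It goes slightly beyond the text by showing subtraction as well as addition and comparison.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* ---- Part 1: the memory-safety bug class (constructed model) ----
 * A JBIG2 page may reference several symbol dictionaries; the decoder sums
 * their symbol counts to size one table of glyph-bitmap pointers. */
typedef struct { uint32_t num_syms; } dict_t;

/* VULNERABLE: a 32-bit running sum wraps, so counts that add to 2^32 + k
 * yield a k-entry table that the decoder later fills with far more
 * pointers (heap overflow). Unsigned wrap is defined in C, so this runs. */
uint32_t total_syms_vulnerable(const dict_t *d, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) total += d[i].num_syms;
    return total;
}

/* HARDENED: checked addition; any sum that would wrap is rejected. */
int total_syms_checked(const dict_t *d, size_t n, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (d[i].num_syms > UINT32_MAX - total) return -1;
        total += d[i].num_syms;
    }
    *out = total;
    return 0;
}

/* Constructed inputs: the first pair wraps to 16, the second is benign. */
static const dict_t wrapping_dicts[] = { { 0xFFFFFFF0u }, { 32u } };
static const dict_t benign_dicts[]   = { { 100u }, { 28u } };
static uint32_t scratch_total;

/* ---- Part 2: computation from compositing ----
 * The only operation JBIG2 offers is: combine a glyph pixel with the page
 * pixel under it using one of four operators. Each bitmap is one bit here. */
enum { OP_OR, OP_AND, OP_XOR, OP_XNOR };

static bool compose(bool page, bool glyph, int op) {
    switch (op) {
        case OP_OR:  return page || glyph;
        case OP_AND: return page && glyph;
        case OP_XOR: return page != glyph;
        default:     return page == glyph;            /* XNOR */
    }
}

/* NOT is XNOR against a constant-0 glyph, so the set is functionally complete. */
static bool not1(bool a) { return compose(a, false, OP_XNOR); }

/* One-bit full adder built only from compose() calls. */
typedef struct { bool sum, carry; } adder_out_t;

adder_out_t full_adder(bool a, bool b, bool cin) {
    bool axb = compose(a, b, OP_XOR);
    bool sum = compose(axb, cin, OP_XOR);
    bool c1  = compose(a, b, OP_AND);
    bool c2  = compose(axb, cin, OP_AND);
    adder_out_t r = { sum, compose(c1, c2, OP_OR) };
    return r;
}

/* 8-bit ripple-carry adder with carry-in: the decoder-as-CPU in miniature. */
uint8_t add8c(uint8_t x, uint8_t y, bool carry) {
    uint8_t out = 0;
    for (int i = 0; i < 8; i++) {
        adder_out_t r = full_adder((x >> i) & 1, (y >> i) & 1, carry);
        out |= (uint8_t)(r.sum << i);
        carry = r.carry;
    }
    return out;
}
uint8_t add8(uint8_t x, uint8_t y) { return add8c(x, y, false); }

/* Subtraction via two's complement: x - y = x + NOT(y) + 1. */
uint8_t sub8(uint8_t x, uint8_t y) {
    uint8_t ny = 0;
    for (int i = 0; i < 8; i++) ny |= (uint8_t)(not1((y >> i) & 1) << i);
    return add8c(x, ny, true);
}

/* Equality comparator: AND across per-bit XNOR. */
bool eq8(uint8_t x, uint8_t y) {
    bool acc = true;
    for (int i = 0; i < 8; i++)
        acc = compose(acc, compose((x >> i) & 1, (y >> i) & 1, OP_XNOR), OP_AND);
    return acc;
}

int main(void) {
    printf("wrapped sum: %u\n", (unsigned)total_syms_vulnerable(wrapping_dicts, 2));
    printf("checked:     %d\n", total_syms_checked(wrapping_dicts, 2, &scratch_total));
    printf("200+100=%d  10-3=%d  eq(42,42)=%d\n", add8(200, 100), sub8(10, 3), eq8(42, 42));
    return 0;
}
```

The point of Part 2 is that nothing in it requires a scripting engine: a decoder whose only job is to paint glyphs supplies a complete gate set, and the real exploit simply had far more "pixels" (memory) to paint once the overflow in Part 1 removed the bounds. The defensive lesson is the same one Part 1 shows: the logic gates are harmless until a single unchecked arithmetic step hands them the rest of the address space.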

Apple patched the vulnerability (CVE-2021-30860) in iOS 14.8 in September 2021. Notably, FORCEDENTRY worked despite BlastDoor, the tightly sandboxed service Apple had already added in iOS 14 to parse untrusted iMessage content: the malicious attachment reached the JBIG2 decoder through a rendering path that BlastDoor did not contain, hence the exploit's name. Apple later introduced Lockdown Mode (iOS 16, 2022), an opt-in protection that dramatically reduces the attack surface for high-risk individuals.

Targets and Deployment

Investigations by Citizen Lab, Amnesty International, Forbidden Stories, and a consortium of international journalists revealed that Pegasus was used to target:

  • Journalists. Including reporters at the New York Times, Wall Street Journal, Financial Times, Al Jazeera, and Le Monde. Jamal Khashoggi's associates were reportedly targeted both before and after his murder in the Saudi consulate in Istanbul.

  • Human Rights Activists. Including Ahmed Mansoor (UAE), members of the Bahrain Center for Human Rights, and activists in Mexico, India, and across the Middle East.

  • Political Figures. Including French President Emmanuel Macron (whose number appeared on a leaked list), opposition politicians in various countries, and government officials.

  • Lawyers and Academics. Including individuals involved in cases against authoritarian governments.

NSO Group maintained that Pegasus was sold only to vetted government agencies for legitimate law enforcement and counter-terrorism purposes. However, investigations revealed its use against civil society targets in multiple countries, contradicting these claims.

Technical Implications for Mobile Security

Zero-Click Exploits Redefine Mobile Threat Models. Traditional mobile security advice ("don't click suspicious links," "don't install apps from unknown sources," "verify app permissions") offers no protection against zero-click exploits. The target's only "action" is having a phone number or iMessage account. This fundamentally changes how we model mobile threats.

Messaging App Attack Surface. iMessage, WhatsApp, and other messaging platforms automatically process incoming data (images, videos, audio, PDFs) to generate previews and notifications. This automatic processing creates an attack surface that the user cannot control. Every file format parser, codec, and renderer in the messaging pipeline is a potential entry point.

Exploit Cost and Rarity. Zero-click iOS exploit chains are extremely valuable, reportedly priced in the millions of dollars on the exploit market. This means they are primarily used by nation-state actors or well-funded organizations, not by common cybercriminals. However, once a zero-click technique is burned (discovered and patched), the attacker must develop or acquire new exploits, creating an ongoing arms race.

Forensic Detection Challenges. Pegasus was designed to be forensically stealthy. It operated primarily in memory, minimized disk writes, and could self-destruct if it detected forensic analysis. Amnesty International's Mobile Verification Toolkit (MVT) was developed to detect indicators of Pegasus compromise, but detection is difficult and retroactive — the spyware may have already exfiltrated data before detection.

Defensive Measures and Their Limitations

Apple Lockdown Mode. Introduced in iOS 16, Lockdown Mode significantly reduces the attack surface by:

  • Blocking most message attachment types (other than a few image, video and audio formats)
  • Disabling link previews
  • Blocking incoming FaceTime calls from numbers the user has not previously called
  • Disabling Just-in-Time (JIT) JavaScript compilation in Safari
  • Removing shared albums from Photos
  • Blocking installation of configuration profiles and MDM enrollment
  • Blocking wired connections to computers and accessories while the device is locked

While Lockdown Mode is highly effective, it significantly impacts usability, making it suitable only for high-risk individuals.

Network-Level Detection. Organizations can monitor network traffic for connections to known Pegasus infrastructure. However, NSO Group frequently rotated infrastructure, used multiple layers of proxy servers, and mimicked legitimate traffic patterns.

Mobile Verification Toolkit (MVT). Amnesty International's MVT can analyze iOS backups and filesystem dumps, and Android device data, for known Pegasus indicators of compromise, comparing artifacts such as process names, visited domains and file paths against published STIX2 indicator files. However, MVT works after the fact and may not detect newer variants whose indicators have not yet been published.

Regular Updates. Keeping devices updated is the single most effective defense. Each Pegasus exploit chain targeted specific vulnerabilities that were eventually patched. However, there is always a window between exploit development and patch deployment during which targets are vulnerable.

Relevance to MedSecure's Mobile App

MedSecure's mobile app handles PHI (Protected Health Information) and communicates with IoT medical devices. While MedSecure is unlikely to be targeted by nation-state zero-click exploits, the Pegasus case has several relevant implications:

  1. Attack surface awareness. MedSecure's app should minimize automatic processing of incoming data. Push notifications, in-app messaging, and file sharing features should be reviewed for parsing vulnerabilities.

  2. Defense in depth. Client-side security controls (certificate pinning, root detection, encryption) can be bypassed by a sufficiently sophisticated attacker. Server-side controls, anomaly detection, and data minimization remain essential.

  3. Forensic readiness. MedSecure should have procedures for investigating potential mobile device compromise, including integration with MDM solutions that can detect jailbreaking or anomalous behavior.

  4. Data minimization. The app should store the minimum amount of PHI on the device. Even with encryption, a device-level compromise (as Pegasus demonstrates) can access decrypted data in memory.

Discussion Questions

  1. NSO Group argued that Pegasus was a legitimate law enforcement tool comparable to wiretapping technology. How should the international community regulate commercial spyware? What controls, if any, would prevent misuse while preserving legitimate law enforcement capabilities?

  2. The FORCEDENTRY exploit used JBIG2 arithmetic coding to build a virtual computer inside an image decoder. What does this tell us about the difficulty of securing complex file format parsers? How should mobile platform vendors approach the security of automatic content rendering?

  3. Apple's Lockdown Mode significantly reduces functionality to increase security. Is this trade-off appropriate for a general consumer feature? How should mobile platforms balance security and usability?

  4. If you discovered evidence of Pegasus on a device during a routine mobile security assessment for a healthcare organization, what would your legal and ethical obligations be? How would HIPAA's breach notification requirements apply?

  5. Zero-click exploits fundamentally undermine the user's ability to protect themselves through behavior. How does this affect the ethical framework for holding individuals responsible for device security in a corporate context?

Timeline

Date Event
2010 NSO Group founded in Israel
August 2016 First public discovery of Pegasus via Ahmed Mansoor's device
August 2016 Apple patches three iOS zero-days (Trident exploit chain)
May 2019 WhatsApp zero-click exploit disclosed (CVE-2019-3568)
October 2019 WhatsApp and Facebook (now Meta) file lawsuit against NSO Group
July 2021 Pegasus Project investigation published by media consortium
September 2021 Apple patches FORCEDENTRY (CVE-2021-30860)
November 2021 U.S. Commerce Department places NSO Group on Entity List
September 2022 Lockdown Mode ships in iOS 16 (announced July 2022)
December 2024 Federal court rules NSO Group liable in WhatsApp lawsuit

References

  • Citizen Lab. "The Million Dollar Dissident: NSO Group's iPhone Zero-Days Used Against a UAE Human Rights Defender." August 2016.
  • Beer, Ian, and Samuel Groß. "A Deep Dive Into an NSO Zero-Click iMessage Exploit: Remote Code Execution." Google Project Zero, December 2021.
  • Amnesty International. "Forensic Methodology Report: How to Catch NSO Group's Pegasus." July 2021.
  • Forbidden Stories and Amnesty International. "The Pegasus Project." July 2021.
  • Marczak, Bill, et al. "FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild." Citizen Lab, September 2021.
  • Apple Security. "About the Security Content of iOS 14.8." September 2021.
  • WhatsApp Inc. v. NSO Group Technologies Ltd. Northern District of California, Case No. 19-cv-07123.