Recon 2025

Bill Marczak

Bill Marczak is a Senior Researcher at the University of Toronto's Citizen Lab where he investigates novel surveillance and censorship tools that threaten Internet freedom. Bill received his PhD in Computer Science from UC Berkeley. Some of Bill’s greatest hits include leading the first public report about NSO Group’s Pegasus spyware, and the capture of the ForcedEntry and BlastPass iOS zero-click exploits. Coverage of Bill's work has been featured in Vanity Fair, the New York Times, and on CNN and 60 Minutes.


Session

06-29
10:00
30min
A Trip to Ancient BABYLON: Unearthing a 2017 Pegasus Persistence Exploit
Daniel Roethlisberger, Bill Marczak

In mid-2024, we noticed an interesting upload to VirusTotal: an old sample of NSO Group’s Pegasus spyware designed for iOS 10. We quickly realized that the sample was calibrated to a specific victim device, and might contain an exploit. Through static analysis, we identified three ROP/JOP chains, and sketched a rough idea of the vulnerability. But without a match for the specific device, we had to dig deeper to unlock all of the exploit’s secrets.

This talk will describe how we emulated enough of iOS 10 to load the vulnerable executables and their address spaces in a historically accurate manner, matching the victim’s hardware. We will describe our investigation, which revealed a heretofore unpublished novel Pegasus persistence exploit from 2017. We will analyze the root cause of the vulnerability, detail how the exploit leveraged it to gain code execution after boot, and explain how the vulnerability was (silently) mitigated.

We will also describe a curious case of code reuse we identified that raises interesting questions about exploit supply chains: we were able to establish that a second threat actor likely used the same persistence exploit in 2017. Furthermore, we identified a third threat actor that shared the same post-exploit code as the first two.

Grand Salon