NEWS Picture on the Ticket – A New Tool for Spying on Apple Users

ExcalibuR


How to Hack an iPhone via PNG

In September 2023, Apple released an emergency security update for iPhone and iPad that patched two vulnerabilities exploited in real-world attacks. At that time, Citizen Lab specialists discovered that the flaws were part of a new attack by NSO Group.


The hack occurred without any user involvement—the infected message simply arrived in iMessage, and the device came under control. The target was an employee of a U.S. human rights organization. The attack worked even on the then-latest version of iOS—16.6.


The key element of the attack was a PKPass file, typically used for tickets and passes. Inside it was an image disguised as an ordinary .png, but in reality, it was in WebP format. This substitution allowed the system’s security to be bypassed. A similar tactic had been used before—in 2021, another NSO exploit also disguised a file with dangerous content as a harmless image.


The vulnerability in WebP allowed data to be written beyond the allocated memory during image unpacking. The error occurred due to improper handling of Huffman tables—special structures used for compression. However, the error did not grant complete freedom: the writing took place in a strictly defined location and with limited values. As a result, hackers found a way to prepare the device’s memory in a specific manner to gain control over the system.


For this purpose, a second file inside the PKPass was used—an image named background.png, which was actually in TIFF format. It contained a small but crucial forgery—an object of type CFArray, crafted to overlap the necessary section of memory. Then, a massive 1-megabyte block of data in bplist format was employed to prepare the memory for the hack.


Within this block was a fake CFReadStream object. When the system removed the object from memory, it triggered a specific function—at that moment, the malicious code began to execute. Interestingly, bypassing Pointer Authentication (PAC) protection, which should have thwarted such actions, was unnecessary. Instead, the attackers exploited the fact that the pointer to the function’s structure was unprotected—they simply replaced it with an already existing pointer.


To circumvent ASLR, which hides real memory addresses, the attackers already knew the necessary values in advance. This was likely achieved through a separate vulnerability in the HomeKit system, which was exploited prior to the main hack.


The final stage involved launching NSExpression, a special code format in Apple’s system. The code was encrypted, and to decrypt it, the exploit waited for another message from the attacker containing the required key. Only then did the main malicious code execute—most likely to break out of the BlastDoor sandbox and gain full access.


This approach proved to be extremely complex and multi-staged. Nevertheless, it employed well-known techniques: file masquerading, precise memory preparation, and function replacement. Experts believe that Apple should tighten the requirements for bplist structures and disallow duplicate keys or overly large objects. It is also crucial to abandon trust in file extensions—this is the second time a hack has occurred precisely because of them.
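As an added defensive example (not code from the article, Apple or Citizen Lab), here is the kind of check the last paragraph asks for: a PKPass is a ZIP archive, so a scanner can identify each member by its leading bytes instead of its extension and flag a ".png" that is really WebP or TIFF, plus any oversized binary plist. It uses only the Python standard library; the archive it scans is constructed inline and contains no real image data.

```python
import io
import zipfile

# Identify the real container format from leading bytes. WebP is a RIFF file
# whose form type at offset 8 is "WEBP"; TIFF starts with a byte-order mark
# ("II" or "MM") followed by the 16-bit magic number 42.
def sniff_image_format(data: bytes) -> str:
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    if data[:4] in (b"II*\x00", b"MM\x00*"):
        return "tiff"
    return "unknown"

def audit_pkpass(pkpass_bytes: bytes, max_bplist_bytes: int = 64 * 1024) -> list:
    """Return (member_name, reason) pairs for members whose content does not
    match what the name promises. Wallet pass images are PNG files, so any
    *.png member that sniffs as something else is reported, as is any
    binary plist ('bplist00' magic) larger than max_bplist_bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pkpass_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if info.filename.lower().endswith(".png"):
                actual = sniff_image_format(data)
                if actual != "png":
                    findings.append((info.filename, f"named .png but content is {actual}"))
            if data.startswith(b"bplist00") and len(data) > max_bplist_bytes:
                findings.append((info.filename, f"binary plist of {len(data)} bytes exceeds {max_bplist_bytes}"))
    return findings

def build_sample_pkpass() -> bytes:
    """Constructed sample archive (not a real pass; headers only, no image data):
    one genuine PNG header, one WebP disguised as PNG, one TIFF disguised as
    PNG, and an oversized binary plist under a hypothetical member name."""
    members = {
        "pass.json": b'{"formatVersion": 1}',
        "icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "thumbnail.png": b"RIFF" + b"\x00\x00\x00\x00" + b"WEBPVP8L" + b"\x00" * 8,
        "background.png": b"II*\x00" + b"\x08\x00\x00\x00",
        "payload.bin": b"bplist00" + b"\x00" * (128 * 1024),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in audit_pkpass(build_sample_pkpass()):
        print(f"{name}: {reason}")
```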