Digital threat researchers at Citizen Lab have uncovered a new zero-click iMessage exploit used to deploy NSO Group’s Pegasus spyware on devices belonging to Bahraini activists.
In total, nine Bahraini activists (including members of the Bahrain Center for Human Rights, Waad, Al Wefaq) had their iPhones hacked in a campaign partially orchestrated by a Pegasus operator linked with high confidence to the government of Bahrain by Citizen Lab.
The spyware was deployed on their devices after being compromised using two zero-click iMessage exploits (that do not require user interaction): the 2020 KISMET exploit and a new never-before-seen exploit dubbed FORCEDENTRY (previously tracked by Amnesty Tech as Megalodon).
New iPhone zero-click exploit in use since February 2021
NSO Group attacks using the new iMessage zero-click (which circumvents the iOS BlastDoor feature designed to block such exploits) were first spotted in February 2021.
“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said.
“With the consent of targets, we shared these crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.”
While protecting against the iMessage exploits would only require disabling iMessage and FaceTime, NSO Group has also used exploits targeting other messaging apps, including WhatsApp.
Furthermore, disabling iMessage will lead to other issues, including sending unencrypted messages that a resourceful threat actor could easily intercept.
Unfortunately, until Apple issues security updates to address the flaws targeted by NSO Group’s FORCEDENTRY exploit, the only thing potential targets could do to protect themselves is to disable all apps the Israeli surveillance firm could potentially target.
NSO Group’s Pegasus used in high-profile attacks
The attacks revealed by Citizen Lab in today’s report are part of just one of a long string of reports and papers documenting NSO Group’s Pegasus spyware used to spy on journalists and human rights defenders (HRDs) worldwide.
Pegasus, a spyware tool developed by Israeli surveillance firm NSO Group, is marketed as surveillance software “licensed to legitimate government agencies for the sole purpose of investigating crime and terror.”
Two years ago, Facebook sued Israeli cyber-surveillance firm NSO Group for creating and selling a WhatsApp zero-day exploit used to infect the devices of high-profile targets such as government officials, diplomats, and journalists with spyware.
Citizen Lab revealed in 2018 that they discovered some Pegasus licensees using it for cross-border surveillance in countries with state security services that had a history of abusive behavior.
Last but not least, Human rights non-governmental organization Amnesty International and non-profit project Forbidden Stories revealed in a separate July report that NSO Group-made spyware was deployed on iPhones running Apple’s latest iOS release using zero-click iMessage exploits targeting multiple iOS zero-days.
It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain’t solving.
— Bill Marczak (@billmarczak) July 18, 2021
Citizen Lab independently observed Pegasus deployed on an iPhone 12 Pro Max running iOS 14.6 (the OS’s latest release), hacked using a zero-day zero-click iMessage exploit, which did not require interaction from the targets.
“The mechanics of the zero-click exploit for iOS 14.x appear to be substantially different than the KISMET exploit for iOS 13.5.1 and iOS 13.7, suggesting that it is in fact a different zero-click iMessage exploit,” Citizen Lab said at the time.
“These most recent discoveries indicate NSO Group’s customers are currently able to remotely compromise all recent iPhone models and versions of iOS,” Amnesty International and Forbidden Stories added.
An Apple spokesperson was not available for comment when contacted by BleepingComputer earlier today.