A new NSO zero-click attack evades Apple’s iPhone security protections, says Citizen Lab

Bahraini human rights activists were hacked with NSO's Pegasus spyware

A Bahraini human rights activist’s iPhone was silently hacked earlier this year by a powerful spyware sold to nation-states, defeating new security protections that Apple designed to withstand covert compromises, say researchers at Citizen Lab.

The activist, who remains in Bahrain and asked not to be named, is a member of the Bahrain Center for Human Rights, an award-winning nonprofit organization that promotes human rights in the Gulf state. The group continues to operate despite a ban imposed by the kingdom in 2004 following the arrest of its director for criticizing the country’s then-prime minister.

Citizen Lab, the internet watchdog based at the University of Toronto, analyzed the activist’s iPhone 12 Pro and found evidence that it was hacked starting in February using a so-called “zero-click” attack, since it does not require any user interaction to infect a victim’s device. The zero-click attack took advantage of a previously unknown security vulnerability in Apple’s iMessage, which was exploited to push the Pegasus spyware, developed by Israeli firm NSO Group, to the activist’s phone.

The hack is significant, not least because Citizen Lab researchers said it found evidence that the zero-click attack successfully exploited the latest iPhone software at the time, both iOS 14.4 and later iOS 14.6, which Apple released in May. But the hacks also circumvent a new software security feature built into all versions of iOS 14, dubbed BlastDoor, which is supposed to prevent these kinds of device hacks by filtering malicious data sent over iMessage.

Because of its ability to circumvent BlastDoor, the researchers called this latest exploit ForcedEntry.

Citizen Lab’s Bill Marczak told TechCrunch that the researchers made Apple aware of the efforts to target and exploit up-to-date iPhones. When reached by TechCrunch, Apple would not explicitly say if it had found and fixed the vulnerability that NSO is exploiting.

In a boilerplate statement re-released Tuesday, Apple’s head of security engineering and architecture Ivan Krstic said: “Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place … Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Read more on TechCrunch

A spokesperson for Apple said BlastDoor was not the end of its efforts to secure iMessage and that it has strengthened its defenses in iOS 15, which is slated for release in the next month or so.

Citizen Lab said the Bahraini government was likely behind the targeting of the Bahraini human rights activist, as well as eight other Bahraini activists between June 2020 and February 2021.

Bahrain is one of several authoritarian states known to be government customers of Pegasus, including Saudi Arabia, Rwanda, the United Arab Emirates and Mexico; though, NSO has repeatedly declined to name or confirm its dozens of customers, citing nondisclosure agreements.

Five of the targeted Bahrainis’ phone numbers were found on the Pegasus Project list of 50,000 phone numbers of potential surveillance targets of the Pegasus spyware, which gives its government customers near-complete access to a target’s device, including their personal data, photos, messages and location.

One of those listed phone numbers belongs to another member of the Bahrain Center for Human Rights, which Citizen Lab said was targeted months earlier and with a different zero-click exploit, called Kismet, which predates ForcedEntry. Citizen Lab says Kismet no longer works on iOS 14 and later since BlastDoor was introduced, but still poses a risk to devices running older iPhone versions.

Two other Bahrainis, who now live in exile in London and consented to be named, also had their iPhones hacked.

Moosa Abd-Ali, a photojournalist who was previously targeted by FinFisher spyware sold to the Bahraini government, had his iPhone hacked while living in London. Citizen Lab said it has only seen the Bahraini government spy in Bahrain and in neighboring Qatar, and said it suspects that another foreign government with access to Pegasus may have been responsible for the hack. Recent reporting found the United Arab Emirates, a close ally of Bahrain, is the “principal government” for selecting phone numbers in the U.K. Abd-Ali’s phone number was also on the list of 50,000 phone numbers.

Bahraini activist Yusuf Al-Jamri also had his iPhone hacked, believed by the Bahraini government, some time before September 2019, though it is not known if Al-Jamri’s iPhone was hacked while in Bahrain or in London. Al-Jamri was granted asylum in the U.K. in 2017.

The seven unnamed Bahrainis continue to work in the kingdom despite a long history of human rights violations, internet censorship and widespread oppression. Reporters Without Borders ranks Bahrain’s human rights record as one of the most restrictive in the world, ranked only behind Iran, China and North Korea. A 2020 report by the U.S. State Department on Bahrain’s human rights said the country cited considerable violations and abuses, and noted that the government “used computer programs to surveil political activists and members of the opposition inside and outside the country.”

When reached, NSO Group did not answer specific questions nor would it say if the Bahraini government was a customer. In a statement attributed only as an NSO spokesperson sent via its external public relations firm Mercury, NSO said that it had not seen Citizen Lab’s findings and that it would investigate if it receives “reliable information related to misuse of the system.”

NSO recently claimed it cut off five government customers’ access to Pegasus for human rights abuses.

Zainab Al-Nasheet, a spokesperson for the Bahraini government, told TechCrunch in a statement: “These claims are based on unfounded allegations and misguided conclusions. The government of Bahrain is committed to safeguarding the individuals’ rights and freedoms.”

Abd-Ali, who said he was arrested and tortured in Bahrain, said that he thought he would find safety in the U.K. but that he still encounters digital surveillance but also physical attacks, as many victims of spyware experience.

“Instead of protecting me, the U.K. government has stayed silent while three of their close allies — Israel, Bahrain and the UAE — conspired to invade the privacy of myself and dozens of other activists,” he said.


You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop.