NSO Zero-Click Attack Bypasses iPhone Security - Citizen Lab Report

iPhone Hack Targets Bahraini Activist
A human rights advocate from Bahrain experienced a silent hack of their iPhone earlier this year. This breach utilized sophisticated spyware, sold to various nation-states, and bypassed newly implemented security measures created by Apple to prevent such covert intrusions, according to research conducted by Citizen Lab.
Activist Profile and Organizational Context
The activist, whose identity is being withheld for safety reasons, is affiliated with the Bahrain Center for Human Rights. This award-winning nonprofit organization champions human rights within the Gulf state. Despite facing a ban imposed by the kingdom in 2004—following the arrest of its director for criticizing the then-prime minister—the group continues its operations.
Details of the Zero-Click Attack
Citizen Lab, an internet watchdog organization based at the University of Toronto, analyzed the activist’s iPhone 12 Pro. Their investigation revealed evidence of a hack initiated in February. This attack employed a “zero-click” method, meaning no user interaction was required to compromise the device.
The exploit leveraged a previously unknown security flaw within Apple’s iMessage system. This vulnerability was used to deliver Pegasus spyware, developed by the Israeli firm NSO Group, directly to the activist’s phone.
Significance of Circumventing iOS Security
This hack is particularly noteworthy because Citizen Lab’s findings indicate the zero-click attack successfully targeted the latest iPhone software available at the time. Specifically, both iOS 14.4 and the subsequent iOS 14.6 release, which Apple launched in May, were vulnerable.
Furthermore, the attack circumvented BlastDoor, a new security feature integrated into all versions of iOS 14. This feature was designed to filter malicious data transmitted via iMessage and prevent such device compromises.
ForcedEntry Exploit
Due to its ability to bypass BlastDoor, the researchers have designated this latest exploit as ForcedEntry.
Apple’s Response
Bill Marczak of Citizen Lab confirmed that Apple was informed about the attempts to exploit up-to-date iPhones. However, when contacted by TechCrunch, Apple refrained from explicitly confirming whether the vulnerability exploited by NSO Group had been identified and addressed.
Ivan Krstic, Apple’s head of security engineering and architecture, issued a standard statement reiterating the company’s condemnation of cyberattacks targeting journalists, activists, and those working for positive change. He acknowledged the sophistication and targeted nature of these attacks.
Future Security Enhancements
An Apple spokesperson indicated that BlastDoor was not the culmination of their security efforts for iMessage. They also stated that defenses have been further strengthened in iOS 15, which is expected to be released soon.
Alleged Government Involvement
Citizen Lab suggests the Bahraini government was likely responsible for targeting the Bahraini human rights activist. They also identified similar targeting of eight other Bahraini activists between June 2020 and February 2021.
Pegasus Customers and Surveillance
Bahrain is among several authoritarian governments known to be customers of Pegasus, including Saudi Arabia, Rwanda, the United Arab Emirates, and Mexico. NSO Group consistently declines to disclose its customer list, citing nondisclosure agreements.
Phone numbers associated with five of the targeted Bahrainis were found on a list of 50,000 potential surveillance targets linked to the Pegasus spyware. This spyware grants its users near-complete access to a target’s device, including personal data, photos, messages, and location.
Previous Exploits and Exile
Another member of the Bahrain Center for Human Rights was targeted months prior, using a different zero-click exploit called Kismet. Citizen Lab notes that Kismet is no longer effective on iOS 14 and later due to BlastDoor, but remains a threat to older iPhone versions.
Two other Bahrainis, currently residing in exile in London, also experienced hacks on their iPhones.
Targeting in London
Moosa Abd-Ali, a photojournalist previously targeted by FinFisher spyware sold to the Bahraini government, had his iPhone compromised while living in London. Citizen Lab believes the Bahraini government’s spying activities are limited to Bahrain and neighboring Qatar, suggesting another government with access to Pegasus may be responsible for this particular hack.
The United Arab Emirates, a close ally of Bahrain, has been identified as the “principal government” selecting phone numbers in the U.K., and Abd-Ali’s number was also on the list of 50,000.
Additional Activist Targeted
Yusuf Al-Jamri, a Bahraini activist, also had his iPhone hacked prior to September 2019, in an attack believed to be the work of the Bahraini government. It remains unclear whether the hack occurred while Al-Jamri was in Bahrain or London. He was granted asylum in the U.K. in 2017.
Human Rights Concerns
The seven unnamed Bahrainis continue their work within the kingdom, despite a history of human rights violations, internet censorship, and widespread oppression. Reporters Without Borders ranks Bahrain’s human rights record among the most restrictive globally, behind only Iran, China, and North Korea.
A 2020 U.S. State Department report on Bahrain’s human rights cited considerable violations and abuses, noting the government’s use of surveillance programs to monitor political activists and opposition members both domestically and abroad.
NSO Group’s Response
NSO Group declined to answer specific questions or confirm whether the Bahraini government is a customer. In a statement released through its public relations firm, Mercury, NSO Group stated it had not reviewed Citizen Lab’s findings but would investigate any credible reports of system misuse.
NSO Group recently claimed to have terminated access to Pegasus for five government customers due to human rights concerns.
Bahraini Government’s Denial
Zainab Al-Nasheet, a spokesperson for the Bahraini government, dismissed the claims as based on unfounded allegations and misguided conclusions. She affirmed the government’s commitment to safeguarding individual rights and freedoms.
Activist’s Concerns
Abd-Ali, who experienced arrest and torture in Bahrain, expressed his disappointment at not finding safety in the U.K. He reported ongoing digital surveillance and even physical attacks, experiences common among spyware victims.
“Instead of protecting me, the U.K. government has stayed silent while three of their close allies — Israel, Bahrain and the UAE — conspired to invade the privacy of myself and dozens of other activists,” he stated.
