What you need to know
- 9 Bahraini activists were reportedly targeted by their government using Pegasus spyware.
- A zero-click iPhone exploit was used to target the group between June 2020 and February 2021.
- At least one activist was in London when they were targeted, but a different government might have been behind this.
A new Citizen Lab report says that nine Bahraini activists had their iPhones successfully hacked by their own government using NSO's Pegasus spyware using a zero-click exploit.
Research released today states:
We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group's Pegasus spyware between June 2020 and February 2021. Some of the activists were hacked using two zero-click iMessage exploits: the 2020 KISMET exploit and a 2021 exploit that we call FORCEDENTRY.
Worryingly, this exploit appears to be effective against both iOS 14.4 and iOS 14.6 as zero-day exploits, the also seem to bypass a recently-added iOS security feature:
NSO Group may have temporarily switched back to one-click iOS exploits due to the new BlastDoor security feature implemented by Apple. The BlastDoor feature was designed to make zero-click exploitation via iMessage harder.
CL says FORCEDENTRY can circumvent BlastDoor. The company confirmed to the group that it was investigating the use of FORCEDENTRY on iOS 14.4 and iOS 14.6 using the crash and phone logs of some of the targets.
CL says activists "included three members of Waad (a secular Bahraini political society), three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society)." According to the report two of the hacked activists now live in London, and one was in London at the time their iPhone was breached, however, this may indicate a different government was behind the hit:
In our research, we have only ever seen the Bahrain government spying in Bahrain and Qatar; never in Europe. Thus, the Bahraini activist in London may have been hacked by a Pegasus operator associated with a different government.
Citizen Lab says that five of the hacked devices matched the numbers on a list of potential targets of NSO's Pegasus Spyware customers that came to light earlier this year. From that report:
According to a report by multiple news outlets as well as Amnesty International's Security Lab, commercial hacking spyware Pegasus has been found to infect thousands of devices. The report is based on a list of 50,000 phone numbers that were thought to be of interest to clients of NSO. When security experts inspected some of the devices attached to those numbers, they found infections galore.
Citizen Lab says that the government of Bahrain "appears to have purchased NSO Group's Pegasus spyware in 2017." The extensive report details Bahrain's history of state surveillance and censorship, concluding:
While NSO Group regularly attempts to discredit reports of abuse, their customer list includes many notorious misusers of surveillance technology. The sale of Pegasus to Bahrain is particularly egregious, considering that there is significant, longstanding, and documented evidence of Bahrain's serial misuse of surveillance products including Trovicor, FinFisher, Cellebrite, and, now, NSO Group.
NSO Group has previously stated it is not responsible for the actions of its customers, and that it can and will withdraw access to its products if it finds the technology is being misused. Unconfirmed speculation indicates Apple may have patched the exploit used by Pegasus in a recent version of iOS 14.
