A new NSO zero-click attack evades Apple’s iPhone security protections, says Citizen Lab – TechCrunch

Citizen Lab researchers say that powerful spyware sold to nations was used to hack the iPhone of a Bahraini human rights activist, defeating new security protections that Apple designed to resist covert compromises.
The Bahrain Center for Human Rights is an award-winning non-profit organization that promotes human rights in the Gulf. The activist remains in Bahrain, but he did not want to be identified. Despite a ban by the kingdom in 2004, following the arrest of its director for criticizing the country's former prime minister, the group continues to operate.

Citizen Lab, an internet watchdog based in Toronto, examined the activist's iPhone 12 Pro and found evidence of a hacking attempt. The attack is zero-click: it requires no user interaction to infect a victim's device. The zero-click attack exploited a previously unknown security flaw in Apple's iMessage, which was used to push the Pegasus spyware, made by Israeli company NSO Group, to the activist's phone.

This hack is significant because Citizen Lab researchers found evidence that the zero-click attack was successful on the most recent iPhone software, iOS 14.4, and later iOS 14.6, which Apple released back in May. The hacks also bypass a new security feature in iOS 14 called BlastDoor, which is supposed to protect against these types of hacks by filtering out malicious data sent over iMessage.

The researchers named this latest exploit ForcedEntry because it can bypass BlastDoor.

Bill Marczak of Citizen Lab told TechCrunch that the researchers had made Apple aware of the efforts to exploit the latest iPhones. When reached by TechCrunch, Apple refused to say whether the vulnerability was fixed.

Apple's head of security engineering and architecture, Ivan Krstic, stated Tuesday that he strongly condemned cyberattacks against journalists and human rights activists. Attacks such as the one described cost millions to create, have a short shelf life, and can be used to target individuals. They are not considered a threat by the vast majority of our users. However, we continue to fight for all our customers and are constantly improving our protections for their data and devices.

An Apple spokesperson said that BlastDoor was not Apple's final attempt to secure iMessage. Instead, it has strengthened its defenses with iOS 15, which is due for release in the coming month.

Citizen Lab stated that the Bahraini government was responsible for the targeting of the Bahraini human rights activist, as well as eight other Bahraini activists, between June 2020 and February 2021.

Bahrain is among several authoritarian countries known to be customers of Pegasus.

Five of the targeted Bahrainis' phone numbers were discovered on the Pegasus Project list of 50,000 potential surveillance targets of Pegasus spyware. The spyware gives government customers almost complete access to a target's device, including personal data and messages.

Citizen Lab claims that one of those phone numbers belonged to another member of the Bahrain Center for Human Rights. Citizen Lab claimed that an exploit called Kismet was used in a zero-click attack against that member months before ForcedEntry. Citizen Lab claims Kismet no longer works on iOS 14 or later, but it still poses a threat to older iPhone models.

Two other Bahrainis now living in exile in London, who consented to be named, also had their iPhones hacked.

Moosa Abd-Ali, a photojournalist, was previously targeted by FinFisher spyware that was sold to the Bahraini government. His iPhone was hacked while he was living in London. Citizen Lab said it had only seen the Bahraini government spy in Bahrain and in Qatar, and that it believes another foreign government may have been behind the hack. Recent reports have revealed that the United Arab Emirates, a close ally of Bahrain, is the main government responsible for choosing phone numbers in the U.K. Abd-Ali's phone number was also included on the list of 50,000 numbers.

Yusuf Al-Jamri, a Bahraini activist, also had his iPhone hacked. This is believed to have happened before September 2019. However, it is not known whether Al-Jamri's iPhone was hacked while he was in Bahrain, the UAE or before he was granted asylum in Britain in 2017.

Despite a long history filled with human rights violations, internet censorship and oppression, the seven unnamed Bahrainis are still working in the country. Reporters Without Borders ranks Bahrain's human rights record third in the world behind China, North Korea, and Iran. The 2020 U.S. State Department report on Bahrain's human rights stated that there were many violations and abuses and that computer programs were used by the government to monitor political activists and those outside the country.

When reached, NSO Group refused to answer any questions or say whether the Bahraini government was a client. NSO Group sent a statement through Mercury, its external PR firm, claiming that it had not received Citizen Lab's findings. NSO also stated that it would investigate the claims thoroughly and take appropriate action based on the findings.

NSO claimed recently that it had blocked access to Pegasus by five government customers because of human rights violations.

Zainab al-Nasheet, a spokesperson for the Bahraini government, told TechCrunch that these claims were based on unfounded accusations and misguided conclusions. The government of Bahrain is committed to protecting the rights and freedoms of individuals.

Abd-Ali claimed that he was tortured and arrested in Bahrain. However, he said that he believed he would find safety in Britain. He also said that he still faces digital surveillance as well as physical attacks, just like many other victims of spyware.

The U.K. government failed to protect me while close allies Israel and Bahrain conspired against me and dozens of other activists.
