Nine Bahraini activists were targeted using Pegasus spyware that exploited an undisclosed “zero-click” vulnerability in Apple’s iMessage app.
Researchers from the University of Toronto’s Citizen Lab said that the hacked activists included three members of Waad, a secular Bahraini political society. Three members of the Bahrain Center of Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society) were also targeted.
Citizen Lab calls the new exploit chain “FORCEDENTRY.” It’s a zero-click exploit- meaning it can be used to trigger an infection simply by sending a malicious message to the target. It doesn’t require clicking a link or view the message in question, like in usual phishing campaigns.
NSO responded to the allegations that if they receive reliable information, they will investigate the claim and act accordingly, The Guardian reported. Recently, A consortium of 17 international journalistic organizations published an investigative report about the attempted and successful hacking of 37 smartphones belonging to journalists, government officials, and human rights activists around the world. UN experts also called for a moratorium on surveillance technology. Experts especially called out NSO Group’s spyware Pegasus in their report.
Why is it worrisome?
This attack is very significant not only because of its zero-click exploit but also it works against the latest version of iOS. It also bypasses a new software security feature called BlastDoor. Apple built this into iOS 14 to prevent such intrusions by filtering untrusted data sent over iMessage.