A previously undisclosed “zero-click” exploit in Apple’s iMessage was abused by Israeli surveillance vendor NSO Group to circumvent iOS security protections and target nine Bahraini activists.
“The hacked activists included three members of Waad (a secular Bahraini political society), three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society),” researchers from University of Toronto’s Citizen Lab said in a report published today, with four of the targets hacked by an actor it tracks as LULU and believed to be the government of Bahrain.
Citizen Lab called the new exploit chain “FORCEDENTRY.” It’s also a zero-click exploit, meaning that it can be used to trigger an infection simply by sending a malicious message to the target, even without having to click a link or view the message in question.
“As always, if NSO receives reliable information related to misuse of the system, the company will vigorously investigate the claims and act accordingly based on the findings,” a spokesperson for NSO Group told The Guardian.
The development comes a little over a month after an extensive investigation undertaken by a consortium of 17 media organizations revealed the widespread use of NSO Group’s Pegasus “military-grade spyware” by authoritarian regimes to facilitate human rights violations by surveilling heads of state, activists, journalists, and lawyers around the world.
The company has since temporarily blocked several government clients globally from using its technology as the company probes its potential misuse, while also acknowledging that it “shut off five clients’ access in the past several years after conducting a human rights audit, and had ended ties with two in the last year alone,” according to the Washington Post.
The latest disclosure is significant, not least because the zero-click attack successfully works against the latest versions of iOS, but also for the fact that it bypasses a new software security feature called BlastDoor that Apple built into iOS 14 to prevent such intrusions by filtering untrusted data sent over iMessage.
The tightly sandboxed service was detailed by Google Project Zero researcher Samuel Groß earlier this January, noting that it’s “written in Swift, a (mostly) memory safe language which makes it significantly harder to introduce classic memory corruption vulnerabilities into the code base.” BlastDoor inspects inbound messages in a secure, sandboxed environment, thus preventing any malicious code inside of a message from interacting with the rest of the operating system or accessing user data.
But the very next month after its existence came to light, Citizen Lab said it observed NSO Group deploying FORCEDENTRY — which Amnesty International dubbed “Megalodon” — against iOS versions 14.4 and 14.6 as a zero-day expressly engineered to get around the BlastDoor feature by crashing IMTranscoderAgent, a service responsible for transcoding and previewing images in iMessage, in order to download and render items from the Pegasus infection server.
“Despite a half-decade of being implicated in human rights abuses, NSO Group regularly claims that they are, in fact, committed to protecting human rights,” the researchers said. “The company has even published a ‘Human Rights Policy,’ a ‘Transparency and Responsibility Report,’ and claimed to subscribe to the United Nations Guiding Principles on Business and Human Rights.
“The sale of Pegasus to Bahrain is particularly egregious, considering that there is significant, longstanding, and documented evidence of Bahrain’s serial misuse of surveillance products including Trovicor, FinFisher, Cellebrite, and, now, NSO Group,” the Citizen Lab team added.