- The oppressive regime in Bahrain has been spying on at least nine activists in the country.
- The operation involved NSO’s Pegasus and two zero-click exploits, KISMET and FORCEDENTRY, aimed at FaceTime and iMessage.
- The attacks required no interaction from the targets, and the only traces they left on the devices were crash logs that a user would not recognize as signs of compromise.
Activists in Bahrain have reportedly been targeted by their own government using several zero-click iPhone exploits bought from the NSO Group, the infamous Israeli spyware firm. The finding comes from investigators at Citizen Lab, who identified successful hacks against at least nine Bahraini activists between June 2020 and February 2021. Most of the victims were compromised with either the “KISMET” exploit or the “FORCEDENTRY” zero-day, both part of the Pegasus toolkit. Only two of the targets are named in the report: Moosa Abd-Ali and blogger Yusuf Al Jamri.
KISMET was publicly documented back in December 2020, so it is a known exploit and has since been patched. The more interesting exploit in this story is FORCEDENTRY, a zero-click exploit that targets iMessage. According to the Citizen Lab report, it was in use between February and July 2021, and July 2021 is when Apple hastily released iOS 14.7 and addressed an interaction-less attack on iMessage. Back then, we speculated a link, but it was never officially confirmed by Apple.
The investigators report that this zero-day was successfully deployed against iOS 14.4 and iOS 14.6. On the compromised devices it left crash logs for “IMTranscoderAgent,” followed by a series of errors from the Apple thermal monitor daemon, which Citizen Lab attributes to two segmentation faults. These are merely side effects of the spyware running on the iPhone: nothing is shown to the user, and even someone who went looking through the device’s logs could easily dismiss the entries as random crashes.
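The crash-log side effects described above are the kind of artifact a practitioner would want to triage automatically when reviewing a sysdiagnose or an iTunes backup from a suspected target. The following is an added example, not code from Citizen Lab or from this article. It assumes the iOS 14-era `.ips` crash-report layout (a one-line JSON header with `app_name`, `timestamp` and `os_version`, followed by a text body containing `Process:` and `Exception Type:` fields), the header timestamp format shown, and a clustering threshold of two segfaults within ten minutes; all of these, and the sample reports themselves, are constructed for illustration.

```python
"""Triage iOS crash reports for clusters of IMTranscoderAgent segfaults.

Added example. Assumptions (not from the article or the Citizen Lab report):
  * iOS 14-style .ips files: a JSON header line, then a text body.
  * header "timestamp" looks like "2021-02-15 14:22:10.00 +0300".
  * two or more SIGSEGV crashes of the process within ten minutes is
    the chosen alert threshold.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Process named in the report as crashing when FORCEDENTRY ran.
SUSPECT_PROCESS = "IMTranscoderAgent"
PROCESS_RE = re.compile(r"^Process:\s+(\S+)", re.MULTILINE)
SEGV_RE = re.compile(r"^Exception Type:\s+EXC_BAD_ACCESS \(SIGSEGV\)", re.MULTILINE)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f %z"  # assumed header timestamp format


@dataclass
class CrashReport:
    process: str
    timestamp: datetime
    os_version: str
    segfault: bool


def parse_ips(text: str) -> CrashReport:
    """Split a .ips report into its JSON header and text body and pull
    out the fields needed for triage."""
    header_line, _, body = text.lstrip().partition("\n")
    header = json.loads(header_line)
    proc = PROCESS_RE.search(body)
    return CrashReport(
        process=proc.group(1) if proc else header.get("app_name", "?"),
        timestamp=datetime.strptime(header["timestamp"], TS_FORMAT),
        os_version=header.get("os_version", ""),
        segfault=SEGV_RE.search(body) is not None,
    )


def find_suspect_clusters(reports, min_crashes=2, window=timedelta(minutes=10)):
    """Return IMTranscoderAgent SIGSEGV reports that belong to a burst of at
    least `min_crashes` inside `window`; isolated crashes are ignored so a
    single benign crash does not raise an alert."""
    hits = sorted(
        (r for r in reports if r.process == SUSPECT_PROCESS and r.segfault),
        key=lambda r: r.timestamp,
    )
    flagged = set()
    for i, first in enumerate(hits):
        j = i
        while j < len(hits) and hits[j].timestamp - first.timestamp <= window:
            j += 1
        if j - i >= min_crashes:
            flagged.update(range(i, j))
    return [hits[k] for k in sorted(flagged)]


def triage(ips_texts):
    """Parse raw .ips contents and return the flagged reports."""
    return find_suspect_clusters([parse_ips(t) for t in ips_texts])


def _report(app, ts, exc):
    # Helper that builds a constructed sample report in the assumed layout.
    header = json.dumps({"app_name": app, "timestamp": ts,
                         "os_version": "iPhone OS 14.4 (18D52)", "bug_type": "109"})
    return (f"{header}\nIncident Identifier: 00000000-0000-0000-0000-000000000001\n"
            f"Process:             {app} [412]\nException Type:      {exc}\n")


# Constructed sample set: an isolated crash days earlier (not flagged),
# a benign SpringBoard abort, and a two-segfault burst (flagged).
SAMPLE_LOGS = [
    _report("IMTranscoderAgent", "2021-02-10 09:01:00.00 +0300", "EXC_BAD_ACCESS (SIGSEGV)"),
    _report("SpringBoard", "2021-02-15 14:20:00.00 +0300", "EXC_CRASH (SIGABRT)"),
    _report("IMTranscoderAgent", "2021-02-15 14:22:10.00 +0300", "EXC_BAD_ACCESS (SIGSEGV)"),
    _report("IMTranscoderAgent", "2021-02-15 14:23:41.00 +0300", "EXC_BAD_ACCESS (SIGSEGV)"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOGS):
        print(f"suspect: {r.process} SIGSEGV at {r.timestamp} on {r.os_version}")
```

A burst of segfaults in this process is an indicator, not proof: the same process can crash on malformed media for innocent reasons, so a hit should be correlated with the other artifacts the report mentions (thermal monitor daemon errors) and, where possible, with known Pegasus indicators of compromise such as those distributed with Amnesty International’s Mobile Verification Toolkit.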
As for the “ethical deployment” and human-rights safeguards that NSO has always placed at the center of its defense against such allegations: Bahrain scores 12 out of 100 on the Freedom House index and carries the status “Not Free.” The country is ruled by a monarchy that dominates every institution, and all political opposition has been gradually and methodically dismantled since 2011, when the authorities crushed the last powerful pro-democracy movement in the country.
Because these attacks relied on zero-days, running the latest iOS would not have protected the targets. What would have helped is removing the delivery channel: both exploits needed iMessage or FaceTime to be enabled, so a target who had disabled those services would have taken away the ground they needed to work. That is attack-surface reduction rather than immunity, since a zero-click exploit only needs some always-on service that parses attacker-supplied data, and others remain. Still, the lesson stands: keep only the services you actively use, and use as few as possible.