Bahraini activists targeted with new iOS zero-click exploit

A new Citizen Lab investigation published today has revealed the existence of a new iOS zero-click exploit that has been abused since at least February this year to hack into the iPhones of several Bahraini activists and political dissidents.

Citizen Lab, a political, human rights, and cybersecurity research center at the University of Toronto, said it linked the new iOS exploit to NSO Group, a well-known Israeli company specializing in the sale of offensive hacking and surveillance technologies.

Named FORCEDENTRY, the exploit was one of many offensive tools that were used to infect the devices with Pegasus, a surveillance tool developed by NSO Group.

Citizen Lab said FORCEDENTRY had been used in a broader hacking campaign that began in July 2021 and targeted the devices of at least nine Bahraini activists.

TargetDescriptionDate(s) of Hacking
Moosa Abd-Ali *Activist(Sometime before September 2020)
Yusuf Al-JamriBlogger(Sometime before September 2019)
Activist AMember of WaadSeptember 16, 2020
Activist B *Member of Waad, Labor Law ResearcherJune 3, 2020 July 12, 2020 July 19, 2020 July 24, 2020 August 6, 2020 September 15, 2020
Activist CMember of WaadSeptember 14, 2020
Activist D *Member of BCHRSeptember 14, 2020
Activist EMember of BCHRFebruary 10, 2021
Activist F *Member of BCHRJuly 11, 2020 July 15, 2020 July 22, 2020 October 13, 2020
Activist G *Member of Al Wefaq(Sometime before October 2019)

"At least four of the activists were hacked by LULU, a Pegasus operator that we attribute with high confidence to the government of Bahrain, a well-known abuser of spyware," Citizen Lab said in a report published today.

This campaign didn't center around the use of FORCEDENTRY, but went through three different stages, researchers said, and FORCEDENTRY appears to have been developed earlier this year as a way to bypass new security features that Apple introduced in iOS 14. The stages are below:

  1. July - September 2020: Victims were hacked using an older zero-click iOS exploit chain known as KISMET, known to work on older iOS versions up to v14.x.
  2. September 2020: After the release of iOS 14.0, the attackers returned to using one-click iOS exploits, where the victim had to click on a link received inside an iMessage text.
  3. February 2021 - July 2021: Attacks switched to using the new FORCEDENTRY zero-click exploit since it allowed the threat actor to target devices running iOS 14.x versions.

FORCEDENTRY can bypass BlastDoor

At the time of writing, technical details about the iMessage vulnerability exploited by the FORCEDENTRY tool are not available—primarily because the vulnerability is still unpatched.

However, Citizen Lab revealed some details in its report:

  • FORCEDENTRY is a zero-click exploit, meaning that just receiving an attacker's malicious iMessage text is enough to infect a device, even without clicking a link or viewing the message.
  • FORCEDENTRY can bypass BlastDoor, a new security feature that Apple secretly added in iOS 14 last year, which works by placing parts of the iMessages app inside a sandbox in order to isolate malicious code received via new messages from interacting with the underlying OS.

Citizen Lab researchers said they've seen the FORCEDENTRY exploit deployed against iOS versions 14.4 and 14.6, and the exploit is believed to work against current iOS versions as well.

FORCEDENTRY exploit used against French and Indian targets

In addition, there's an indication that the new exploit was also used against other targets besides Bahraini activists.

Citizen Lab researchers said the technical details of the FORCEDENTRY exploit are the same with the technical details of Megalodon, an iOS zero-click exploit detailed in a July 2021 Amnesty International report.

Amnesty researchers said they found this exploit while investigating the iPhones of a French human rights lawyer and an Indian journalist.

Both Amnesty and Citizen Lab said they reported their findings to Apple's security team, who said they started an investigation.

The findings of this report paint NSO Group in a negative light once again, as a company that has no qualms in selling surveillance technology to oppressive governments that abuse it to spy on critics, journalists, and political rivals, instead of fighting crime and terrorism.

NSO Group has stated in the past that it would investigate cases where its tools have been abused to violate human rights, and, answering to a Forbes inquiry about Citizen Lab's new report today, the company decried that they haven't been contacted to investigate the new findings before the report was published.

Since FORCEDENTRY is currently a carefully guarded exploit in the arsenal of a surveillance vendor and deployed in very limited and targeted operations, the danger to most iOS users is low until Apple learns more and releases an official fix.

However, the danger is high for individuals who have their own government and NSO Group in their threat model.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

No previous article
No new articles