Developed by Israel-based NSO Group, Pegasus is a highly effective form of iPhone spyware that has been making news for years now due to its repeated use by repressive governments. Another case has emerged as a new Citizens Lab report reveals that the government of Bahrain has used Pegasus to track at least nine activists since June 2020. While this is not an entirely surprising development given that Bahrain has already been known to deploy spyware to keep tabs on activists, the story is noteworthy in that it appears at least one of the activists was hacked with Pegasus while residing in London.
Long history of misuse of iPhone spyware adds new chapter in authoritarian kingdom
The government of Bahrain has been observed purchasing and using cellular phone spyware from a variety of sources since 2010. The small country has existed under one continuous authoritarian family dynasty since shortly after declaring its independence from Britain in the early 1970s. This government has a long history of repression of political dissent. A period of reforms in the early 2000s created space for oppositional “political societies” to exist, but these groups experience continual surveillance and occasional violent crackdowns ahead of elections that are widely seen as unfair if not outright fraudulent.
The nine activists targeted between June 2020 and February 2021 were members of either one of these oppositional political groups, a human rights NGO or were exiled dissidents. Three are members of Waad, a secular opposition party, and one was a member of Shiite oppositional group Al Wefaq. Three are members of the Bahrain Center for Human Rights, a non-profit NGO based in the country that remains active there in spite of a formal ban by the government. The remaining two are dissidents living in exile, one of whom was attacked with the iPhone spyware while in London.
Citizen Lab has traced four of the iPhone spyware attacks to an entity called “LULU” that has previously been observed using spyware on behalf of the government of Bahrain. In one case, an activist was attacked by LULU only hours after giving an interview in 2020 in which they revealed that they were hit by iPhone spyware previously in 2019.
The case of the dissident living in London is unique, as Bahrain has not previously been observed using spyware against targets outside of its borders. Citizen Lab believes this operator is associated with a different government but does not have any concrete information as to which. The two London targets, activist Moosa Abd-Ali and blogger Yusuf Al-Jamri, were the only two of the nine that consented to be named publicly. Al-Jamri was hit with iPhone spyware in 2019, and it is unclear if it happened while he was in Bahrain or London. The 2020 attack on Abd-Ali occurred while he was in London. This was also not the first incident of the Bahraini government planting spyware on his devices, as he had previously had a personal computer attacked by the FinFisher spyware in 2011 while still living in that country.
Use of zero click iPhone exploits targeting iMessage
The report also provides further details about the specific exploits that the Pegasus iPhone spyware offers to its customers, in this case two zero-days that allowed for broad access to devices.
One attack used an exploit called “KISMET” that is initiated by a malicious iMessage (in this case a fake package tracking notification), but no longer works as of iOS 14. The second exploit, called “FORCEDENTRY,” also makes use of iMessages but sends a malicious PDF file and was viable in both iOS 14.4 and 14.6. These attacks were both “zero click,” simply requiring that the recipient have iMessages enabled and receive the messages. Apple responded to the story by saying that they intend to roll out security improvements in iOS 15.
Worrying evidence shows continued use of iPhone spyware
NSO Group gave a statement to Bloomberg indicating that they had not seen the report but questioning Citizen Lab’s “methods and motives.” This is in line with the company’s response to a July report from Amnesty International that highlighted leaked documents indicating that the company works with a variety of repressive governments around the world in spite of pledges not to. NSO Group responded to the Amnesty story by calling it “slanderous” and refusing to speak to the media any further about it.
NSO Group has said that it vets its clients carefully and will not work with governments that have a history of human rights abuses and surveillance of dissidents, but these recent reports seem to indicate otherwise. The firm has said that it has recently banned some of its clients that have been caught engaging in these activities, but will not elaborate on exactly who.
Paul Bischoff, privacy advocate with Comparitech, feels that the situation has gotten out of hand and will not be resolved without international cooperation to ban Android and iPhone spyware: “The use of Pegasus against Bahraini activists is another in a long list of examples demonstrating how NSO Group sells its malware to oppressive regimes and totalitarian governments. NSO Group says it only sells its software to legitimate government agencies, but the evidence shows it’s repeatedly being used to target journalists, dissidents, and activists by authorities with histories of corruption and human rights abuses. Those authorities would not have the same spying capabilities without NSO Group. There is no real legitimate use for NSO Group’s malware. We should immediately declare an international moratorium on private sales of spyware.”
While Pegasus is worrying given that it appears to be able to penetrate Apple’s vaunted BlastDoor security, a feature only just introduced in iOS 14, Cupertino says that the average user of its devices should not be worried as it relies on a rotating lineup of zero day exploits that are generally patched out as soon as they are discovered.
Chris Hauk, consumer privacy champion at Pixel Privacy, has some additional advice for those concerned about the security of their device in light of this news: “While this type of spyware will continue to exploit both known and previously unknown flaws in operating systems like iOS, there are tools available to detect whether or not a user’s device is infected. iMazing, the maker of a Mac file transfer utility that makes it easier to backup iOS and iPadOS devices while also allowing easier file transfers between an iOS device and a Mac, has added a new feature to its iMazing software that can detect traces of spyware on a device. The software is a free download and doesn’t require a license to use the spyware detection feature.”
