Citizen Lab: Bahrain Used Pegasus to Spy on ActivistsResearchers Say iPhone Exploit Used to Install Spyware
Threat researchers at The Citizen Lab at the University of Toronto say they've found a new zero-click iMessage exploit that's been used by the government of Bahrain to install the NSO Group's Pegasus spyware on the devices of human rights and political activists.
Dubbed "Forcedentry," the exploit bypasses Apple’s BlastDoor feature, which was built to protect the iPhone from such exploits.
The targeted activists include three members of the secular Bahraini political society Waad, three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents who are now living in London and one member of Shiite Bahraini political society Al Wefaq, the Citizen Lab researchers reported.
Forbidden Stories, a nonprofit journalism group that was key in carrying out the Pegasus Project investigation, confirmed that the phone numbers associated with five of the hacked activist devices were part of a list of potential targets discovered earlier, the researchers say.
The NSO Group has labeled The Citizen Lab’s findings as "technically impossible," according to Israeli news agency Haaretz.
A spokesperson from the Bahraini government also told Haaretz that the findings are “based on unfounded allegations and misguided conclusions”.
Citizen Lab researchers confirmed the compromise after analyzing the phone logs of the nine Bahraini activists. Their iPhones, they say, were hacked via the Pegasus spyware between June 2020 and February 2021, using two zero-click iMessage exploits: the 2020 Kismet exploit and the new 2021 Forcedentry exploit.
The Forcedentry exploit was deployed in devices running on iOS versions 14.4 and 14.6 as a zero-day, the researchers say.
The new iMessage zero-click exploit has been in use since February, with signatures detected as recently as July, according to the researchers.
When a Forcedentry exploit was targeted at a potential iPhone device, two types of crashes associated with the IMTranscoderAgent were observed: one occurred while invoking ImageIO’s functionality to render Adobe Photoshop PSD data and the other while invoking CoreGraphics’ functionality to decode JBIG2-encoded data in a PDF file, the Citizen Lab researchers says.
The phone logs of the Bahraini activists further indicated that the “responsible process” for the spyware was "amfid," the Apple mobile file integrity daemon, according to the researchers.
The Kismet Exploit Chain
A December 2020 report from The Citizen Lab deemed the Kismet exploit chain as a zero-day vulnerability in iPhone 11 running on iOS 13.5.1.
Researchers accessing the logs of the targeted activists report that this exploit chain was used to deploy Pegasus spyware between July and September 2020 on one of the devices running on the reported iOS version.
Like Forcedentry, the Kismet exploit chain also shows crashes associated with IMTranscoderAgent, which is responsible for transcoding and previewing images in iMessages.
“Specifically, the crashes were segfaults in the com.apple.IMTranscoderPreviewGenerationQueue thread while apparently parsing ICC color profile data in a JPEG image received via iMessage,” the researchers say.
Apart from iOS 13.5.1, the Kismet exploit was also used against iOS 13.7, they say, adding that the exploit did not work against iOS 14 and above, due to Apple’s BlastDoor feature.
Investigation in India
Meanwhile, in India, the West Bengal government has appointed an independent two-member Commission of Enquiry, headed by a retired Supreme Court judge, Justice Madan B. Lokur, to investigate allegations surrounding the Pegasus spyware scandal, according to legal publication Live Law.
The panel probe will not proceed, however, until the Supreme Court hears all the pending pleas regarding the case, Live Law says.
The move comes weeks after several privacy advocates and opposition party members filed petitions with the Supreme Court demanding an independent probe on the alleged use of Pegasus by the government of India on its citizens.
In response, the Indian government had filed a two-page affidavit saying that it could not disclose what software or hardware it uses as it is a “matter of national security.” The court has told the government that anything that would compromise national security may not be disclosed.
The court, which took 10 days to study the implications of the surveillance software, reportedly heard the pleas on Wednesday and stated that it will deliver a comprehensive order by next week.