The iPhones of nine Bahraini activists are said to have been hacked using the NSO Group’s Pegasus spyware between June 2020 and February 2021 by none other than the Bahrain government. Political tensions aside, the news is concerning because the zero-click exploit – delivered via iMessage – seems able to circumvent Apple’s security (codenamed “BlastDoor”) and provide access to victims’ personal data.
Pegasus is a dangerous and powerful piece of spyware since it can be installed on a victim’s iPhone without any user interaction whatsoever – hence the “zero-click” name. The exploit is typically delivered via iMessage from one Apple device to another.
Apple bolstered its mobile security in iOS 14 by adding a feature called BlastDoor. This monitors incoming iMessage traffic and only passes safe data on to the rest of the device. It should add an extra layer of security against exploits like Pegasus.
However, news from Citizen Lab indicates that the Pegasus exploit – among others – has been leveraged to bypass BlastDoor and compromise the iPhones of the aforementioned activists. The zero-click attack is reported to have worked on both iOS 14.4 and Apple’s more recent iOS 14.6. Two other exploits – called KISMET and FORCEDENTRY – were also used.
In a statement provided to TechCrunch, Apple reminds its users that attacks “like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.” In other words, they don’t pose a threat to the general population. Anyone with the means to access and pay for a Pegasus hack job (i.e., mainly corrupt governments) has more important things to do than read your texts.
Luckily, Apple is said to have strengthened its defenses in iOS (and iPadOS) 15, which is due to launch in the next month or so. As always, the best thing we can all do is keep our devices up to date, ensuring that new security patches are automatically installed on our iPhones and iPads.