More than 180 journalists around the world have been targeted by various operators of the Pegasus spyware tool developed by Israeli firm NSO Group. New research reveals that despite the common perception that Apple devices are more secure, there are plenty of vulnerabilities that can be exploited through Pegasus even when running the latest software revision for your device.
Last year, it emerged that Facebook wanted to buy the infamous Pegasus spyware tool in 2017 with the explicit purpose to monitor iPhone and iPad users. Pegasus developer NSO Group refused to sell it for that purpose, as the firm is known for its strict policy of only licensing its tools to governments and government agencies for legitimate use cases pertaining to national security and law enforcement.
Fast forward to today, and a new report from Citizen Lab highlights just how effective Pegasus is even on devices running iOS 14. Security researchers found the tool facilitated a zero-click attack on the iPhones of nine Bahraini activists between June 2020 and February 2021.
The attack relied on two zero-click iMessage exploits — meaning no interaction from the user is necessary for the exploits to succeed. One of the exploit chains is called KISMET and was discovered in 2020, while the other is a completely new one that is able to bypass Apple’s Blastdoor protections, which is why Citizen Labs called it FORCEDENTRY.
Researchers found the attack was successful against iPhones running an up-to-date version of iOS, and that versions 14.4 and 14.6 are confirmed to be vulnerable to it. What isn’t clear at this point is whether the security update in iOS 14.7.1 is meant to offer a fix for this particular exploit. Apple is aware of the issue, however, and the company will introduce more security protections in the upcoming iOS 15 release.
Citizen Lab notes with a “high degree of confidence” that four of the nine activists that were hacked have been targeted by the government of Bahrain, which is said to have been using Pegasus since 2017. One of the activists had previously been hacked with the same tool in 2019.