A new report claims that software from Israeli cybersecurity company NSO Group Technologies Ltd. was used by the government of Bahrain to spy on various people by exploiting vulnerabilities in Apple Inc.’s iOS mobile operating software.

The report, from Citizen Lab, said Bahrain used NSO software between June 2020 and February 2021 to spy on nine activists in the country. Countries spying on people is not perhaps that remarkable, but where the story gets interesting is that the NSO software bypassed iOS security.

As with previous reports of arguably nefarious use of tools from NSO, the company’s Pegasus software was used in the spying. The Citizen Lab researchers claim that the iPhones were compromised using Pegasus via a zero-click iMessage exploit known as KISMET. The exploit required a targeted iPhone to receive a message for the spyware to compromise iOS and monitor the user’s internet traffic with no interaction from the user.

KISMET is said to have been a vulnerability in iOS up to version 13.7. Subsequent releases from Apple included a security feature called “BlastDoor” that defended against zero-click iMessage attacks. Although the Apple update blocked zero-click attacks, the vulnerability can still be exploited if a user clicked on a link in an iMessage, and that’s exactly what NSO’s Pegasus software then used to gain access to targeted iPhones.

Controversial as they may be, no one can claim that the employees of NSO are not smart. Forward to February this year and they found a new zero-click exploit in iOS called FORCEDENTRY. The name for the exploit was given by the researchers because it forced entry past Apple’s BlastDoor security.

The FORCEDENTRY vulnerability is confirmed as being present in versions of iOS up to 14.6 and could be present in the current version, 14.7. The researchers said that they had informed Apple of the exploit. Apple has so far declined to comment on if it has addressed the vulnerability.

In previous reports where NSO software has been allegedly found to be being used to targeting journalists and activists, the standard response from the company has to deny any findings. Following a report in July, NSO said that the findings were exaggerated and baseless.

NSO has been in the news previously over allegations that its software is used for hacking and spying. In October 2019, Facebook Inc. alleged that NSO hacked about 1,400 WhatsApp users using U.S. servers and filed a lawsuit against the company. At a hearing in April 2020, NSO alleged that it had sovereign immunity from the lawsuit since it works hand-in-hand with foreign government intelligence agencies, whereas Facebook argued it was liable under U.S. law since it had used U.S. servers.

Image: NSO Group