Skip to main content

Pegasus: iPhone hit by NSO Group spyware to hack Saudi activist

Canada-based research group discovers Israeli-developed exploit named 'Forcedentry' while testing a Saudi activist's iPhone
A woman checks the website of Israel-made Pegasus spyware at an office in the Cypriot capital Nicosia, 21 July 2021 (AFP)

An Israeli spyware company has targeted the iPhone of a Saudi activist, exploiting a weak point in the messaging app that has led to Apple releasing an update to seal a cyber-security gap in its software.

All iPhones with software before the 14.8 update, which was released on Monday, are at risk of being hacked with a bug developed by NSO, an Israeli cyber security company that sold its powerful spyware Pegasus to several governments in the Middle East. 

Citizen Lab, a Canada-based research group examining digital threats to civil rights, reported on Monday that it discovered an exploit named "Forcedentry" while testing a Saudi activist's iPhone in March. The activist wished to remain anonymous. 

An exploit is a piece of software, a chunk of data, or a series of commands that takes advantage of a bug or vulnerability in an application or a system to cause unintended or unanticipated behaviour. 

Stay informed with MEE's newsletters

Sign up to get the latest alerts, insights and analysis, starting with Turkey Unpacked

Pegasus: Tunisia's Ghannouchi targeted by Saudi Arabia
Read More »

Citizen Lab believes that the "Forcedentry" exploit "is distinctive enough to point back to NSO," as it uses a similar hacking mechanism to Pegasus spyware, which NSO developed and sold to several governments, including Saudi Arabia, the United Arab Emirates and Morroco.

Apple confirmed that "Forcedentry" was a software vulnerability that works by hacking the device with a "crafted PDF" inserted in the iMessage app, leading to the device being compromised.

It has since released a software update, 14.8, to tackle the problem.

Forcedentry is a bug covered with a layer of an image format, also known as ".gif". But while it appears to be a "gif" file, it is in fact a PDF document containing a malicious code that infiltrates the chat app, using a zero-click technique that turns the iPhone into a surveillance tool.

Pegasus is also a zero-click malware that does not ask users to click on suspicious links or threatening texts, thus making it harder to detect.

It functions through push notifications, sometimes without the smartphone owner's awareness, and instructs the phone to upload its content to servers linked to the NSO Group, including pictures, emails, documents, voice and written messages.

The problem of Pegasus

In July, Amnesty International, Forbidden Stories and a consortium of international media organisations alleged that Pegasus was used in hacks of smartphones belonging to journalists, officials, human rights activists and world leaders.

The investigative group said it had acquired a list of 50,000 phone numbers that appear to be targets identified by the Israeli company's clients to be spied on using Pegasus.

On Tuesday, Ivan Krstic, head of Apple security engineering and architecture, told the Guardian that cyber-attacks such as the Forcedentry exploit "are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals".

He also said that Apple is "constantly adding new protections for their devices and data," and that the attack is "not a threat to the overwhelming majority of our users".

Pegasus: Saudi Arabia targets Middle East Eye's Turkey bureau chief
Read More »

Citizen Lab said that the Forcedentry exploit used several names, including "setframed," which was the process name used when dozens of journalists from Qatar-owned Al Jazeera were targeted with Pegasus spyware in July 2020.

Middle East Eye reported in December that the coordinated attacks on Al Jazeera were the largest concentration of phone hacks targeting a single organisation. They took place just weeks before the normalisation deal signed between Israel, UAE and Bahrain.

The Toronto-based Citizen Lab said in a statement that: "Our latest discovery of yet another Apple zero-day employed as part of NSO Group's arsenal further illustrates that companies like NSO Group are facilitating 'despotism-as-a-service' for unaccountable government security agencies."

It added that chat and messaging apps remain a soft and major target for hackers and state-sponsored espionage and spyware companies.

Bill Marczak, a researcher at Citizen Lab, said that "many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited."

NSO Group has been adamant that its technology is helping "government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe."

Middle East Eye delivers independent and unrivalled coverage and analysis of the Middle East, North Africa and beyond. To learn more about republishing this content and the associated fees, please fill out this form. More about MEE can be found here.