Gerry Palmers Tech 08.25.2021 01:Aug AM EDT

Pegasus Spyware Breaks iPhone Security: Apple BlastDoor Protection Useless?

With the latest hack of Bahraini activists' iPhones, NSO Group's Pegasus software seems to have circumvented Apple's latest BlastDoor protection designed to prevent security breaches.

The University of Toronto's Citizen Lab disclosed that the Pegasus malware hacked the phones between June 2020 and February 2021. The hacked activists included political dissidents and members of the Bahraini Center for Human Rights, a U.S. News report said.

Bahrain's government has been suspected to be behind the hack, the report further said. Bahrain, which is home to the U.S. Navy's 5th Fleet, has been widely scrutinized for suppressing dissent. But the kingdom's National Communications Center released a statement dismissing the Citizen Lab findings as "misguided," and stressed that Bahrain is committed to safeguarding individual rights and freedoms.

The Israel-based NSO Group said it would investigate the matter while questioning Citizen Lab's motives in releasing the report.

Pegasus Allows Hackers to Read Texts, Hear Voice Calls in iPhones

The Pegasus spyware is a powerful malware that allows hackers to read texts, monitor voice calls, take over a device mic and camera, type in keystrokes, and much more, Gizmodo noted.

Citizen Lab pointed out that Pegasus infects iPhones with "zero-click" vulnerability or without users taking action. Hackers used the zero-click iMessage exploit, which requires no phishing and just takes advantage of the messaging app's code vulnerability to complete its attack,

This vulnerability, Citizen Lab said, is being exploited in the latest versions of the iPhone's iOS at the time of the hack,--articularly iOS 14.4 and iOS 14.6, which was released in May. It added that there has been no indication that this has been addressed.

Pegasus Spyware Undermines Apple's New 'BlastDoor' Security Protection

This means the attack is very significant since it undermines Apple's new "Blastdoor" security protection designed to overcome such covert breaches. BlastDoor, which analyszes and stops malicious data from reaching the iMessage app, is a sandbox service that executes code separately from the OS and operates within the messaging app, MacRumors stated. It would peer through all incoming messages and filters the content securely, thus disallowing malicious code in a message from interacting with iOS or accessing user data.

Blastdoor was integrated into iOS 14 in January 2021.

Due to previously reported breach on human rights activists, lawyers, and journalists likewise using the Pegasus malware last July, Apple released a security update in iOS 14.7.1 to fix that vulnerability. But Citizen Lab emphasized the Bahraini attack employed a different attack method.

Apple has yet to comment on the latest breach, but it has reiterated its condemnation for the attacks and assured iPhone users that the risk is low. The company added it would continue to work to prevent such attacks.

In a statement published on U.S. News, Apple Security Engineering and Architecture Ivan Kristic said such incidents are "not a threat to the overwhelming majority of our users," adding that Apple "adds new protections for its devices and data."