New Pegasus Zero-Click Attack Bypasses Apple iPhone's BlastDoor Protection

A new Pegasus zero-click attack on a human rights activist has managed to bypass Apple's BlastDoor protections, according to a report by Citizen Lab security researchers. The attack, launched against a Bahraini human rights activist, led to be held earlier this year. Citizen Lab researchers said the NSO Group spyware defeated new security protections that Apple has designed to resist covert compromises. The activist whose iPhone was attacked is a member of the Bahrain Center for Human Rights, an award-winning NGO that promotes human rights in the Gulf region.

Citizen Lab analyzed the activist's iPhone 12 Pro and found proof that it was hacked as of February using the "zero-click" attack, as it does not need any user interaction to infect a device. The zero-click attack exploited a previously unknown vulnerability in Apple's iMessage, which was exploited to pressure Pegasus on the activist's phone. The hack is noteworthy as it bypasses the BlastDoor security feature in iOS 14 that is supposed to prevent such covert attacks on iPhones by filtering malicious data sent over iMessage. Researchers are calling the attack ForcedEntry because of its ability to bypass BlastDoor.

Earlier, a zero-click Pegasus attack against journalists, human rights activists, and more prompted Apple to release a security update in iOS 14.7.1, which was believed to be a fix for that exploit. The Citizen Lab researchers say that the method of this attack is different.

Apple, in a response to 9to5Mac, forwarded the same statement that it had sent the last time, and did not comment on if iOS 14.7.1 protects against these kinds of attacks. The statement condemns the attack and says the risk is low for most of the customers.