🇧🇭 Bahrain PDPL | August 2021 | 10 min read
# Bahrain Pegasus Campaign: 12+ Activists Hacked with Zero-Click Exploits
In August 2021, the University of Toronto's Citizen Lab published "From Pearl
to Pegasus," a landmark investigation documenting the Bahraini government's
systematic deployment of NSO Group's Pegasus spyware against at least nine
activists, including members of the Bahrain Center for Human Rights, Waad political
society, and Al Wefaq Islamic Society. A Bahraini government operator, tracked by
Citizen Lab under the codename "LULU," used two distinct zero-click
exploit chains - KISMET (targeting iOS 13.5.1 and 13.7 via a JPEG ICC profile
vulnerability) and FORCEDENTRY (targeting iOS 14.4 and 14.6, bypassing Apple's
BlastDoor sandbox) - to silently compromise iPhones without any user interaction.
In February 2022, Amnesty International's Security Lab confirmed three additional
Bahraini targets, including prominent human rights lawyer Mohamed al-Tajer, bringing
the confirmed total to at least 12 victims across Bahrain and the United Kingdom.
The infections granted full device access: messages, contacts, call logs, emails,
photographs, real-time GPS location, and the ability to silently activate the device's
camera and microphone. NSO Group was placed on the U.S. Entity List in November 2021,
and affected activists filed a lawsuit in the UK in December 2022.
## Key Facts
- **What:** NSO Group Pegasus deployed via zero-click iPhone exploits.
- **Who:** 12+ Bahraini activists, lawyers, and human rights defenders.
- **Data Exposed:** Messages, contacts, GPS location, photos, and live microphone access.
- **Outcome:** NSO placed on U.S. Entity List; UK lawsuit filed by victims.
## What Was Exposed
Pegasus represents the most invasive surveillance capability commercially available.
Unlike conventional data breaches that expose structured databases, a Pegasus infection
transforms the target's smartphone into a comprehensive surveillance device,
providing the operator with access that exceeds what even the device owner can see
on their own screen.
- Complete iMessage, WhatsApp, Signal, and Telegram message histories, including
messages in end-to-end encrypted applications - Pegasus captures content
at the device level, after decryption, rendering encryption irrelevant
- Full contact databases and call logs, revealing the social networks, professional
relationships, and communication patterns of each target - metadata that
intelligence agencies consider more valuable than content
- Email accounts and their contents, including any accounts configured on the
device (personal, professional, and organizational)
- Complete photo libraries and videos, including metadata containing GPS
coordinates, timestamps, and device identifiers
- Real-time and historical GPS location data, enabling continuous physical
surveillance of the target's movements
- Silent activation of the device's camera and microphone, turning
the phone into an ambient listening and recording device even when not
in active use
- Stored passwords, authentication tokens, and credentials for online accounts,
potentially enabling access to cloud services, financial accounts, and
organizational systems beyond the device itself
- Browser history, bookmarks, and search queries, revealing the target's
interests, research activities, and digital behavior patterns
The technical evolution of the exploits used against Bahraini targets is significant.
The KISMET exploit, deployed in 2020, targeted a vulnerability in iOS's
handling of ICC (International Color Consortium) profiles embedded in JPEG images
sent via iMessage. The exploit was "zero-click" - the target
did not need to open, view, or interact with the message in any way. The mere
receipt of the iMessage triggered the exploit chain, which escalated privileges,
escaped the iMessage sandbox, and installed the Pegasus implant. This technique
worked against iOS 13.5.1 and 13.7, both of which were current versions at the
time of deployment.
When Apple introduced BlastDoor in iOS 14 - a dedicated sandbox for processing
incoming iMessage content, specifically designed to mitigate the class of attacks
exemplified by KISMET - NSO Group developed FORCEDENTRY to bypass it.
FORCEDENTRY exploited a vulnerability in Apple's CoreGraphics PDF parser,
using a technique that constructed a virtual machine from logical operators within
the JBIG2 image compression codec to achieve arbitrary code execution. This
exploit bypassed BlastDoor entirely and worked against iOS 14.4 and 14.6,
demonstrating NSO's ability to defeat defensive measures within months of
their deployment. The sophistication of FORCEDENTRY was such that Google's
Project Zero described it as "one of the most technically sophisticated
exploits we've ever seen."
The targeting pattern in Bahrain reveals a systematic campaign against civil society.
The nine initial victims identified by Citizen Lab included three members of Waad
(a secular political society), three members of the Bahrain Center for Human Rights,
one member of Al Wefaq (the largest Shia political society, dissolved by the
government in 2016), and two exiled dissidents living abroad. The subsequent
identification of Mohamed al-Tajer - a lawyer who had represented torture
victims and political prisoners - among the targets confirmed that the
campaign extended to the legal profession, a particularly chilling implication for
attorney-client privilege and access to justice.
The extraterritorial dimension of this campaign is critical. Several targets were
located in the United Kingdom at the time of infection, meaning the Bahraini
government was conducting surveillance operations on the sovereign territory of
a close ally. This led to the filing of a UK lawsuit in December 2022, in which
affected Bahraini activists sought legal remedies under UK data protection and
human rights law. The case represents one of the first attempts to hold a foreign
government accountable for Pegasus surveillance conducted on UK soil.
The implications for the broader Bahraini civil society extend far beyond the
confirmed 12 victims. Citizen Lab identified the LULU operator as active since
at least 2017, suggesting a multi-year campaign with potentially hundreds of targets.
The confirmed victims represent only those whose devices were forensically analyzed
-- the actual scope of surveillance is almost certainly far larger. The chilling
effect on free expression, political organizing, and human rights advocacy is
incalculable: when activists know that any iPhone in their community may be
compromised, the resulting self-censorship achieves the surveillance objective
even without additional infections.
## Regulatory Analysis
The deployment of Pegasus by a Bahraini government operator against citizens and
residents creates a profound regulatory paradox under the PDPL (Law No. 30 of 2018).
The law establishes data protection obligations that, if applied consistently, would
render the Pegasus campaign unlawful. However, the operator of the spyware is the
government itself - the same entity responsible for enforcing the law.
Article 3 of the PDPL defines personal data as "any data - regardless
of its source or form - that would identify a specific individual or make him
identifiable, directly or indirectly." The data collected by Pegasus falls
squarely within this definition and encompasses virtually every category of personal
data the law was designed to protect. Messages, contacts, location data, photographs,
and biometric data (voice recordings captured via microphone activation) are all
personal data under Article 3. The collection of this data without the knowledge
or consent of the data subjects constitutes processing under the PDPL.
Article 5 establishes the conditions for lawful data processing, requiring either
the consent of the data subject or a legitimate legal basis. The PDPL does include
an exemption in Article 2 for processing "necessary for the purposes of
national security" and law enforcement. However, this exemption is not
unlimited. International standards, including the jurisprudence of the European
Court of Human Rights and the UN Human Rights Committee, require that surveillance
measures be prescribed by law, necessary and proportionate to a legitimate aim,
and subject to adequate safeguards against abuse. The targeting of human rights
defenders, journalists, and lawyers - rather than individuals suspected of
criminal activity or terrorism - raises serious questions about whether the
national security exemption was applied in good faith.
Article 8 requires appropriate security measures to protect personal data. In the
context of government surveillance, this article creates an obligation to secure
the collected data against unauthorized access by third parties. NSO Group's
architecture routes surveillance data through its servers (despite claims to the
contrary), creating exposure to potential interception by NSO employees, Israeli
intelligence, or third-party threat actors who might compromise NSO's
infrastructure. The use of a foreign commercial spyware vendor to collect the
most sensitive personal data of Bahraini citizens introduces third-party risk
that the PDPL's security requirements would not permit in any other context.
Article 15 addresses cross-border data transfers, requiring that personal data
transferred outside Bahrain receive adequate protection. Pegasus infections
involve data transmission to command-and-control infrastructure hosted in multiple
jurisdictions, with portions of the data passing through servers operated by NSO
Group in Israel. This constitutes a cross-border transfer of the most sensitive
personal data imaginable - including information about political activities,
religious associations, and legal consultations - to a jurisdiction that the
Bahraini government does not formally recognize. The irony of a Bahraini government
operator routing its citizens' most intimate data through Israeli servers
is not lost on data protection analysts.
The practical reality is that the PDPL will never be enforced against the government
for Pegasus deployment. The Personal Data Protection Authority lacks the independence
and mandate to investigate state surveillance operations. This represents a
fundamental structural limitation: data protection laws that exempt or cannot
reach government surveillance effectively protect personal data from everyone
except the entity with the greatest capacity to misuse it. The UK lawsuit filed
by Bahraini activists may ultimately prove more consequential than any domestic
regulatory action, as it subjects the Pegasus campaign to the scrutiny of an
independent judiciary applying the UK Data Protection Act 2018 and the Human
Rights Act 1998.
## What Should Have Been Done
Addressing the Pegasus threat requires action at multiple levels: individual
device security, organizational security practices, platform-level protections
by Apple, regulatory and legal frameworks, and international export control
mechanisms. No single measure is sufficient against a threat actor deploying
zero-click exploits backed by a nation-state budget.
At the individual level, Apple's introduction of Lockdown Mode in iOS 16
(September 2022) represents the most significant defensive measure against
Pegasus-class attacks. Lockdown Mode disables several attack surfaces exploited
by NSO Group, including: blocking most iMessage attachment types (eliminating
the KISMET and FORCEDENTRY vectors), disabling link previews, blocking incoming
FaceTime calls from unknown contacts, restricting web browsing features commonly
exploited by commercial spyware, and preventing configuration profile installation.
Every individual at risk of state-sponsored surveillance should enable Lockdown
Mode and accept the functionality trade-offs. Bahraini activists and civil society
organizations should mandate Lockdown Mode on all organizational devices.
Organizations at risk should implement a mobile device management (MDM) strategy
that enforces automatic updates, requires devices to run the latest iOS or Android
version, and enables organizational-level security policies. The KISMET exploit
worked against iOS 13.5.1, which was superseded by iOS 13.6 within weeks of the
infections being deployed. While FORCEDENTRY targeted then-current iOS versions,
timely updates remain the most accessible defense against the majority of mobile
threats. Organizations should configure MDM policies to restrict device enrollment
to devices running supported OS versions and require updates within 48 hours of
release.
Regular forensic analysis of devices belonging to at-risk individuals should be
institutionalized. Amnesty International's Mobile Verification Toolkit (MVT),
released as open-source software, enables the detection of Pegasus indicators on
both iOS and Android devices. Organizations should conduct quarterly MVT scans of
high-risk individuals' devices, with immediate analysis of any device
exhibiting anomalous behavior (unexpected battery drain, unexplained data usage,
device overheating). Citizen Lab's detection of the Bahraini campaign
was possible because activists submitted their devices for forensic analysis --
this practice should be systematized rather than ad hoc.
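One way to systematize the MVT scans described above, as an added example that is not code from the original article or from Amnesty's MVT project: it wraps the `mvt-ios check-backup` command against Amnesty's published Pegasus STIX2 indicators and then triages the output directory, where MVT writes a `<module>_detected.json` file only for modules that matched an indicator. It assumes `pip install mvt` and a decrypted iOS backup directory; the `triage_records` input in the usage is constructed sample data.

```python
"""Quarterly MVT scan wrapper and triage (added example, not MVT's own code)."""
import json
import subprocess
from pathlib import Path

# Amnesty's published Pegasus indicators (URL as distributed in the
# AmnestyTech/investigations repository).
PEGASUS_IOCS_URL = ("https://raw.githubusercontent.com/AmnestyTech/investigations/"
                    "master/2021-07-18_nso/pegasus.stix2")


def scan_backup(backup_dir: str, out_dir: str, iocs_path: str) -> int:
    """Run mvt-ios check-backup; returns the process exit code.

    Assumes mvt-ios is on PATH and backup_dir is a decrypted iTunes-style backup.
    """
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    cmd = ["mvt-ios", "check-backup", "--iocs", iocs_path,
           "--output", out_dir, backup_dir]
    return subprocess.run(cmd, check=False).returncode


def triage_records(files: dict[str, str]) -> dict[str, int]:
    """Map module name -> number of matched records.

    `files` maps a result file name to its JSON text; only names ending in
    `_detected.json` are counted (MVT creates those only when a module had hits).
    """
    suffix = "_detected.json"
    hits: dict[str, int] = {}
    for name, text in files.items():
        if not name.endswith(suffix):
            continue
        data = json.loads(text)
        hits[name[:-len(suffix)]] = len(data) if isinstance(data, list) else 1
    return hits


def triage(out_dir: str) -> dict[str, int]:
    """Read an MVT output directory and return per-module hit counts."""
    files = {p.name: p.read_text() for p in Path(out_dir).glob("*.json")}
    return triage_records(files)


def needs_escalation(hits: dict[str, int]) -> bool:
    """Any matched module means the device goes to immediate forensic review."""
    return any(n > 0 for n in hits.values())


if __name__ == "__main__":
    # Constructed sample: one clean module, two modules with indicator matches.
    sample = {"sms.json": "[]",
              "sms_detected.json": '[{"event": "constructed"}]',
              "webkit_resources_detected.json": '[{"a": 1}, {"b": 2}]'}
    print(triage_records(sample), needs_escalation(triage_records(sample)))
```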
Communication security practices should assume device compromise and implement
defense-in-depth accordingly. Sensitive conversations should occur in environments
where phones are not present (Faraday bags or physically separate rooms). Organizations
should use air-gapped computers for the most sensitive document handling, maintaining
strict separation between communication devices (which may be compromised) and
document processing systems. The "assume breach" mindset is not
paranoia when the threat actor is deploying zero-click exploits backed by a
government budget.
At the platform level, Apple should expand iMessage's contact key verification
system and make Lockdown Mode more granular, allowing users to disable specific
attack surfaces without losing all advanced functionality. Apple should also invest
in automated detection of exploitation attempts, building on its existing threat
notification system that alerts users when Apple detects state-sponsored targeting
of their devices. The notification system should be expanded to include more detailed
guidance on immediate steps to take when a notification is received.
At the regulatory and legal level, the Bahraini PDPL should be amended to establish
an independent data protection authority with the mandate and resources to investigate
government data processing activities, including surveillance. The national security
exemption in Article 2 should be narrowed to require judicial authorization for
surveillance, proportionality assessments, and mandatory oversight by an independent
body. International models exist: Germany's G10 Commission provides independent
oversight of intelligence surveillance, and the UK's Investigatory Powers
Tribunal adjudicates complaints about surveillance activities. Without independent
oversight, the PDPL provides no protection against the most invasive form of
personal data collection.
At the international level, the export of commercial spyware should be subject to
the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use
Goods and Technologies, with surveillance technologies classified as dual-use items
requiring export licenses. The placement of NSO Group on the U.S. Entity List in
November 2021 was a significant step, but enforcement remains incomplete. An
international moratorium on the sale, transfer, and use of spyware technology,
as called for by the UN High Commissioner for Human Rights, should be pursued
until adequate international regulatory frameworks are established.
The Bahrain Pegasus campaign demonstrates that commercial spyware has fundamentally
altered the threat landscape for civil society. When a government can purchase
zero-click exploitation capabilities that bypass every security measure an individual
can take, the defense must shift from technical controls to legal and institutional
safeguards. Bahrain's PDPL, with its national security exemption and lack
of independent oversight, provides no meaningful protection against the most
invasive data collection tool ever deployed against its citizens.