Apple is suing NSO Group, an Israeli firm that sells software to government agencies and law enforcement that enables them to hack iPhones. To prevent further abuse and harm to users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous. While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”
The company says it is hoping to curb the abuse of state-sponsored spyware and hold NSO Group accountable for the surveillance and targeting of Apple users. The group is known for creating sophisticated, state-sponsored surveillance technology that allows its highly targeted spyware to surveil its victims. Several researchers and journalists have publicly documented the history of this spyware being abused to target journalists, activists, dissidents, academics as well as government officials.
These attacks are only aimed at a minimal number of users, and they impact people across multiple platforms, including iOS and Android, Apple says. While the NSO Group spyware continues to evolve, Apple says it has not observed any evidence of successful remote attacks against devices running iOS 15 and later versions but urges all users to update their iPhones and always use the latest software.
In its complaint, Apple provided new information on NSO Group’s FORCEDENTRY, an exploit for a now-patched vulnerability previously used to break into a victim’s Apple device and install the latest version of NSO Group’s spyware product, Pegasus. The exploit was initially identified by the Citizen Lab, a research group at the University of Toronto. To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device — allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge. Though misused to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the attacks.
The spyware was used to attack a small number of Apple users worldwide with dangerous malware and spyware. Apple’s lawsuit seeks to ban NSO Group from further harming individuals by using Apple’s products and services. The lawsuit also seeks redress for NSO Group’s flagrant violations of U.S. federal and state law, arising from its efforts to target and attack Apple and its users.
Commenting on the news, Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a Washington D.C.-based provider of cloud identity security solutions, explains, “Apple’s decision to sue NSO Group, the organization behind the Pegasus spyware which enables nation-states and those who have access to the spyware to snoop on unsuspecting victims, is a major push to protect privacy, which at the moment is on a very fine line. Governments and others have been known to use and abuse the Pegasus spyware to gain access to mobile devices data without the victim knowing or needing to click on anything. To protect privacy means the need to have good security. When security is broken, it puts everyone at risk. The balance of privacy is at risk more than ever before, and it looks like Apple has decided to defend and fight for privacy. It is important to protect citizens as governments are here to serve and provide services for the citizens, not to control. This means governments must work together to limit safe havens for those who abuse citizens’ rights, and when diplomacy fails, it looks like Apple is now taking the legal action path.”
This isn’t particularly surprising considering that NSO just recently lost their legal bid for a defense of sovereign immunity, says Jake Williams, Co-Founder and CTO at BreachQuest, a Georgia-based leader in incident response. “It’s likely that Apple has been considering this move for some time but was waiting for the WhatsApp case to make its way through the federal appeals court. Obviously, NSO will be able to bypass this from a technical standpoint. However, it likely gives Apple additional legal recourse if NSO continues to offer exploits and backdoors that clearly rely on access to Apple products and services for engineering and testing. This can’t be good news for NSO, which is reportedly in danger of default with over $500 million in debt, a recent leadership shakeup with their CEO, and France pulling out of a planned purchase after the U.S. sanctions.”
This is the natural consequence of the weaponization of vulnerabilities against large enterprises and their customers, notes John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, California-based digital IT and security operations company. “In years back, these legal tools were used against security researchers until the détente of bug bounty programs was reached. NSO Group and others are simply now on the business end of these legal tools that have existed but have been dormant for some time, and while I’m skeptical of near-monopolies, they nonetheless have access to court systems all over the world to fight back hard against these entities, and I’m glad that they are doing so.”
Apple also announced it would be contributing $10 million and any damages from the lawsuit to organizations pursuing cyber-surveillance research and advocacy. Apple will also support the accomplished researchers at the Citizen Lab with pro-bono technical, threat intelligence, and engineering assistance to aid their independent research mission. Where appropriate, it will offer the same assistance to other organizations doing critical work in this space.