Apple has sued NSO Group, a firm accused of selling weaponized exploits of Apple’s operating systems and Google’s Android that enable governments to surveil human-rights activists, dissidents, reporters, and others via their phones and computers. Apple wants NSO Group permanently barred from using Apple products and services and developing exploits for them.
Apple isn’t being shy about this action, which the company announced on its site. Normally tight-lipped on strategy, Apple also allowed Ivan Krstic, its head of security engineering and architecture, to speak to the New York Times. He told the paper:
“This is Apple saying: If you do this, if you weaponize our software against innocent users, researchers, dissidents, activists or journalists, Apple will give you no quarter.”
The Cupertino giant also says it will give $10 million to further the work of two prominent independent research groups, Citizen Lab and Amnesty Tech. Citizen Lab, part of a public policy school at the University of Toronto, and Amnesty Tech, a group within Amnesty International, have uncovered or assisted in revealing many hijackings of devices used by those targeted by governments.
Such discoveries typically lead to extensive patching of iOS, iPadOS, macOS, Android, and Windows, as well as apps developed by Apple, Google, Microsoft, and other firms, often within days of researchers alerting the affected companies.
In its lawsuit, Apple alleges that:
“NSO Group and its clients devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices.”
The lawsuit asks the US District Court to bar NSO Group permanently from using “any Apple servers, devices, hardware, software, applications, or other Apple products or services.” Apple also wants a permanent injunction against NSO Group creating intrusion software for anything in the Apple ecosystem. Apple didn’t specify the amount it wants for damages as direct compensation and as a penalty. One can imagine it would be quite a large number given the scope of affected devices and Apple’s costs in responding to malware attributed to NSO Group.
Whatever those damages may be, Apple plans to donate them to Citizen Lab and Amnesty Tech. Apple also promises to provide the groups with technical support, engineering help, and other insights, and says it will do the same, “where appropriate,” for similar research groups that may require help.
The Israel-based NSO Group develops a spyware package called Pegasus, a set of surveillance tools that, once surreptitiously installed on a target’s device, enable governments to intercept messages, monitor data in real time, exfiltrate information, silently operate the device’s camera and microphone, and more. To deploy Pegasus, NSO Group relies on zero-day exploits, attacks that take advantage of previously unknown vulnerabilities in apps or operating systems.
Among other incidents, intrusions attributed to NSO Group’s Pegasus include an attack in 2016 that targeted a single human-rights activist, Ahmed Mansoor, with three interlocked zero-days; the surveillance of a large number of Mexican journalists, human-rights lawyers, and activists by the Mexican government from at least 2011 to 2016; and infiltration of Catalan independence leaders’ phones by the Spanish government in 2019. Pegasus may even have been used for personal reasons: the UK’s High Court concluded in October 2021 that Dubai’s leader, Sheikh Mohammed bin Rashid al-Maktoum, used Pegasus against his ex-wife, her lawyers, and others in her circle.
Aside from the alleged incident in Mexico, governments usually target only a small number of people with Pegasus, partly to reduce the likelihood of discovery by the likes of Citizen Lab. That doesn’t detract from the impact of these attacks since the activists and journalists in question are often engaged in investigating or revealing human rights abuses or instances of government corruption. In some cases, targeted people merely oppose a government or leaders within one—anathema to repressive regimes. And, of course, the information that Pegasus reveals may lead to the victims being arrested or even executed. Plus, as soon as zero-days become known, Apple and other companies must patch them, as they would typically allow exploitation on a massive scale that could affect any of hundreds of millions of users if uncovered by the general malware world.
While Apple had many incidents to choose from, its lawsuit sticks to events in 2021, calling out specifically the use of a Pegasus-driven attack that Citizen Lab tied to NSO Group. Citizen Lab labeled the zero-click exploit FORCEDENTRY, and Apple stated it was in the wild from February 2021 to September 2021, when Apple released patches to existing operating systems.
NSO Group doesn’t deny it provides technology that allows undisclosed access to electronic gear, but it has stated variations on this response on many occasions:
“NSO sells it [sic] technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts. NSO does not operate the system and has no visibility to the data.”
In that case, NSO Group was denying the details in an article at Forbidden Stories that linked Pegasus software to Saudi Arabia monitoring communications by journalist Jamal Khashoggi and those around him. The Saudi government murdered Khashoggi in 2018 in Turkey.
While eliding mentions of less savory uses, NSO Group claims its tech is used “every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.” The company, citing privacy issues, has provided no documentation of any of these uses or the scope of “every day.”
While receiving some scrutiny in the press, NSO Group and a handful of similar companies have previously escaped consequences for their products’ usage across the spectrum of democratic to totalitarian nations. That’s changing.
Facebook began a lawsuit against NSO Group in 2019 based on that company’s alleged use of the WhatsApp network to install Pegasus on devices owned by targets. Cisco, Google, Microsoft, and VMware filed an amicus brief supporting Facebook (now Meta Platforms) in December 2020.
However, the lawsuit was delayed because NSO Group tried to make the case that it was protected by sovereign immunity, arguing that it sold software to government entities, which then used it. The trial judge rejected that argument, and NSO Group appealed—an appeal it lost just two weeks ago, on 8 November 2021. The lawsuit will now eventually be heard unless settled.
Just before that appeals decision, in early November, the US Department of Commerce added NSO Group and another Israel-based firm, Candiru, to its so-called Entity List, which allows the agency to bar American companies from licensing technology to them. The Commerce Department also recently imposed a general rule that prohibits US companies from selling software for electronic intrusion to other countries.
Despite the Israeli government’s often strong defense of Israeli businesses in international markets, the only public comment so far has come from Foreign Minister Yair Lapid, who said, “NSO is a private company, it is not a governmental project and therefore even if it is designated, it has nothing to do with the policies of the Israeli government.” Israel’s Defense Ministry has begun its own investigation into NSO Group, according to The Hill. That’s particularly embarrassing, given that the Israeli news organization Haaretz reported in 2020 that the government forced NSO Group to sell its software to the governments and leaders of Saudi Arabia and the United Arab Emirates as part of a diplomatic thaw between Israel and Gulf nations.
Adding to its troubles, NSO Group may default on $500 million worth of loans. The Times of Israel noted the amount and wrote that, on 22 November 2021, the debt-rating agency Moody’s dropped NSO Group’s rating to “poor quality and very high credit risk.” This news followed the reported resignation days earlier of one of its co-presidents, Isaac Benbenisti, after the Commerce Department blacklisted the company. Benbenisti was slated to become CEO.
Along with the Commerce Department’s action and the Facebook lawsuit, Apple bringing its substantial weight to a lawsuit and bolstering the significant research already in the field could produce the pressure necessary to break the back of the quasi-legitimate spyware industry.
Hamstringing spyware companies won’t suppress the lust of countries to buy and create exploits for surveillance and data extraction. Superpowers like the United States, China, and Russia possess Pegasus-like software and discover and purchase zero-days; that won’t change significantly. However, the new illegitimacy of such companies will make it substantially harder for them to produce a shrinkwrap-style product that less technically capable nations can purchase and deploy.