Apple Lawsuit Goes After Spyware Firm NSO Group
Apple has sued NSO Group, a firm accused of selling weaponized exploits of Apple’s operating systems and Google’s Android that enable governments to surveil human-rights activists, dissidents, reporters, and others via their phones and computers. Apple wants NSO Group permanently barred from using Apple products and services and developing exploits for them.
Apple isn’t being shy about this action, which the company announced on its site. Normally tight-lipped on strategy, Apple also allowed Ivan Krstic, its head of security engineering and architecture, to speak to the New York Times. He told the paper:
This is Apple saying: If you do this, if you weaponize our software against innocent users, researchers, dissidents, activists or journalists, Apple will give you no quarter.
The Cupertino giant also says it will give $10 million to further the work of two prominent independent research groups, Citizen Lab and Amnesty Tech. Citizen Lab, part of a public policy school at the University of Toronto, and Amnesty Tech, a group within Amnesty International, have uncovered or assisted in revealing many hijackings of devices used by those targeted by governments.
Such discoveries typically lead to extensive patching of iOS, iPadOS, macOS, Android, and Windows, as well as apps developed by Apple, Google, Microsoft, and other firms, often within days of researchers alerting the affected companies.
In its lawsuit, Apple alleges that:
NSO Group and its clients devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices.
The lawsuit asks the US District Court to bar NSO Group permanently from using “any Apple servers, devices, hardware, software, applications, or other Apple products or services.” Apple also wants a permanent injunction against NSO Group creating intrusion software for anything in the Apple ecosystem. Apple didn’t specify the amount it wants for damages as direct compensation and as a penalty. One can imagine it would be quite a large number given the scope of affected devices and Apple’s costs in responding to malware attributed to NSO Group.
Whatever those damages may be, Apple plans to donate them to Citizen Lab and Amnesty Tech. Apple also promises to provide the groups with technical support, engineering help, and other insights, and says it will do the same for similar research groups “where appropriate” that may require help.
The Israel-based NSO Group develops a spyware package called Pegasus, a set of surveillance tools that, once surreptitiously installed on a target’s device, enable governments to intercept messages, monitor data in real time, exfiltrate information, silently operate the device’s camera and microphone, and more. To deploy Pegasus, NSO Group relies on zero-day exploits, attacks that rely on previously unknown errors in apps or operating systems.
Among other incidents, intrusions attributed to NSO Group’s Pegasus include an attack in 2016 that targeted a single human-rights activist, Ahmed Mansoor, with three interlocked zero-days; the surveillance of a large number of Mexican journalists, human-rights lawyers, and activists by the Mexican government from at least 2011 to 2016; and infiltration of Catalan independence leaders’ phones by the Spanish government in 2019. Pegasus may even have been used for personal reasons: the UK’s High Court concluded in October 2021 that Dubai’s leader, Sheikh Mohammed bin Rashid al-Maktoum, used Pegasus against his ex-wife, her lawyers, and others in her circle.
Aside from the alleged incident in Mexico, governments usually target only a small number of people with Pegasus, partly to reduce the likelihood of discovery by the likes of Citizen Lab. That doesn’t detract from the impact of these attacks since the activists and journalists in question are often engaged in investigating or revealing human rights abuses or instances of government corruption. In some cases, targeted people merely oppose a government or leaders within one—anathema to repressive regimes. And, of course, the information that Pegasus reveals may lead to the victims being arrested or even executed. Plus, as soon as zero-days become known, Apple and other companies must patch them, as they would typically allow exploitation on a massive scale that could affect any of hundreds of millions of users if uncovered by the general malware world.
While Apple had many incidents to choose from, its lawsuit sticks to events in 2021, calling out specifically the use of a Pegasus-driven attack that Citizen Lab tied to NSO Group. Citizen Lab labeled the zero-click exploit FORCEDENTRY, and Apple stated it was in the wild from February 2021 to September 2021, when Apple released patches to existing operating systems.
NSO Group doesn’t deny it provides technology that allows undisclosed access to electronic gear, but it has stated variations on this response on many occasions:
NSO sells it[sic] technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts. NSO does not operate the system and has no visibility to the data.
In that case, NSO Group was denying the details in an article at Forbidden Stories that linked Pegasus software to Saudi Arabia monitoring communications by journalist Jamal Khashoggi and those around him. The Saudi government murdered Khashoggi in 2018 in Turkey.
While eliding mentions of less savory uses, NSO Group claims its tech is used “every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.” The company, citing privacy issues, has provided no documentation of any of these uses or the scope of “every day.”
While receiving some scrutiny in the press, NSO Group and a handful of similar companies have previously escaped consequences for their products’ usage across the spectrum of democratic to totalitarian nations. That’s changing.
Facebook began a lawsuit against NSO Group in 2019 based on that company’s alleged use of the WhatsApp network to install Pegasus on devices owned by targets. Cisco, Google, Microsoft, and VMWare filed an amicus brief supporting Facebook (now Meta Platforms) in December 2020.
However, the lawsuit was delayed because NSO Group tried to make the case that it was protected by sovereign immunity, arguing that it sold software to government entities, which then used it. The trial judge rejected that argument, and NSO Group appealed—an appeal it lost just two weeks ago, on 8 November 2021. The lawsuit will now eventually be heard unless settled.
Just before that appeals decision, in early November, the US Department of Commerce added NSO Group and another Israel-based firm, Candiru, to its so-called Entity List, which allows the agency to bar American companies from licensing technology to them. The Commerce Department also recently imposed a general rule that prohibits US companies from selling software for electronic intrusion to other countries.
Despite the Israeli government’s often strong defense of Israeli businesses in international markets, the only public comment so far has come from Foreign Minister Yair Lapid, who said, “NSO is a private company, it is not a governmental project and therefore even if it is designated, it has nothing to do with the policies of the Israeli government.” Israel’s Defense Ministry has begun its own investigation into NSO Group, according to The Hill. That’s particularly embarrassing, given that the news organization Haaretz of Israel reported in 2020 that the government forced NSO Group to sell its software to Saudi Arabia and United Arab Emirates’ governments and leaders as part of a diplomatic thaw between Israel and Gulf nations.
Adding to its troubles, NSO Group may default on $500 million worth of loans. The Times of Israel noted the amount and wrote that, on 22 November 2021, the debt-rating agency Moody’s dropped NSO Group’s rating to “poor quality and very high credit risk.” This news followed the reported resignation days earlier of one of its co-presidents, Isaac Benbenisti, after the Commerce Department blacklisted the company. Benbenisti was slated to become CEO.
Along with the Commerce Department’s action and the Facebook lawsuit, Apple bringing its substantial weight to a lawsuit and bolstering the significant research already in the field could produce the pressure necessary to break the back of the quasi-legitimate spyware industry.
Hamstringing spyware companies won’t suppress the lust of countries to buy and create exploits for surveillance and data extraction. Superpowers like the United States, China, and Russia possess Pegasus-like software and discover and purchase zero-days; that won’t change significantly. However, the new illegitimacy of such companies will make it substantially harder for them to produce a shrinkwrap-style product that less technically capable nations can purchase and deploy.
Apple says it will also notify users who it believes are being targeted by state-sponsored spyware attacks.
Read what Apple said - I don’t want my stuff hacked either - but couldn’t find what law is being broken? Or settled cases in the area to support Apple’s position.
Hacking is a federal offense in the US:
All 50 of the US states also have anti-hacking laws:
It’s a great question. We’re focusing on the impact rather than getting into the minutiae, but it’s pretty interesting. We included Apple’s broad statement, and then (as this is civil, one private party against the other, not criminal) Apple has to state the actual violations it claims harmed it in exquisite detail.
The specific claims start at page 16 in the lawsuit. They include things like:
But Apple is also pursuing violations of California law (“80. unlawful acts or practices in the conduct of business, in violation of California’s Business and Professions Code Section 17200”) and breach of contract.
That last bit is clever. NSO Group members created Apple ID accounts, which means they agreed to the terms of service, including how disputes were handled. “The iCloud Terms constitute binding and enforceable contracts between Defendants and Apple.”
So in the article we discuss what Apple alleges NSO Group did; in the lawsuit, they break down precisely on what basis they want financial and injunctive relief from a court.
These aren’t criminal charges; it’s a lawsuit, which is a civil action among parties. There’s no opportunity for NSO Group to face fines or its officers prison terms; instead, Apple can only appeal for injunctions (NSO Group barred from all sorts of things) and for relief (money!).
That’s a PDF, but I’m still going to clarify that it’s a civil offense, not a criminal one. (“Federal offense” doesn’t explain that it doesn’t involve criminal charge, as that could mean criminal or civil.)
I’ve read some of the hacking laws and the info just sent by MMTalker.
As I understood it, NSO developed tools but didn’t do the hacking. Kind of like developing a chain cutter but not cutting the chain to the gate. I expect their position is that any actions on their part with respect to Apple systems were lawful. Perhaps Apple should be suing those who used the tools?
Are there lawful purposes the tools could be used for?
That’s why I was asking what specific law Apple was accusing them of breaking.
That’s a whole other discussion. NSO Group’s clients are governments, and the actions are always without the knowledge and consent of the party being hacked. It is very rare that tools such as those deployed against people have legal and legitimate uses, except in very narrow cases as defined in certain countries.
In repressive countries, such tools can be used either because the country doesn’t have laws about government use, has laws that allow it, or violates laws on the books without repercussions.
More to your analogy, a chain cutter can’t only be used to cut other people’s chains. DRM circumvention tech, as an example, has a huge number of legitimate purposes and is deployed typically by individuals; an individual cannot purchase NSO Group technology and, even if they could, they would have no legitimate purpose as an individual to put it to.
Again, read the lawsuit for Apple’s precise description of what they allege NSO Group has done. NSO Group has put forth the notion they are simply a tool developer, but that’s not what’s emerged in reporting, U.S. Commerce Department orders, and court cases: they are reportedly actively involved in various ways in supporting the operation of the tool.
I like what Apple is doing here and it appears they’re being smart about it too.
I just have to wonder if they’d be even more successful at this if they increased their bounties for exploits and offered more encouragement among the community to actively search for and report any flaws. Sure, it’s not great press when a zero-day gets found in your flagship OS, but it would be far worse press if you didn’t find it and it ends up getting used in the murder of a dissident. Plus, with a generous bounty program you get to very publicly advertise your virtuous intents.
There’s a good one page summary here, and it includes details of penalties as well as links to the laws of all 50 US states:
The Computer Fraud and Abuse Act (CFAA) is the leading federal anti-hacking legislation that prohibits unauthorized access to another’s computer system. Although the law was originally meant to protect the computer systems of U.S. government entities and financial institutions, the scope of the Act expanded with amendments to include practically any computer in the country (including devices such as servers, desktops, laptops, cellphones, and tablets).
And here are details of a US Supreme Court judgement, though it is not Apple-specific:
Except NSO isn’t a US company, they’re not operating on US soil, they have not sold their products to the US government and (from what I’ve read elsewhere), they have taken deliberate steps to prevent their software from being used to target US citizens.
So it’s highly doubtful that US law enforcement has standing to do anything in a criminal court. The fact that some of the people targeted are using equipment sold by a US company isn’t going to be enough of a basis.
It will be interesting to see if the court believes Apple has standing, since any damages are against Apple’s customers, not Apple itself. Unless they have evidence that NSO hacked Apple’s servers, not just users’ phones.
A US government blacklist is not exactly a lawsuit, but it’s close and could move in that direction:
“NSO Group and Candiru (Israel) were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.”
“The ban would prohibit American firms from selling technology to NSO Group and its subsidiaries. Dell and Microsoft were alerted earlier that NSO Group would be added to the blacklist, according to two people briefed on the calls but unauthorized to speak publicly about them.”
And Facebook/Meta has hauled NSO into the US justice system:
This is NOT a criminal prosecution (which a private company can’t initiate.) It’s a civil lawsuit for damages from conduct that Apple alleges is contrary to the agreements that NSO signed and contrary to commercial law. Apple clearly lays down the kinds of damages it believes they’ve suffered. (It is worth reading Apple’s filing, posted again as a reminder to do so: https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_112321.pdf )
What I really don’t understand is what Apple expects to get if/when they win. NSO is unlikely to pay any attention to a legal prohibition against hacking or against false accounts on iCloud, etc. I’m guessing they think they can go after some money associated with US sponsors (but there are substantial limits on that liability.) I’m presuming Apple has more in mind than just winning a judgement and bringing attention to the problem…
Addendum: Israel is feeling the heat! “Israel restricts cyberweapons export list by two-thirds, from 102 to 37 countries” (The Record by Recorded Future)
Now it seems like NSO Group spyware was used against the US State Department.
Should the government develop its phones (or modified iOS for its phones) that government employees use for government business?
No, absolutely not. Dangerous, and probably impossible for “the government” to do right.
They sort of do that already, at least in certain use cases. I remember the big ballyhoo over Obama’s Blackberry and how they had to lock it down so pretty much nothing worked.
Most government spy agencies would be allowed to use this software within their country. For example, in Australia we have ASIO, which looks after internal security and helpfully has on its web page: “When investigating threats to Australia’s security, the ASIO Act and Telecommunications (Interception and Access) Act 1979 allow us to do certain things which would otherwise be unlawful. Use of these special powers is strictly limited by legislation and is available to us only when authorised by a warrant. Special powers provided for by these Acts can allow the Organisation to enter and search premises, intercept and examine items in the mail, install and monitor surveillance devices, monitor telecommunications, and remotely access computers.”
Obviously it is not legal to use hacks against other countries, but the internet means that you may not need to be there, so if it can’t be traced, it is not a problem.
I think Apple’s message is for them to pull their heads in, and make sure that they don’t do anything that embarrasses Apple in the future. So just deal with decent governments and make sure that they don’t get caught.
Apparently, NSO Group didn’t take Apple’s lawsuit as a suggestion that maybe pulling back on hacking human rights activists isn’t well-received everywhere.
NSO isn’t hacking anybody. They license their tools to governments, who are doing the hacking. Maybe NSO shouldn’t be dealing with governments that spy on human rights activists, but that would probably exclude every country on the planet.
They probably believe (as I do) that Apple has no standing for a lawsuit. It’s like General Motors suing me because I planted a bug in somebody’s Chevrolet. The only legitimate plaintiff is the person who was bugged, not the company that made his car.
(update: Actually, it’s more like GM suing the manufacturer of the bug that I planted in somebody’s car.)
True—I should have said that maybe NSO Group should be working a little harder to live up to the claims on its website: