Apple has sued NSO Group, a firm accused of selling weaponized exploits of Apple’s operating systems and Google’s Android that enable governments to surveil human-rights activists, dissidents, reporters, and others via their phones and computers. Apple wants NSO Group permanently barred from using Apple products and services and developing exploits for them.
Apple isn’t being shy about this action, which the company announced on its site. Normally tight-lipped on strategy, Apple also allowed Ivan Krstic, its head of security engineering and architecture, to speak to the New York Times. He told the paper:
“This is Apple saying: If you do this, if you weaponize our software against innocent users, researchers, dissidents, activists or journalists, Apple will give you no quarter.”
The Cupertino giant also says it will give $10 million to further the work of two prominent independent research groups, Citizen Lab and Amnesty Tech. Citizen Lab, part of a public policy school at the University of Toronto, and Amnesty Tech, a group within Amnesty International, have uncovered or assisted in revealing many hijackings of devices used by those targeted by governments.
Such discoveries typically lead to extensive patching of iOS, iPadOS, macOS, Android, and Windows, as well as apps developed by Apple, Google, Microsoft, and other firms, often within days of researchers alerting the affected companies.
NSO Group and its clients devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices.
The lawsuit asks the US District Court to bar NSO Group permanently from using “any Apple servers, devices, hardware, software, applications, or other Apple products or services.” Apple also wants a permanent injunction against NSO Group creating intrusion software for anything in the Apple ecosystem. Apple didn’t specify the amount it wants for damages as direct compensation and as a penalty. One can imagine it would be quite a large number given the scope of affected devices and Apple’s costs in responding to malware attributed to NSO Group.
Whatever those damages may be, Apple plans to donate them to Citizen Lab and Amnesty Tech. Apple also promises to provide the groups with technical support, engineering help, and other insights, and says it will do the same, “where appropriate,” for similar research groups that may require help.
The Israel-based NSO Group develops a spyware package called Pegasus, a set of surveillance tools that, once surreptitiously installed on a target’s device, enable governments to intercept messages, monitor data in real time, exfiltrate information, silently operate the device’s camera and microphone, and more. To deploy Pegasus, NSO Group relies on zero-day exploits: attacks that take advantage of previously unknown errors in apps or operating systems.
Aside from the alleged incident in Mexico, governments usually target only a small number of people with Pegasus, partly to reduce the likelihood of discovery by the likes of Citizen Lab. That doesn’t detract from the impact of these attacks since the activists and journalists in question are often engaged in investigating or revealing human rights abuses or instances of government corruption. In some cases, targeted people merely oppose a government or leaders within one—anathema to repressive regimes. And, of course, the information that Pegasus reveals may lead to the victims being arrested or even executed. Plus, as soon as zero-days become known, Apple and other companies must patch them, as they would typically allow exploitation on a massive scale that could affect any of hundreds of millions of users if uncovered by the general malware world.
While Apple had many incidents to choose from, its lawsuit sticks to events in 2021, calling out specifically the use of a Pegasus-driven attack that Citizen Lab tied to NSO Group. Citizen Lab labeled the zero-click exploit FORCEDENTRY, and Apple stated it was in the wild from February 2021 to September 2021, when Apple released patches to existing operating systems.
NSO Group doesn’t deny it provides technology that allows undisclosed access to electronic gear, but it has stated variations on this response on many occasions:
“NSO sells it [sic] technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts. NSO does not operate the system and has no visibility to the data.”
While eliding mentions of less savory uses, NSO Group claims its tech is used “every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.” The company, citing privacy issues, has provided no documentation of any of these uses or the scope of “every day.”
While receiving some scrutiny in the press, NSO Group and a handful of similar companies have previously escaped consequences for their products’ usage across the spectrum of democratic to totalitarian nations. That’s changing.
However, the lawsuit was delayed because NSO Group tried to make the case that it was protected by sovereign immunity, arguing that it sold software to government entities, which then used it. The trial judge rejected that argument, and NSO Group appealed—an appeal it lost just two weeks ago, on 8 November 2021. The lawsuit will now eventually be heard unless settled.
Despite the Israeli government’s often strong defense of Israeli businesses in international markets, the only public comment so far has come from Foreign Minister Yair Lapid, who said, “NSO is a private company, it is not a governmental project and therefore even if it is designated, it has nothing to do with the policies of the Israeli government.” Israel’s Defense Ministry has begun its own investigation into NSO Group, according to The Hill. That’s particularly embarrassing, given that the news organization Haaretz of Israel reported in 2020 that the government forced NSO Group to sell its software to Saudi Arabia and United Arab Emirates’ governments and leaders as part of a diplomatic thaw between Israel and Gulf nations.
Adding to its troubles, NSO Group may default on $500 million worth of loans. The Times of Israel noted the amount and wrote that, on 22 November 2021, the debt-rating agency Moody’s dropped NSO Group’s rating to “poor quality and very high credit risk.” This news followed the reported resignation days earlier of one of its co-presidents, Isaac Benbenisti, following the Commerce Department blacklisting the company. Benbenisti was slated to become CEO.
Along with the Commerce Department’s action and the Facebook lawsuit, Apple bringing its substantial weight to a lawsuit and bolstering the significant research already in the field could produce the pressure necessary to break the back of the quasi-legitimate spyware industry.
Hamstringing spyware companies won’t suppress the lust of countries to buy and create exploits for surveillance and data extraction. Superpowers like the United States, China, and Russia possess Pegasus-like software and discover and purchase zero-days; that won’t change significantly. However, the new illegitimacy of such companies will make it substantially harder for them to produce a shrinkwrap-style product that less technically capable nations can purchase and deploy.