Just weeks after a US judge ruled that NSO Group did not have immunity in a lawsuit brought by Facebook subsidiary WhatsApp, Apple is adding to the company’s troubles.
Following a zero-click, zero-day exploit that was deployed against iPhone users, Apple has filed a legal action against NSO Group.
The complaint alleges that the maker of the infamous Pegasus mobile spyware is responsible for the illegal surveillance of Apple users. The computing giant is asking the court to issue a permanent injunction against the Israeli company, banning it from using any Apple software, services or devices, & is also seeking an unspecified amount in damages.
“In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” observed Ivan Krstić, Head of Apple Security Engineering & Architecture, in an Apple statement, issued Mon.
NSO Group is also facing other lawsuits – notably a complaint brought by Facebook subsidiary WhatsApp that aimed to hold NSO Group accountable for distributing Pegasus via the messaging service to at least 1,400 targets. That suit has sparked legions of amicus briefs from Cisco, Electronic Frontier Foundation (EFF), GitHub, Google, the Internet Association, LinkedIn, Microsoft & VMware, among others.
Earlier in Nov., a US appeals court rejected NSO Group’s argument that it’s protected from the suit under sovereign immunity laws. That allows the suit to move forward & makes it necessary for the company to respond to discovery efforts. The ruling likely acted as a green light for Apple’s decision to file its own suit, researchers noted.
“The Apple suit isn’t particularly surprising considering that NSO just recently lost their legal bid for a defence of sovereign immunity,” Jake Williams, Co-Founder & CTO at Breach Quest, outlined.
“It’s likely that Apple has been considering this move for some time but was waiting for the WhatsApp case to make its way through the US Federal Appeals Court.”
In addition to the permanent injunction, the lawsuit also seeks redress for NSO Group’s “flagrant violations of US Federal & State law, arising out of its efforts to target & attack Apple & its users.”
Apple revealed that it will be donating any awarded damages to “organisations pursuing cyber-surveillance research & advocacy,” along with an additional $10m from its corporate funds.
Apple also outlined that it would support Pegasus specialists Citizen Lab with technical, threat intelligence & engineering assistance going forward.
Pegasus ‘Takes Flight’
Pegasus is a notorious, military-grade tool for surveillance that’s been linked to highly targeted cyber-attacks by repressive regimes against dissidents, activists & NGOs (not to mention the murders of journalists). It can access the microphone, camera, messages & other sensitive data on Apple & Android devices.
NSO Group maintains that it sells Pegasus only for legitimate law-enforcement & anti-terrorist activities, to vetted govts. that uphold civil rights. That’s a claim that researchers have largely rejected, including in a recent analysis from Amnesty International & Citizen Lab.
Theory of Innocence
The US Govt. has also rejected that theory of innocence, earlier this month banning any trade with the company by American citizens or organisations.
The US Commerce Department added NSO Group to its “Entity List,” which was previously mainly used to limit the flow of money to people & organisations with links to terror activities.
‘Bite of Apple’
Apple has a legitimate issue: NSO Group has not hesitated to target Apple users in the past. In Aug., cyber-security watchdog Citizen Lab warned that Pegasus had added a zero-click, zero-day Apple exploit dubbed FORCEDENTRY to its bag of tricks.
The spyware was seen successfully deploying against iOS versions 14.4 and 14.6, blowing past Apple’s new BlastDoor sandboxing feature to land on the iPhones of Bahraini activists. Apple rushed an emergency fix for the bug.
Last Dec., 4 nation-state-backed advanced persistent threats (APTs) hacked Al Jazeera journalists, producers, presenters & executives, in a Pegasus espionage attack using another zero-day exploit for Apple iPhone, researchers stated.
Millions of Dollars
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” explained Craig Federighi, Apple’s Senior VP of Software Engineering, in the statement.
“Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous.
While these cyber-security threats only impact a very small number of our customers, we take any attack on our users very seriously, & we’re constantly working to strengthen the security & privacy protections in iOS to keep all our users safe.”
Apple’s legal complaint provides new information on FORCEDENTRY, Apple noted: “To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device — allowing NSO Group or its clients to deliver & install Pegasus spyware without a victim’s knowledge.”
Cybersecurity researchers, for their part, applauded Apple’s move. Joseph Carson, for instance, Chief Security Scientist & Advisory CISO at Thycotic Centrify, described it as a win for privacy.
“Govts. & others have been known to use & abuse the Pegasus spyware to gain access to mobile devices data without the victim knowing or needing to click on anything,” he stated by email.
The Balance of Privacy
“To protect privacy means the need to have good security. When security is broken, it puts everyone at risk. The balance of privacy is at risk more than ever before & it looks like Apple has decided to defend & fight for privacy. It is important to protect citizens as govts. are here to serve & provide services for the citizens, not to control.
This means govts. must work together to limit safe havens for those who abuse citizens’ rights & when diplomacy fails, it looks like Apple are now taking the legal action path.”
Breach Quest’s Williams noted that even if NSO Group’s targeting of the Apple platform can’t be prevented with any technical measures, the suit adds to the already formidable headwinds that the company faces.
Exploits & Backdoors
“Obviously NSO will be able to bypass this from a technical standpoint,” he outlined. “However, it likely gives Apple additional legal recourse if NSO continues to offer exploits & backdoors that clearly rely on access to Apple products & services for engineering & testing.
This can’t be good news for NSO, which is reportedly in danger of default with over $500m in debt, a recent leadership shakeup with their CEO, & France pulling out of a planned purchase after the US sanctions.”
John Bambenek, Principal Threat-Hunter at Netenrich, stated that NSO Group has simply pushed it too far.
Weaponization of Vulnerabilities
“This is the natural consequence of the weaponization of vulnerabilities against large enterprises & their customers,” he explained.
“In years back, these legal tools were used against security researchers until the détente of bug-bounty programs was reached. NSO Group & others are simply now on the business end of these legal tools that have existed but have been dormant for some time.
While I’m sceptical of near monopolies, [Apple & others] nonetheless have access to court systems all over the world to fight back hard against these entities & I’m glad that they are doing so.”