Apple Sues NSO To ‘Curb Abuse Of State-Sponsored Spyware’

Apple has launched a lawsuit against NSO Group and its parent company OSY Technologies for alleged surveillance and targeting of iPhone users in the US.

Apple announced the lawsuit that was filed in US District Court for the Northern District of California, and said that firms such as NSO are not subject to any accountability and that needs to change.

Apple’s lawsuit is the latest blow for the surveillance specialist. Earlier this month the US Commerce Department placed NSO on a trade blacklist, when it and three other firms were placed on the US Entity List.

Spyware lawsuit

Apple said that its lawsuit was an effort to hold NSO Group and its parent company accountable for the surveillance and targeting of Apple users in the United States.

The complaint apparently “provides new information on how NSO Group infected victims’ devices with its Pegasus spyware.

To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.”

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior VP of Software Engineering.

“Apple devices are the most secure consumer hardware on the market – but private companies developing state-sponsored spyware have become even more dangerous,” said Federighi.

“While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”

NSO Exploit

Apple’s complaint provided new information on NSO’s FORCEDENTRY, which it says is NSO’s exploit for a now-patched vulnerability previously used to break into a victim’s Apple device and install the latest version of NSO Group’s spyware product, Pegasus.

The exploit was originally identified by the Citizen Lab, a research group at the University of Toronto, back in December 2020. the researchers said NSO’s exploit was used to hack the iPhones of 36 Al Jazeera journalists.

But matters ramped up in July this year, when the Pegasus Project alleged that NSO’s Pegasus spyware had been used “to facilitate human rights violations around the world on a massive scale.”

Apple said that it will donate $10 million, as well as any damages recovered in the lawsuit, to research groups including Citizen Lab, the University of Toronto group that first discovered NSO’s attacks.

Flagrant violations?

“The spyware was used to attack a small number of Apple users worldwide with dangerous malware and spyware,” said Apple.

“Apple’s lawsuit seeks to ban NSO Group from further harming individuals by using Apple’s products and services. The lawsuit also seeks redress for NSO Group’s flagrant violations of US federal and state law, arising out of its efforts to target and attack Apple and its users.”

Apple said that NSO and its clients “devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices.”

Apple alleged that in order to deliver FORCEDENTRY to Apple devices, attackers created over 100 fake Apple IDs to send malicious data to a victim’s device – allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge.

Apple insisted that though misused to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the attacks.

Apple said that as NSO spyware continues to evolve, it has not observed any evidence of successful remote attacks against devices running iOS 15 and later versions.

NSO response

In a statement to Reuters, NSO, said it sells its tools only to governments and law enforcement agencies and has safeguards in place to prevent misuse, said that “thousands of lives” have been saved through the use of its tools.

“Paedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO Group will continue to advocate for the truth,” a spokesperson said in a statement.

NSO it should be remembered is also currently engaged in a legal battle with Meta and WhatsApp, after Facebook sued NSO in October 2019.

WhatsApp alleged NSO was behind the cyberattack in May 2019 that infected devices with advanced surveillance hacks.

Privacy fight

One security expert said Apple’s lawsuit demonstrated its willingness to fight for the privacy of its users.

“This is a major indication of the push to protect privacy which at the moment is on a very fine line,” noted Joseph Carson, chief security scientist at ThycoticCentrify. “Governments and others have been known to use and abuse the Pegasus spyware to gain access to mobile devices data without the victim knowing or needing to click on anything.”

“To protect privacy means the need to have good security and when security is broken it puts everyone at risk,” said Carson. “The balance of privacy is at risk more than ever and it looks like Apple have decided to defend and fight for privacy.”

“It is important to protect citizens as governments are here to serve and provide services for the citizens, not control which means governments must work together to limit safe havens for those who abuse citizens’ rights and when diplomacy fails it looks like Apple are now taking the legal action path,” Carson concluded.

Law enforcement

Another expert also noted the privacy challenge posed by firms such as NSO, but also pointed out that law enforcement agencies rely on its exploits to gather data on criminals.

“Apple is all about privacy, so when there is a company whose purpose is to find a backdoor into all of Apple’s products and devices, it is going to hurt,” said Jake Moore, cybersecurity specialist at ESET.

“Many people assume their devices are secure, and to the normal user, they are,” said Moore. “However, with some very sophisticated programming and a touch of social engineering, targeted victims could be struck with this infamous malware which can be extremely intrusive.”

“But the problem here is that the attackers using the software are not always cybercriminals trying to take to advantage of these impressive tactics,” Moore noted. “ Law enforcement agencies rely on such techniques to monitor threats and targets from afar with remarkable results.”

“Spyware is increasingly popular on both sides of the law and everyone should be aware of the tactics used,” said Moore. “Prevention such as using two separate phones may be extreme for most people, but high-profile potential victims need to be aware that their personal threat level may be heightened, as seen with politicians and other heads of state.”

“Apple may not make much headway in this case but it sends a message to the public that they are doing what they can to protect their users,” Moore concluded.