Apple has now joined WhatsApp and its parent company Meta (formerly known as Facebook) in suing NSO Group, the maker of Pegasus spyware. Apple says it’s “seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices,” along with promising new information about how NSO Group infected targeted iPhones via a zero-click exploit that researchers later dubbed ForcedEntry.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability,” says Senior Vice President of Software Engineering Craig Federighi in a statement.
Source: www.theverge.com
That must be changed… Apple products are the safest consumer electronics on the market, but private companies that create state-sponsored spyware have become even more dangerous.” Apple and WhatsApp aren’t alone in their legal battle with NSO Group; last year, Microsoft and Google joined Apple and WhatsApp in supporting Facebook’s lawsuit.
According to Apple’s press release, Pegasus spyware is designed to allow governments to remotely access a phone’s microphones, cameras, and other data on both iPhones and Androids. According to reports from a journalistic coalition called the Pegasus Project and Apple’s complaint from earlier this year, it’s also designed to infect phones without requiring any action from the user and without leaving a trace.
Forced Entry Exploit By NSO Group
Despite NSO’s claims that its governmental clients are prohibited from using the spyware against journalists, activists, and politicians, Apple cites reports that the spyware has been used against them. It’s understandable that Apple, the company that says “what happens on your iPhone, stays on your iPhone,” would be irritated by its devices and services being used to commit “human rights abuses.”
In a statement to The New York Times, Apple’s senior director of commercial litigation Heather Grenier says the lawsuit is a “stake in the ground” meant to send a “clear signal” that the company will not tolerate “this type of abuse.” Apple claims that NSO violated Apple’s terms of service by creating “more than one hundred” Apple IDs to help it send data to targets, according to the complaint (PDF).
The Court has personal jurisdiction over Defendants because, according to information and belief, they created over one hundred Apple IDs to carry out their attacks and also agreed to Apple’s iCloud Terms and Conditions (“iCloud Terms”), which include a mandatory and enforceable forum selection and exclusive jurisdiction clause that constitutes express consent to this Court’s jurisdiction.
Apple’s complaint explains how the attack worked: NSO would send data to a target via iMessage (after determining that they were using an iPhone) that was maliciously crafted to turn off the iPhone’s logging using the Apple IDs it created. This would allow NSO to install the Pegasus spyware invisibly and control the data collected on the phone. According to Apple, the vulnerability that NSO was exploiting was fixed in iOS 14.8, which you can learn more about here. In short, NSO was sending files that took advantage of a flaw in the way iMessage handled GIFs and PDFs.
“We have not observed any evidence of successful remote attacks against devices running iOS 15 and later versions,” Apple says in a press release, citing improvements to iOS 15 security. Amnesty International stated in July when the Pegasus Project released its reports, that the latest versions of iOS (at the time, iOS 14.6) were vulnerable to attack.
Apple’s Persistent Efforts to Protect Its Customers
A number of new security features are included in iOS 15, including significant improvements to the BlastDoor security mechanism. While the NSO Group spyware is still evolving, Apple has yet to see any evidence of successful remote attacks on iOS 15 and later devices. Apple encourages all iPhone users to update their devices and always use the most up-to-date software.
In addition to the lawsuit against NSO, Apple says it will financially and technically support “organizations pursuing cyber-surveillance research and advocacy.” Citizen Lab, a group of researchers who were involved with the Pegasus Project and helped Apple discover and patch NSO’s exploits, has pledged to give free “technical, threat intelligence, and engineering assistance” to Apple in exchange for $10 million (plus any damages it wins from its lawsuit). Apple also says that “where appropriate,” it will do the same for other organizations.
NSO was recently added to the US Entity List, limiting the ways in which American companies can sell or provide technology to NSO. According to a report by the MIT Technology Review, the sanction has had a significant negative impact on NSO Group’s employee morale as well as its ability to conduct business. According to the report, the company must obtain permission from the US government to purchase items such as Windows laptops and iPhones, and the government has stated that its default decision is to deny such requests.
