Apple is suing spyware developer NSO Group over allegations that it targeted Apple iPhone users and infected their devices with its Pegasus covert surveillance tool, and is seeking a permanent injunction to stop NSO from using any Apple software, services or devices.
The court action follows revelations that NSO sold Pegasus to governments that used it to target persons of interest, such as academics, activists, journalists, dissidents, government officials and political opponents.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice-president of software engineering.
“Apple devices are the most secure consumer hardware on the market – but private companies developing state-sponsored spyware have become even more dangerous. While these cyber security threats only impact a very small number of our customers, we take any attack on our users very seriously, and we are constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”
Apple commended the efforts of groups such as Citizen Lab and Amnesty Tech – both of which played a significant role in exposing NSO’s customers’ activities – for their work in identifying cyber surveillance abuse and protecting victims, and is undertaking to donate $10m to support organisations pursuing such work, as well as any damages it may receive if its action succeeds. It is also offering pro-bono technical support, threat intel and engineering assistance to Citizen Lab’s research mission.
“Mercenary spyware firms like NSO Group have facilitated some of the world’s worst human rights abuses and acts of transnational repression, while enriching themselves and their investors,” said Ron Deibert, director of the Citizen Lab at the University of Toronto.
“I applaud Apple for holding them accountable for their abuses, and hope in doing so Apple will help to bring justice to all who have been victimised by NSO Group’s reckless behaviour.”
Israel-based NSO Group continues to insist that its products are used for lawful surveillance of terrorists and other criminals, and that it carefully vets its customers.
However, since the scale of abuse of its product emerged over the summer, the organisation has come under increasing pressure, culminating in its blacklisting by the US government, while its new CEO, Itzik Benbenisti, decided to cut his losses and make a hurried exit barely two weeks after his appointment.
The company’s investors are also now running scared. Last week it emerged that some of its creditors – including asset management firms such as BlackRock – were working with law firms over their next steps. According to the Financial Times, the investors are trying to end their association with NSO by selling off their loans, but found nobody willing to take on the debt.
Earlier this week, credit ratings organisation Moody’s downgraded NSO’s corporate rating from B3 to Caa2 with a negative outlook, which it said reflected the company’s weakening liquidity profile, increasing risk, and a growing possibility that NSO will default on loans of about $500m.
Moody’s also noted that the allegations against NSO over the inappropriate use of its software, and the US ban, raised concerns for the agency over its control mechanisms and sales approach.
In its legal complaint, Apple also shared new information on the ForcedEntry exploit developed by NSO to break into its devices and infect them with Pegasus.
ForcedEntry – which was patched in September following its discovery by Citizen Lab during analysis of a Saudi activist’s smartphone – is tracked as CVE-2021-30860. It is an integer overflow vulnerability in the Apple CoreGraphics image rendering library.
Apple said NSO and its clients used ForcedEntry to attack its users with Pegasus using the “immense resources and capabilities of nation states”.
To exploit it, the attackers created Apple IDs to send data to their target’s device in the form of a maliciously crafted PDF file. The exploit enabled them to install Pegasus and gain control of the device’s microphone and camera, and to access sensitive data without the victim’s knowledge. Apple’s own servers were not attacked or compromised, so the majority of iPhone users have nothing to be concerned about.
Apple said it was constantly investing in its privacy and security protections, and that iOS 15, the most recent version, includes significant security upgrades, in particular to its BlastDoor security mechanism. The company said it has not seen any evidence of successful Pegasus attacks on any iOS devices running version 15 or later.
“At Apple, we are always working to defend our users against even the most complex cyber attacks,” said Ivan Krstić, head of Apple security engineering and architecture. “The steps we’re taking today will send a clear message: in a free society, it is unacceptable to weaponise powerful state-sponsored spyware against those who seek to make the world a better place.
“Our threat intelligence and engineering teams work around the clock to analyse new threats, rapidly patch vulnerabilities, and develop industry-leading new protections in our software and silicon. Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”