Apple sues NSO Group for attacking iPhones with Pegasus spyware

Apple wants to block NSO Group from using any of its technology

Illustration by Alex Castro / The Verge

Now Apple has followed WhatsApp and its parent company Meta (formerly known as Facebook) in suing Pegasus spyware maker NSO Group. Along with promising new information about how NSO Group infected targeted iPhones via a zero-click exploit that researchers later dubbed ForcedEntry, Apple says it’s “seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.”

Senior VP of software engineering Craig Federighi didn’t mention sideloading this time but says in a statement, “State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change...Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous.” Apple and WhatsApp aren’t alone in their push against NSO Group in court, as last year, tech companies including Microsoft and Google filed a brief supporting Facebook’s lawsuit.

Pegasus spyware is designed to let governments remotely access a phone’s microphones, cameras, and other data on both iPhones and Androids, according to Apple’s press release. It’s also designed to be able to infect phones without requiring any action from the user and without leaving a trace, according to Apple’s complaint and reports that came out earlier this year from a journalistic coalition called the Pegasus Project.

Apple also cites reports that the spyware has been used against journalists, activists, and politicians, despite NSO’s claims that its governmental clients are forbidden from using the spyware against those sorts of targets. It’s understandable why Apple, the “what happens on your iPhone, stays on your iPhone” company, would be upset about its devices and services being used to carry out what it calls “human rights abuses.”

Apple’s senior director of commercial litigation Heather Grenier says in a statement to The New York Times the lawsuit is meant to be a “stake in the ground, to send a clear signal” that the company won’t allow its users to suffer “this type of abuse.” Part of Apple’s argument laid out in the complaint (PDF) is that NSO violated Apple’s terms of service because the group created “more than one hundred” Apple IDs to help it send data to targets.

The Court has personal jurisdiction over Defendants because, on information and belief, they created more than one hundred Apple IDs to carry out their attacks and also agreed to Apple’s iCloud Terms and Conditions (“iCloud Terms”), including a mandatory and enforceable forum selection and exclusive jurisdiction clause that constitutes express consent to the jurisdiction of this Court

Apple’s complaint breaks down how the attack worked: using the Apple IDs it had created, NSO would send a target data via iMessage (after determining that they were using an iPhone) that was maliciously crafted to turn off the iPhone’s logging. That would then let NSO secretly install the Pegasus spyware and control what was being collected on the phone. Apple says that the specific vulnerability that NSO was using was patched in iOS 14.8, which you can read more about here. The summary is that NSO was sending files that exploited a bug in how iMessage rendered GIFs and PDFs.

Apple says in its press release that, thanks to improvements it’s made to iOS 15 security, it “has not observed any evidence of successful remote attacks against devices running iOS 15 and later versions.” When the Pegasus Project was publishing its reports in July, Amnesty International said that the latest versions of iOS (at the time iOS 14.6) were susceptible to attack.

For more information about the reporting done on Pegasus, its capabilities, and its potential targets, see our explainer.

In addition to its lawsuit against NSO, Apple says it’ll be supporting “organizations pursuing cybersurveillance research and advocacy,” both financially and with technical resources. The company says it’ll distribute $10 million (plus any damages it wins from its lawsuit) to groups working on counter-surveillance and pledges in its press release to give free “technical, threat intelligence, and engineering assistance” to Citizen Lab, a group of researchers that were involved with the Pegasus Project and that helped Apple discover and patch NSO’s exploits. Apple also says it’ll do the same for other organizations “where appropriate.”

NSO was recently added to the US Entity List, which limits the ways American companies can sell or provide their technology to the company. According to a report by the MIT Technology Review, the sanction has been seriously detrimental both to employee morale at NSO Group and to the company’s ability to do business. The report says the company has to request permission from the US government to purchase items like laptops running Windows and iPhones, and that the government has said its default decision would be to turn down those requests.

Updated November 23rd, 3:36PM ET: Added context about sanctions against NSO, and the alleged misuse of Pegasus.