Apple Sues NSO Group for Installing iPhone Spyware

Israeli developers NSO Group are facing legal action from Apple in order to “curb the abuse of state-sponsored spyware” installed on iPhones and other networked gadgets. A press release on the Apple website explains:

Apple today filed a lawsuit against NSO Group and its parent company to hold it accountable for the surveillance and targeting of Apple users. The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware. To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.

Apple say they make “the most secure mobile devices on the market” but will have been troubled by press coverage focusing on the exploitation of iPhone vulnerabilities by NSO Group spyware.

Apple’s legal complaint provides new information on NSO Group’s FORCEDENTRY, an exploit for a now-patched vulnerability previously used to break into a victim’s Apple device and install the latest version of NSO Group’s spyware product, Pegasus. The exploit was originally identified by the Citizen Lab, a research group at the University of Toronto.

The spyware was used to attack a small number of Apple users worldwide with dangerous malware and spyware. Apple’s lawsuit seeks to ban NSO Group from further harming individuals by using Apple’s products and services. The lawsuit also seeks redress for NSO Group’s flagrant violations of US federal and state law, arising out of its efforts to target and attack Apple and its users.

NSO Group says they sell software to law enforcement agencies so it can be legally used to identify terrorists and pedophiles. However, there has been a string of revelations about their Pegasus spyware being used for reasons that fewer would approve of, such as the surveillance of journalists. Apple contends that NSO Group is leveraging the power of governments to win a ‘continual arms race’ by making it prohibitively expensive for a private sector business to secure the products they sell to consumers.

NSO Group and its clients devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices.

The strength of Apple’s legal arguments is unclear. The customers of NSO Group are the same governments that decide what the law should be. When a government decides it must act to defend national security, it will be difficult to stop them, or to receive compensation for abuses, even if the government is disobeying the rule of law. The NSO Group can argue they are not responsible for the ways their software has been abused by agencies who are nominally responsible for upholding the law. Nevertheless, Apple’s lawsuit, which is filed in the state of California, will argue that NSO Group technology invites the abuse of privacy.

[The] defendants are notorious hackers — amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse. They design, develop, sell, deliver, deploy, operate, and maintain offensive and destructive malware and spyware products and services that have been used to target, attack, and harm Apple users, Apple products, and Apple. For their own commercial gain, they enable their customers to abuse those products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even U.S. citizens.

Some commentators have questioned whether Apple will succeed with claims that rely on the Computer Fraud and Abuse Act, a US law which dates back to 1986 and which prohibits unauthorized use of computers. The devices that were accessed were sold by Apple but do not belong to Apple any more, and NSO Group was given authorization by the law enforcement bodies that are their customers, raising several questions about why NSO Group should pay damages to Apple. In their legal filing, Apple asserts that they retain ownership of operating system software that they license to customers. They may have a stronger argument when they maintain that NSO Group has breached its contract with Apple. NSO Group created “more than one hundred” accounts for Apple’s cloud-based services, and so accepted the terms for using those accounts. The accounts were then used by NSO Group to distribute their spyware, which appears to be a straightforward violation of several clauses in the standard terms.

Sentiment will be in Apple’s favor following the decision of the Biden Administration to blacklist NSO Group at the beginning of November. This represented condemnation of both NSO Group and the Israeli government that allows them to operate. There are many examples of blacklisted companies, like Huawei, which are overseen by governments hostile to the USA, but this is a rare example of the US government blacklisting a company from an allied country. A statement from the US Department of Commerce justified the decision by stating NSO Group…

…developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.

It will be interesting to see which legal arguments prevail as Apple seeks to defend the reputation of its products against the growing public perception that any handset can be subverted by contract hackers like NSO Group. Whether Apple wins or not, there is increasing skepticism about governments playing by their own rules and respecting the privacy of law-abiding citizens. That means Apple is making a wise choice by signaling whose side they are on.

The full text of Apple’s legal complaint can be found here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.