“In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” Apple’s head of Security Engineering and Architecture Ivan Krstić said as the company filed a lawsuit against Israel-based NSO Group and its parent company for the surveillance and targeting of Apple users with the Pegasus spyware.
In its lawsuit, Apple sought a permanent injunction to ban NSO Group from using any Apple software, services, or devices, and for the company to delete all information it collected from Apple users.
The NSO Group has always maintained that it only sells Pegasus, which allows full remote surveillance of the targets’ phones, to governments for national security purposes. But earlier in July, an international consortium of media organisations revealed that political leaders, journalists, human rights activists, businessmen, military officials, intelligence agency officials, and several others were targeted by the Pegasus spyware.
While Pegasus was used to target both iPhones and Android devices, researchers were able to find more evidence of the spyware on iPhones because of the auditable logs that iOS maintains, Amnesty International’s Security Lab, which analysed many of the targeted phones, said.
What does Apple argue in its lawsuit?
A. Apple provides market-leading security to its users
- iPhones are highly personal devices and Apple keeps them as secure as possible: “Apple designed iPhone with the knowledge and intention that it would be a highly personal device” and “accordingly, Apple invested a massive amount in researching and developing industry-leading security protections that would make iPhone as secure as possible,” the lawsuit reads.
- Examples of the high security standards: Apple cited examples of security features such as BlastDoor, secure boot, and Secure Enclave to illustrate that the iPhone has high security standards. The company also explained that it provides “multiple layers of protection to help ensure that the third-party apps that run on its operating systems are free of known malware and have not been tampered with.”
- iPhone safer than Android: “Experts agree that iPhone and iOS are safer and more secure than the competition. An estimated 98 percent of mobile malware targets Android devices, rather than iPhone,” the lawsuit claims.
- Very few exceptional malware attacks are successful: Apple argued that because of its high security only “very few truly exceptional malware attacks” on Apple devices are successful and that these attacks are carried out by “highly sophisticated parties with extraordinary resources and capabilities” such as nation-states and companies that do business with them.
B. NSO’s exploits target and attack Apple, Apple Devices, and Apple Users
- What can Pegasus do? NSO describes Pegasus as a “cyber intelligence solution that enables [clients] … to remotely and covertly extract valuable intelligence from virtually any mobile device,” Apple’s lawsuit states. Pegasus is remotely installed on a device through fraud or deception, and NSO and its clients can then issue commands to remotely surveil the device owner’s activities and communications and to steal and transmit the owner’s personal data, Apple explains. “Pegasus can record using a device’s microphone and camera, track the phone’s location data, and collect emails, text messages, browsing history, and a host of other information accessible through the device,” Apple said.
- Preventing crime is not the only use case: “While Defendants claim that their technology helps prevent crime, the U.S. Government’s addition of NSO to the Entity List makes clear that laudable uses of this technology are not the only ones that NSO permits. […] Defendants conceal the enormous amounts of money they make from it and the despicable ways it is put to use,” Apple claimed.
- Who was targeted by Pegasus? Citing Wall Street Journal’s reports from July, Apple said that the NSO and its clients deployed Pegasus to “surveil scores of individuals, including journalists, human rights activists, government officials, and dissidents across more than 50 countries.”
- NSO must have used Apple devices and services to develop spyware: NSO Group must have studied Apple systems to discern new ways to attack Apple devices and must have used Apple devices, created Apple ID accounts, and agreed to the iCloud Terms in furtherance of this effort, Apple argued.
- NSO used FORCEDENTRY exploit to install spyware: From February to September 2021, NSO deployed Pegasus on iPhones using an exploit that University of Toronto-based Citizen Lab found and named FORCEDENTRY. This exploit allowed NSO to install the spyware on target devices without any action or awareness from the user because it is a “zero-click” exploit, Apple explained.
- NSO used Apple IDs and iMessage to deliver spyware: NSO created more than one hundred Apple IDs to use in their deployment of FORCEDENTRY. NSO used these Apple IDs to contact Apple servers in the United States and abroad to identify other Apple devices. Then it would send the abusive data to the target phone through Apple’s iMessage service, which disabled logging on a targeted Apple device and allowed NSO to “surreptitiously deliver the Pegasus payload via a larger file,” Apple explained. Though misused to deliver Pegasus, Apple servers were not hacked or compromised in the attacks, the company clarified.
- NSO provides consulting services to its clients: After Pegasus is installed on the target device, it would allow the operator to issue commands to the device. NSO Group provides “consulting and expert services to their clients, assist them with their deployment and use of Pegasus, and participate in their attacks on Apple devices, servers, and users,” Apple alleges.
- NSO’s activities are highly lucrative: “NSO reportedly has revenue and earnings in the hundreds of millions of dollars from its spyware products and services […] and it has asked for fees in excess of one hundred million dollars for a single license and charges tens of millions of dollars per customer for its products and services,” Apple claims.
C. NSO’s actions have injured Apple and its users
- Pegasus harms Apple’s goodwill, products, and users: NSO’s Pegasus and other spyware cause “harm to Apple’s goodwill, products and property, as well as Apple users’ products and property,” the company states.
- NSO actions force Apple to incur costs and devote resources: NSO’s actions “injured, harmed, and caused damages to Apple by forcing it to incur costs and to devote personnel, resources, and time to identifying and investigating the attacks and exploits; developing and deploying security patches and software upgrades; communicating with Apple personnel and users regarding such attacks, exploits, patches, and upgrades; increasing security measures to detect and prevent future attacks; and assessing and responding to legal exposure,” the lawsuit states. As an example, Apple stated how its employees had to work thousands of hours to fix the FORCEDENTRY exploit. Apple also has been spending time and resources responding to government inquiries concerning the attacks, the company added.
- NSO forces Apple to engage in a continual arms race: Even as Apple develops solutions for exploits, NSO constantly updates its exploits to overcome them. “These constant recovery and prevention efforts require significant resources and impose huge costs on Apple,” the company stated. “Defendants’ unlawful malware activities have caused and continue to cause Apple significant damages in excess of $75,000 and in an amount to be proven at trial,” the lawsuit claims.
On what counts?
- Violations of the Computer Fraud and Abuse Act: Apple argues that NSO accessed Apple devices without authorisation and obtained valuable user data, used information from Apple’s servers to install highly invasive spyware, and caused damage to Apple and its users, all in violation of various sections of the Computer Fraud and Abuse Act.
- Violations of California Business and Professions Code: Apple alleged that the actions described above constitute unlawful acts or practices in the conduct of business, in violation of California’s Business and Professions Code Section 17200.
- Breach Of Contract: Apple argued that NSO Group created multiple iCloud accounts and in doing so agreed to iCloud Terms, but its actions have breached various provisions of the terms.
- Unjust Enrichment: Apple alleges that NSO “received a benefit by profiting from the personal data they wrongfully obtained from Apple’s users’ devices through the improper use of Apple’s servers” and that the benefit came at Apple’s expense since it “lost money and property in the form of, among other things, costs to investigate, remediate, and prevent Defendants’ wrongdoing, and has suffered injury to its reputation, public trust, and goodwill.”
What is Apple seeking?
In its prayer for relief, Apple has requested judgement against NSO as follows:
- Injunction from using Apple products and services: A permanent injunction restraining Defendants from accessing and using any Apple servers, devices, hardware, software, applications, or other Apple products or services
- Injunction to identify the location of all information obtained from Apple users: A permanent injunction requiring Defendants to identify the location of any and all information obtained from any Apple users’ Apple devices, hardware, software, applications, or other Apple products—and to delete all such information, and to identify any and all entities with whom Defendants shared such information
- Injunction restraining NSO from making spyware for Apple devices: A permanent injunction restraining Defendants from developing, distributing, using, and/or causing or enabling others to use any spyware, malware or other malicious devices on Apple devices, hardware, software, applications, or other Apple products or services without Apple’s (and, if applicable, the relevant Apple user’s) consent.
- Compensatory damages in an amount to be proven at trial
- Punitive damages
- Account of profits derived: An accounting of each Defendant’s profits resulting from the conduct alleged above;
- Disgorgement of Defendants’ profits resulting from the conduct alleged above;
- Any other such further relief as this Court deems just and proper.
What else did Apple say?
- Apple will contribute $10 million to cybersurveillance research: Commending groups like Citizen Lab and AmnestyTech for their work to identify cybersurveillance abuses and help protect victims, Apple said that it will contribute $10 million, as well as any money gained from the lawsuit, to organisations pursuing cybersurveillance research and advocacy.
- Apple will help researchers pro-bono: Apple said it will support the researchers at the Citizen Lab “with pro-bono technical, threat intelligence, and engineering assistance to aid their independent research mission, and where appropriate, will offer the same assistance to other organizations doing critical work in this space.”
“Mercenary spyware firms like NSO Group have facilitated some of the world’s worst human rights abuses and acts of transnational repression, while enriching themselves and their investors. I applaud Apple for holding them accountable for their abuses, and hope in doing so Apple will help to bring justice to all who have been victimized by NSO Group’s reckless behavior.” – Ron Deibert, director of the Citizen Lab at the University of Toronto.
- Will notify users targeted by state-sponsored spyware attack: Apple said it is notifying the small number of users that may have been targeted by FORCEDENTRY and that any time the company discovers activity consistent with a state-sponsored spyware attack, it will notify the affected users in accordance with best industry practices.
- Upgrade to iOS 15: Apple also used the announcement to point out that iOS 15 includes a number of security protections that NSO has not exploited yet, or at least that Apple has not observed any instances of such exploitation, and urged users to update their iPhones.
WhatsApp has filed a lawsuit against NSO as well
Apple is not alone in suing the NSO Group. Facebook in 2019 filed a lawsuit against NSO for exploiting a since-fixed vulnerability in WhatsApp that allowed attackers to plant spyware in users’ phones just by ringing their target’s device.
However, NSO Group argued that the lawsuit should not be allowed as the company enjoys “sovereign immunity” because of the status of the governments to whom they sell their products and services. But a US Court on November 9 dismissed the NSO Group’s immunity claims and allowed Facebook’s lawsuit to proceed. Other high-profile tech companies including Microsoft and Google have filed an amicus brief in support of this lawsuit.
In response to Apple’s lawsuit, WhatsApp CEO Will Cathcart tweeted:
Very glad to see Apple join the effort to hold spyware companies accountable. We’ve long called for industry action against NSO and today’s lawsuit shows that technology providers are united in fighting spyware and ensuring more security for our users.
How will this lawsuit impact NSO Group?
In a Twitter thread, John Scott-Railton, Senior Researcher at Citizen Lab, lays out why this lawsuit is a “massive blow to the company notorious for selling spyware to dictators.”
11/ It would take a huge internal effort for a massive company to undertake any one of these:
✔ Civil society support. @apple did it all at once.
There are unsung heroes in this story.
— John Scott-Railton (@jsrailton) November 23, 2021
What is happening in India after the Pegasus revelations?
While India has long been suspected of being a Pegasus buyer, the scale and nature of surveillance it has embarked upon, and the targets it seems to have picked, don’t appear to indicate national security concerns, but rather surveillance of those who are critical of the government.
The Supreme Court in October constituted an expert committee to investigate the usage of Pegasus by the Government of India against its own citizens. Citing national security concerns “does not mean that the state gets a free pass,” the court said.
In response to Apple’s lawsuit, M.K. Venu, founding editor of The Wire, whose phone was infected by the spyware, tweeted:
“If Apple, which is suing NSO, publicly shares its own researched findings before the California court on how Pegasus breached its operating system, it could help both SC committee and Lokur Commission understand how the spyware worked in India and elsewhere!”
- “Defendants are notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse.” – Lawsuit
- “NSO is the antithesis of what Apple represents in terms of security and privacy. While Apple creates products to serve and protect its users, NSO targets and attempts to exploit those products to harm Apple and its users.” – Lawsuit
- “NSO’s products are not ordinary consumer malware. NSO has no interest in serving up annoying pop-up ads or even spoofing your bank in order to siphon money from your checking account. NSO’s products are far more insidious and often highly sophisticated. […] Average consumers are not of interest to or attacked by NSO or its customers.” – Lawsuit
- “State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change.” – Craig Federighi, Apple’s senior vice president of Software Engineering.