Apple is reportedly suing Pegasus spyware maker NSO Group. Along with promising new information about how NSO Group infected targeted iPhones via a zero-click exploit that researchers later dubbed ForcedEntry, Apple says it’s seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.
Senior VP of software engineering Craig Federighi didn’t mention sideloading this time but says in a statement: “State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change…Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous.”
Apple and WhatsApp aren’t alone in their push against NSO Group in court, as last year, tech companies including Microsoft and Google filed a brief supporting Facebook’s lawsuit.
In a press release Apple says: Pegasus spyware is designed to let governments remotely access a phone’s microphones, cameras, and other data on both iPhones and Androids. It’s also designed to be able to infect phones without requiring any action from the user and without leaving a trace, according to reports that came out earlier this year from a journalistic coalition called the Pegasus Project and Apple’s complaint.
Apple also cites reports that the spyware has been used against journalists, activists, and politicians, despite NSO’s claims that its governmental clients are forbidden from using the spyware against those sorts of targets. It’s understandable why Apple, the “what happens on your iPhone, stays on your iPhone” company, would be upset about its devices and services being used to carry out what it calls human rights abuses.
Apple’s senior director of commercial litigation Heather Grenier says in a statement to The New York Times the lawsuit is meant to be a stake in the ground, to send a clear signal that the company won’t allow its users to suffer this type of abuse. Part of Apple’s argument laid out in the complaint (PDF) is that NSO violated Apple’s terms of service because the group created more than one hundred Apple IDs to help it send data to targets.
The Court has personal jurisdiction over Defendants because, on information and belief, they created more than one hundred Apple IDs to carry out their attacks and also agreed to Apple’s iCloud Terms and Conditions (“iCloud Terms”), including a mandatory and enforceable forum selection and exclusive jurisdiction clause that constitutes express consent to the jurisdiction of this Court
Apple’s complaint breaks down how the attack worked: using the Apple IDs it created, NSO would send data to a target via iMessage (after determining that they were using an iPhone), which was maliciously crafted to turn off the iPhone’s logging. That would then let NSO secretly install the Pegasus spyware and control what was being collected on the phone. Apple says that the specific vulnerability that NSO was using was patched in iOS 14.8. The summary is that NSO was sending files that exploited a bug in how iMessage rendered GIFs and PDFs.
Apple says in its press release that, thanks to improvements it’s made to iOS 15 security, it has not observed any evidence of successful remote attacks against devices running iOS 15 and later versions. When the Pegasus Project was publishing its reports in July, Amnesty International said that the latest versions of iOS (at the time, iOS 14.6) were susceptible to attack.