Apple announced Tuesday that it has sued Israel-based NSO Group over the use of its Pegasus spyware to attack Apple devices, the latest move in an escalating global campaign to curb surveillance abuses against smartphone users.
The NSO Group has repeatedly denied the conclusions of the Pegasus Project but also has been buffeted by a series of government and other actions fueled by the consortium’s findings, including a U.S. government decision earlier this month to blacklist the company.
NSO’s “notorious hackers” are “amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse,” Apple claims in the lawsuit, which was filed in federal court in the Northern District of California.
NSO long has defended itself by saying spyware is essential to combating crime and terrorism in a world in which most communications are encrypted, making traditional wiretapping all but impossible. Breaking into a particular device, by contrast, allows police and spies to monitor the activities of individuals they are targeting — even when they use WhatsApp, Signal or other encrypted communications tools. The company has said it licenses Pegasus to dozens of military, intelligence and law enforcement agencies around the world but not before vetting its clients.
“Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers,” NSO spokesman Oded Hershkovitz said in a statement Tuesday. “Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO group will continue to advocate for the truth.”
Apple’s legal move follows a similar lawsuit by the Facebook-owned messaging service WhatsApp in 2019 that accused NSO of targeting 1,400 of its users with spyware. A U.S. appeals court ruled this month that the suit can proceed.
Those seeking to curb the use of spyware praised the growing use of lawsuits and other legal tools to combat NSO and similar companies, calling such moves key to challenging an industry capable of developing a seemingly endless number of new ways to attack phones and other computerized devices. It’s a cat-and-mouse game that defenders — even at giant technology companies — are doomed to lose given the sprawling and ever-changing nature of software, experts say.
“You’re never going to get rid of all of the exploits,” said Johns Hopkins security researcher Matthew D. Green, using a common term for the software weaknesses exploited by hackers. He said lawsuits make it harder for companies like NSO Group to make big profits. “When companies like Apple turn on NSO and make it so that [surveillance] is not a profitable activity anymore, that’s a good thing.”
In announcing its lawsuit, Apple singled out a particular attack on iPhones called FORCEDENTRY that had been discovered by researchers for Citizen Lab, a technology research group at the University of Toronto that has long worked to detail abuses of Pegasus. Apple released a patch for the vulnerability shortly after Citizen Lab reported it to the company in September.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” Craig Federighi, Apple’s senior vice president of software engineering, said in a blog post announcing the lawsuit.
“Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous,” he wrote. “While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”
Among the findings of the Pegasus Project was that iPhones, despite their reputation for strong security compared with some other smartphones, had weaknesses that the NSO Group had learned to exploit to deliver spyware to the phones of targets.
In some cases NSO customers delivered Pegasus in such a stealthy way that users got no alert and needed to take no action in order for an infection to begin on their devices. Such “zero-click attacks” were an advance over previous generations that relied on users clicking on malicious links in text messages or other communication on their devices.
Once inside, Pegasus turned smartphones into sophisticated spying devices, revealing their locations, communications, pictures and other information. Pegasus, which also can be used to target Android devices, can activate microphones and cameras without users knowing.
The lawsuit accuses NSO of enabling customers to target U.S. citizens, despite the company’s pledge that its spyware “cannot be used to conduct cybersurveillance within the United States.”
Apple also said it was donating $10 million to support cybersecurity researchers and advocates against spyware. The company also said in its blog post that it had made recent improvements in its latest mobile operating system, iOS 15, and in particular to its BlastDoor feature that’s intended to defend against malware, including Pegasus. It also is notifying users successfully attacked using the FORCEDENTRY exploit.
But by taking the fight to federal court, Apple has signaled that it is moving beyond technical approaches to combating spyware to challenging the companies that make such hacking easy to execute, even for governments without advanced technological abilities.
“What Apple has done … is putting NSO’s business model into the toxic category for all but the most unscrupulous investors,” said John Scott-Railton, a senior researcher at Citizen Lab.
Apple is suing under the Computer Fraud and Abuse Act, which was enacted in 1986, long before anyone imagined the interconnected world of mobile computing that now dominates everything from commerce to pop culture.
Legal experts say it’s still unclear whether the law, which prohibits anyone from “intentionally accessing a computer without authorization,” applies to companies like NSO Group. The company has argued in other lawsuits, including the one filed by WhatsApp, that it does not.
“It’s something that is sort of cutting-edge when it comes to computer law,” said Tor Ekeland, a defense attorney who often represents clients accused of hacking offenses.
Apple also attempts to thread a legal needle, acknowledging that Apple itself wasn’t the target of the hacks, but that it was still victimized because NSO abused “Apple services and servers to perpetrate attacks on Apple’s users and data stored on users’ devices.” That may be an overreach, said Orin Kerr, a University of California, Berkeley professor who focuses on computer crime law. “Suing a company based on hacking somebody else’s computer is pretty novel,” he said.
The legal complaint argues that the federal court in Northern California has jurisdiction in the case because NSO allegedly “created more than one hundred Apple IDs to carry out their attacks and also agreed to Apple’s iCloud Terms and Conditions (‘iCloud Terms’), including a mandatory and enforceable forum selection and exclusive jurisdiction clause that constitutes express consent to the jurisdiction of this Court.” Apple is based in Cupertino, Calif.
NSO has suffered a series of devastating blows in the months since the Pegasus Project investigation. This month, after the Commerce Department added the company to its red-flagged “entity list,” NSO’s new chief executive announced his resignation after only two weeks in the role. The U.S. government action has been seen as a Biden administration rebuke to the Israeli government, which approves all NSO Group exports — essentially dictating which countries can use Pegasus — but failed to prevent the abuses detailed in the Pegasus Project.
The company also faces significant financial peril. The credit rating agency Moody’s downgraded the company Monday, saying it faced an “increased risk” of default on hundreds of millions of dollars in debt.
In recent months, an internal investigation discovered traces of Pegasus spyware in the phones of five French cabinet ministers. And in the United Kingdom, a High Court judgment last month confirmed that the phones of Princess Haya, the ex-wife of Dubai’s ruler, as well as those of her legal and security advisers had been targeted with a Pegasus hack.
The White House raised concerns about NSO’s spyware to the Israeli government in July. Beyond the Commerce Department’s blacklist, members of Congress have also pushed for more severe financial sanctions and other measures to combat the spyware’s abuse.