Canadian Cyber Researchers Commended as Spyware Threats Trigger Apple Lawsuit

By: Lee Rickwood

December 10, 2021

In response to global reports about its mobile devices being hacked by sophisticated spyware, Apple has launched a lawsuit against one of the many companies developing such products.

Apple also announced a $10 million contribution to support cyber-surveillance investigators, such as those working at Citizen Lab, the cyber-research lab based at the University of Toronto.

Apple’s lawsuit is filed against the Israeli-based NSO Group, a subsidiary of Q Cyber Technologies. Apple says it wants to hold the company accountable for the surveillance and targeting of its customers and device users.

While Apple is taking a strong stand in its lawsuit, NSO Group is but one of a growing number of private companies developing state-sponsored spyware tools that have become even more dangerous. NSO is also just one of the software developers being sued for alleged illegal tracking and surveillance of individuals’ cellphones.

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering.

NSO develops various cyber-capabilities for its client base, including what is called “highly sophisticated espionage software”. Code-named Pegasus, the software can be installed on a mobile device without the consent or even knowledge of a targeted user.

Then it acts almost like a remote control, allowing surreptitious access to functions and locations and communications on the targeted device, including iMessage, Gmail, Facebook, WhatsApp, Telegram and Skype. It can collect Wi-Fi passwords as well as audio and video.

Apple says the attacks are only aimed at a very small number of users but quickly adds that the attacks impact people across multiple platforms, including iOS and Android. Researchers at Citizen Lab and elsewhere have documented the spyware being used to target journalists, activists, dissidents, academics and government officials.

Apple’s lawsuit provides new information on just how the NSO Group infected targeted devices with its Pegasus spyware, describing what is now a patched vulnerability in its devices. The so-called ‘zero click’ exploit (because the device owner does not need to do anything to enable the software, nor could they prevent it) has been dubbed FORCEDENTRY; it was originally identified by Citizen Lab.

To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.

Apple has commended groups like Citizen Lab and Amnesty Tech, which was involved in another lawsuit against NSO, for their work to identify cyber-surveillance abuses and help protect victims. To further strengthen efforts like these, Apple will be contributing $10 million, as well as any damages from the lawsuit, to organizations pursuing cyber-surveillance research and advocacy.

Apple will also support researchers at Citizen Lab (and other organizations doing similar work) with pro-bono technical, threat intelligence, and engineering assistance to aid their independent research mission.

Citizen Lab researchers discovered the zero-day zero-click exploit against iMessage, which it said targets Apple’s image rendering library, and was effective against Apple iOS, macOS and watchOS devices. Forensic analysis of two iPhones belonging to a journalist at The New York Times who was targeted in 2018 by a Pegasus operator.

“Mercenary spyware firms like NSO Group have facilitated some of the world’s worst human rights abuses and acts of transnational repression, while enriching themselves and their investors,” said Ron Deibert, director of the Citizen Lab at the University of Toronto. “I applaud Apple for holding them accountable for their abuses, and hope in doing so Apple will help to bring justice to all who have been victimized by NSO Group’s reckless behaviour.”

Apple will also be sending warnings to owners of hacked devices.

“Apple threat notifications are designed to inform and assist users who may have been targeted by state-sponsored attackers,” explained the company in a statement. It also spelled out how users will be notified:

  • A Threat Notification is displayed at the top of the page after the user signs into appleid.apple.com.
  • Apple sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

Apple does warn that the system will not be perfect:

“State-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time. Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected.”

The company added that it is unable to provide information about what causes threat notifications to be issued, as that could help attackers adapt their behaviour to evade detection in the future.

-30-

