Apple is suing an “abusive” Israeli software firm whose spyware has been used by numerous totalitarian governments to spy on journalists, human rights activists, and other persons of interest.
The technology giant this month filed a lawsuit against Tel Aviv firm NSO Group and its parent company, Q Cyber Technologies, seeking damages and a permanent ban preventing the group from using any Apple software, services, or devices.
As part of its campaign against NSO, Apple will fund and provide technical support for anti-surveillance technology groups.
NSO’s use of FORCEDENTRY – a now-fixed vulnerability that can bypass security controls in Apple’s iOS operating system – enabled it to install Pegasus spyware on targeted iPhones without the victim’s knowledge.
Once installed, Pegasus monitors iPhone activity and communications over iMessage, FaceTime, and third-party software like Facebook and WhatsApp.
Pegasus is putatively designed to support law-enforcement agencies, and NSO claims to “hold ourselves to the highest standards for ethical businesses”, but its historical sales to governments such as Bahrain, Panama, Dubai, and Saudi Arabia – which used it to surveil Washington Post journalist Jamal Khashoggi before he was murdered – have drawn widespread condemnation.
In July, a major multinational investigation, called the Pegasus Project, united 16 media outlets to investigate NSO Group and found a list of 50,000 journalists and politicians targeted by its clients.
More recently, Pegasus was found on the devices of six Palestinian human-rights activists.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability,” said Apple senior vice president of software engineering Craig Federighi in announcing the lawsuit, which also seeks damages for “flagrant violations of US federal and state law”.
“Private companies developing state-sponsored spyware have become even more dangerous,” Federighi said, lauding the efforts of security researchers at the University of Toronto’s Citizen Lab – who discovered that the ‘zero-click’ Pegasus malware can be installed without any interaction, and that it seemed to have been in use since 2013, when iOS version 7 was the state of the art.
“Mercenary spyware firms like NSO Group have facilitated some of the world’s worst human rights abuses and acts of transnational repression,” Citizen Lab director Ron Deibert said as the Apple lawsuit was announced.
Apple also committed $10 million, plus any damages awarded, to support Citizen Lab and similar groups conducting ‘cybersurveillance research and advocacy’ – to which it will also lend pro-bono technical, threat intelligence, and engineering assistance.
Blood on their hands
The sophistication of Pegasus has highlighted the danger when nation-state sponsored technologies leak into the private sector – and stoked uncomfortable conversations within Israel’s fast-growing cyber security industry, in which many cyber security innovators were trained by a military complex well-versed in offensive cyber capabilities.
The Israel Defence Force (IDF) has long concentrated cyber security expertise in teams like its Unit 8200 signals-intelligence unit and red-teaming cyber unit, which actively develops and uses new methods to breach targets’ security.
This capability “is a cooperative state of mind that actually helped to construct one of the most critical capabilities to the State of Israel,” Reuven Aronashvilli, a former IDF red-team specialist who subsequently founded offensive cyber security firm CYE, told Information Age as the company expands into Australia.
“There are things you see at a government level, like the next zero-day or backdoor to one of the largest organisations worldwide, that might not be used on a commercial [target] because it’s too expensive,” Aronashvilli explained, “but those things usually come to the commercial world two to three years later than on the government side.”
“The capability that you have in government to attack any kind of organisation is almost unlimited.”
Apple’s lawsuit comes just weeks after the United States government added NSO Group and fellow Israeli spyware maker Candiru – seemingly named after a notorious parasitic fish – to its Bureau of Industry and Security (BIS) Entity List of ‘parties of concern’.
The list imposes strict restrictions on organisations whose activities are “contrary to US national security and/or foreign policy interests”.
“Investigative information has shown,” the BIS noted, “that the Israeli companies NSO Group and Candiru developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”
Other firms added to the list in November included Russian company Positive Technologies and Singapore-based Computer Security Initiative Consultancy Pte Ltd.
Ultimately, punitive actions are intended to expose and stop “abusive state-sponsored actors like NSO Group,” said Ivan Krstić, head of Apple Security Engineering and Architecture.
“The steps we’re taking today will send a clear message that in a free society, it is unacceptable to weaponise powerful state-sponsored spyware against those who seek to make the world a better place.”