Apple CEO Tim Cook delivers the keynote address during the 2020 Apple Worldwide Developers Conference (WWDC) at Steve Jobs Theater in Cupertino, California.
Brooks Kraft/Apple Inc/Handout via Reuters
Apple on Tuesday sued NSO Group, an Israeli firm that sells software to government agencies and law enforcement that enables them to hack iPhones and read the data on them, including messages and other communications.
Earlier this year, Amnesty International said it discovered recent-model iPhones belonging to journalists and human rights lawyers that had been infected with NSO Group malware called Pegasus.
Apple is seeking a permanent injunction to ban NSO Group from using Apple software, services, or devices. It’s also seeking damages over $75,000.
Apple considers the lawsuit to be a warning to other spyware vendors. “The steps Apple is taking today will send a clear message: in a free society, it is unacceptable to weaponize powerful state-sponsored spyware against innocent users and those who seek to make the world a better place,” said Ivan Krstic, Apple’s head of security engineering and architecture, in a tweet.
NSO Group software permits “attacks, including from sovereign governments that pay hundreds of millions of dollars to target and attack a tiny fraction of users with information of particular interest to NSO’s customers,” Apple said in the lawsuit filed in federal court in the Northern District of California, saying that it is not “ordinary consumer malware.”
Apple also said on Tuesday it has patched the flaws that enabled the NSO Group software to access private data on iPhones using “zero-click” attacks where the malware is delivered through a text message and leaves little trace of infection.
Pegasus’ users can remotely surveil the iPhone owner’s activities, collect emails, text messages and browsing history, and access the device’s microphone and camera, Apple alleged in its lawsuit.
Apple said the attacks were only targeted at a small number of customers, and said on Tuesday it will inform iPhone users that may have been targeted by Pegasus malware.
“To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device — allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge,” Apple said in its announcement. “Though misused to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the attacks.”
The NSO Group created Apple ID accounts and violated the iCloud terms of service to operate its spyware, Apple said.
NSO Group is accused of using “0day” bugs to create its spyware, or flaws that Apple has not yet fixed. Once Apple fixes an exploit, it’s no longer a 0day and users can protect themselves by updating their iPhone software.
Earlier this year, Amnesty International said that it found evidence of a hacked iPhone 12 and had obtained a leaked list of 50,000 phone numbers targeted by NSO Group software. NSO Group software is alleged to have been used to monitor relatives and people close to Jamal Khashoggi, a Washington Post columnist who was killed in Turkey by assassins working on behalf of Saudi Arabia.
Amnesty International also said it discovered NSO Group malware on the iPhones of a French human rights lawyer, a French activist, an Indian journalist and a Rwandan activist.
The U.S. Commerce Department blacklisted NSO Group earlier this month, prohibiting it from using American technology in its operations. Meta, formerly known as Facebook, subsidiary WhatsApp is also separately suing NSO Group.
Apple said it would donate $10 million as well as any damages from the lawsuit to organizations focusing on fighting digital surveillance.
NSO Group was not immediately available for comment. Earlier this year, a spokesperson said NSO sells its technology to law enforcement and intelligence agencies to prevent crime and terror acts, and that it vets its customers.