Apple has punched back against the “amoral” surveillance as a service industry of smartphone snoopers, filing suit against the NSO Group and its owner, Q Cyber Technologies, and taking steps to further secure digital lives.
Why this should matter to your business
Israeli firm NSO Group is a spyware firm that provides surveillance services to governments. It effectively privatizes state-sponsored snooping and enables even the most repressive government to outsource such tasks. It has been widely reported that software from NSO Group was used to target family members of murdered Saudi journalist Jamal Khashoggi.
These attacks are expensive and aimed at a very small number of people.
The problem is that some governments also use the technology to spy on journalists, political opponents — even businesses.
It’s that last part that may be of most importance, particularly (but not exclusively) to larger enterprises working on highly confidential matters. No business user should approve of unconstrained use of technologies of this kind as they undermine trust and enable disgraceful attempts at business sabotage.
In what could be seen as an ironic representation of that truth, it is interesting that NSO Group has never published a complete list of its clients.
Apple’s extensive litigation, described in more detail below, is an attempt to require NSO Group to reveal who it was working for and what data it obtained for those clients. If it succeeds, this will bring some instances of egregious surveillance into the light, where the consequences can be judged by all.
What is Apple saying?
Apple’s complaint against NSO Group pulls no punches:
“Defendants are notorious hackers — amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse. They design, develop, sell, deliver, deploy, operate, and maintain offensive and destructive malware and spyware products and services that have been used to target, attack, and harm Apple users, Apple products, and Apple. For their own commercial gain, they enable their customers to abuse those products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even U.S. citizens.”
The litigation observes that the US government has sanctioned the company, and seeks redress at every available level, including breach of the terms of use we all agree to every time we use a product.
It also points out that NSO has admitted the attacks it sells for profit have led to violations of fundamental human rights.
What NSO Group had to say
In a very brief statement, NSO Group said:
“NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.
“We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products.”
Apple security chief weighs in
Ivan Krstić, head of Apple Security Engineering and Architecture, doesn’t agree:
“At Apple, we are always working to defend our users against even the most complex cyberattacks. The steps we’re taking today will send a clear message: In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place.”
“Our threat intelligence and engineering teams work around the clock to analyze new threats, rapidly patch vulnerabilities, and develop industry-leading new protections in our software and silicon. Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”
How Apple threat notifications work
Moving forward, Apple says it will notify users if its security teams spot activity consistent with a state-sponsored attack being made against them.
While most people won’t be impacted by such larcenies (in part because these attacks are expensive), they may be visible against certain individuals, such as journalists, politicians, industry leaders, strategically important business leaders, NGOs, and others. It really just depends if a government somewhere is willing to pay to surveil.
If Apple discovers activity consistent with a state-sponsored attack, it will send an affected user an email, an iMessage, and place a notification on the Apple ID page. It states:
- A Threat Notification is displayed at the top of the page after the user signs into appleid.apple.com.
- Apple sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.
The notification will also suggest additional steps that can be taken to help protect the targeted person. Apple concedes such attacks are highly sophisticated and evolve over time, which means threat intelligence signals may sometimes yield false positives and that some attacks may not be detected.
- Apple threat notifications will never ask you to click any links, open files, install apps or profiles, or provide your Apple ID password or verification code by email or on the phone.
- To verify that an Apple threat notification is genuine, sign in to appleid.apple.com.
- If Apple sent you a threat notification, it will be clearly visible at the top of the page after you sign in.
Basic security steps everyone should take
Human nature remains both the best and the worst line of defense. We live in a world in which everyone knows hacks happen, but “123456,” “password,” and “12345” continue to be the top three most commonly used passwords in the US.
While I imagine most business owners and employees understand the need to display more security intelligence than that, it’s not reassuring that even today so many people don’t. And while you can argue in the context of state-sponsored attacks that a person’s password is unlikely to provide all the defense you need, it does provide some protection.
In addition, while you may be highly secure, your close relative may not be — and their vulnerability represents an attack surface hackers can and do use en route to undermining your security. Like coronavirus, in this connected world no one is safe until everyone is safe.
Apple has published the following best practice recommendations:
- Update devices to the latest software, which includes the latest security fixes.
- Protect devices with a passcode.
- Use two-factor authentication and a strong password for Apple ID.
- Install apps from the App Store.
- Use strong and unique passwords online.
- Don’t click on links or attachments from unknown senders.
What claims for relief has Apple made?
Apple has made four claims for relief against NSO Group under the following counts:
- Violations of Computer Fraud and Abuse Act;
- Violations of California Business and Professions Code § 17200;
- Breach Of Contract (specifically around iCloud Terms of use);
- Unjust Enrichment (as an alternative to the third count).
What does Apple want?
Apple seeks numerous injunctions and financial penalties to punish NSO Group and also provide insight into who its clients are and whose data they obtained.
These include:
- A permanent injunction to stop NSO Group from accessing and using any Apple servers, devices, hardware, software, applications, other Apple products or services.
- A permanent injunction requiring NSO Group to identify the location of any and all information obtained from any Apple users’ Apple devices, hardware, software, applications, or other Apple products.
- That all such data is deleted and that any and all entities with whom Defendants shared such information be identified.
- An injunction to prevent NSO from developing, distributing, using, causing to be developed, or enabling use of spyware, malware and so on against any Apple hardware, software or services without consent.
- Damages in compensation.
- Punitive damages.
- An accounting and disgorgement of profits made as a result of these acts.
- Any additional relief the court sees as appropriate.
What about the security researchers?
Apple paid tribute to the independent security teams that have been investigating the work NSO Group does. The company is offering much more than lip service. It is contributing $10 million to support cybersurveillance researchers and advocates and says any compensation received as a result of the NSO litigation will be poured into the same pot.
In other words, Apple is prepared to flex its legal muscle to take on an international organization accused of human rights abuses against its customers, and is also very happy to invest in research it thinks may be able to help protect customers against such acts.
Apple will also support what it called the “accomplished” researchers at the Citizen Lab with pro-bono technical, threat intelligence, and engineering assistance. Where appropriate, it will offer the same assistance to other organizations doing critical work in this space.
What Apple says about NSO Group attacks
Apple also shared new information on NSO Group’s FORCEDENTRY exploit used to break into a victim’s Apple device to install the latest version of NSO Group’s spyware product, Pegasus. The exploit was originally identified by the Citizen Lab, a research group at the University of Toronto.
To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device. These allowed NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge. While Apple’s servers were misused during the process, the company’s servers were not hacked or compromised.
I’m pleased to see Apple take this action and I hope its litigation against NSO succeeds.
While NSO argues that it acts within the law and has vigorous protections in place, it seems appropriate that it should be forced to prove this to be true. After all, Amnesty International has identified at least 180 journalists around the world who have been attacked by Pegasus, which suggests the tech has in fact been abused.
As Apple CEO Tim Cook warned in 2018:
“We see vividly — painfully — how technology can harm rather than help. Platforms and algorithms that promised to improve our lives can actually magnify our worst human tendencies. Rogue actors and even governments have taken advantage of user trust to deepen divisions, incite violence, and even undermine our shared sense of what is true and what is false.”
I continue to believe tools such as those provided by NSO or mandated security back doors into products will enable more criminal and terrorist activity than they prevent.
Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
Copyright © 2021 IDG Communications, Inc.