“Amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse”. That is the description given by the Plaintiff Apple in a lawsuit filed against defendants NSO Group Technologies and Q Cyber Technologies (whom NSO is a subsidiary of) last month in the Northern District of California, United States District Court.
Malware and Spyware Targeting Apple Products
The plaintiff Apple contends the defendants are a company that produces malware and spyware specifically intended to be used against Apple products. Just 20 days before the lawsuit, the Commerce Department’s Bureau of Industry and Security and added NSO to the entity list of “companies engaging in activities that are contrary to the national security or foreign policy interests of the United States”. The effect of this is a ban on the company from buying software or hardware from the United States without a license, which given the tone and tenure of the press release, will be very difficult to secure. The company being headquartered in Israel, one of the United States’ allies, complicates this ban as it could strain relations between the two countries. To add to the awkwardness a bit more, NSO has collaborated with another subsidiary of Q Cyber, WestBridge Technologies, to operate in the United States.
NSO Hit WhatsApp
NSO has been in the news for several years, criticized by both various international government and media sources for selling hacking and spying tools to countries with poor human rights records who lack fairness in their rule of law. NSO has been also criticized for providing large amounts of technical support to its customers. Facebook, in 2019, filed lawsuit against NSO, alleging spyware delivered through their WhatsApp messaging software, infected user’s phones. The suit is still ongoing and the 9th Circuit recently ruled NSO and Q Cyber are not entitled to sovereign immunity under federal law, subjecting them to jurisdiction in the United States on matters such as this. Perhaps, that is why Apple decided to file suit two weeks after that decision? Or, maybe as in the Facebook lawsuit against the web scraper from Ukraine recently, they are trying to get ahead of their own legal liability, which is a strategically astute move.
Pegasus is NSO’s Signature Spyware
The headline spyware NSO has developed is known as Pegasus, which NSO describes as a “cyber intelligence solution that enables [clients] … to remotely and covertly extract valuable intelligence from virtually any mobile device.” Their exploits have become so advanced, research done on them show that no action (such as clicking on a malicious link) is necessary for intrusion into the victim’s device.
The Apple lawsuit contends that NSO has violated by federal (Consumer Fraud and Abuse Act) and state (California Business Codes) law, as well as user agreements for creating numerous Apple IDs on various IoS devices and iCloud. Apple is asking for an injunction against NSO to stop developing products that can target IoS devices. While NSO has not specifically filed an answer (as the date of this writing), in the past, they have lauded their products as highly productive tools for law enforcement and legal, authorized investigations.
Have an iPhone and Work for the Federal Government?
For those of you who work for the federal government and don’t think NSO software will find its way onto your devices (NSO has said Pegasus can’t be used against iOS phones in the United States), consider this sobering development: 11 U.S. State Department Officials were notified by Apple recently that the Pegasus exploit was found on their phones. How it made its way on government phone’s is not absolutely clear at this time, but my limited research shows it may have something to do with foreign phone numbers used in communication.
For a fascinating interactive website dedicated to the security and human rights risks posed by Pegasus, the reader may want to check out the Pegasus Project.