Wednesday, November 24, 2021

Apple Sues NSO Group

Apple (PDF, Hacker News, Reddit):

Apple today filed a lawsuit against NSO Group and its parent company to hold it accountable for the surveillance and targeting of Apple users. The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware. To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.

Nicole Perlroth:

The lawsuit is the second of its kind — Facebook sued the NSO Group in 2019 for targeting its WhatsApp users — and represents another consequential move by a private company to curb invasive spyware by governments and the companies that provide their spy tools.


The sample of Pegasus gave Apple a forensic understanding of how Pegasus worked. The company found that NSO’s engineers had created more than 100 fake Apple IDs to carry out their attacks. In the process of creating those accounts, NSO’s engineers would have had to agree to Apple’s iCloud Terms and Conditions, which expressly require that iCloud users’ engagement with Apple “be governed by the laws of the state of California.”

The clause helped Apple bring its lawsuit against NSO in the Northern District of California.

John Gruber:

Apple repeatedly refers to the “FORCEDENTRY” exploit by name. This is not PR bullshit — they’re talking about a very specific exploit. Second, they refer to Android as their compatriot, not their competitor. There’s a time and place for Apple to brag about iOS being more secure than Android, but this isn’t it. The message here: “This isn’t just about us, NSO Group is after everyone.”

John Gruber:

I genuinely wonder what Apple’s goals are with this suit. Is it just to bring NSO Group’s activities to light? If this goes to trial, the testimony should really be something to see. How much in damages will Apple seek at trial? Enough to bankrupt NSO Group?

Jason Snell:

Say what you will about Apple’s policies regarding bug bounties and other security issues—the company is capable of spending a nearly infinite amount of money on lawyers who will try to make NSO Group’s existence painful for a very long time.

Maxwell Swadling:

are you taking any steps to improve platform security processes to prevent what happened over the last 2 years? Such as addressing security disclosures quicker, opening up the security researcher program or catching more issues internally that project zero picks up externally?

Stefan Esser:

NSO has managed what a lot of legitimate security researchers have been unable to do: make people see the security of iPhones in a more realistic light. Furthermore Apple going after people who discover security problems in their products is just normal Apple tactic anyway.

Never forget that when NSO was first caught and the first time the general public learned about PEGASUS it was Apple who threatened Lookout to not release samples to the public. Nice AppStore app you have there. It would be a shame if something happened to it.

Yeah also never forget that System and Security info which was capable of finding PEGASUS on your iPhone was banned from the Apple App Store because Apple did not want their customers to be able to see if they were infected.

Steve Troughton-Smith:

Observation from Apple’s NSO complaint: Apple, curiously, completely omits any mention of App Store or lack of sideloading as a fundamental security measure of iOS. Almost as if they no longer believe they can rely on that point to remain in their favor.

Orin Kerr:

According to its CFAA claim filed today, Apple thinks that when your iPhone’s operating system is hacked, Apple is hacked-- and it can sue-- because Apple still owns the operating system on your iPhone.

Hmm, seems like a pretty big stretch to me.


Apple threat notifications are designed to inform and assist users who may have been targeted by state-sponsored attackers. These users are individually targeted because of who they are or what they do. Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent. State-sponsored attacks are highly complex, cost millions of dollars to develop, and often have a short shelf life. The vast majority of users will never be targeted by such attacks.

If Apple discovers activity consistent with a state-sponsored attack, we notify the targeted users in two ways[…]

Nick Heer:

One of the minor privacy flaws of iMessage is that it will automatically tell you whether someone else has enabled it. All you have to do is type an email address or a phone number into the “To:” field in Messages; if it turns blue, it is an iMessage account and, therefore, associated with an Apple ID and an Apple device. In a vacuum, this is not very meaningful, but it appears that NSO Group was using a similar technique to figure out where to send its spyware.


I cannot find any reports of Apple notifying potential victims of state-sponsored attacks, so this appears to be a new policy. Twitter was doing this in 2015, and Google in 2012.


Update (2021-12-13): John Gruber:

Fascinating to consider that the U.S. State Department is only aware of this hack because Apple notified the affected employees. That’s certainly how this report reads.

5 Comments RSS · Twitter

>Second, they refer to Android as their compatriot, not their competitor. There’s a time and place for Apple to brag about iOS being more secure than Android, but this isn’t it.

What? Apple then over the PR repeated three times Apple has the most secure OS and Platform. They are telling everyone this threat isn't just about Apple, but only Apple is fighting for it.

John Gruber.... well what can I say.

@ Ed: I don't see the contradiction. Their press release does indeed frame it as "both iOS and Android are impacted", but also as "iOS is very secure" (skimming it, I can't find anything to the effect of implying that Android is bad). John is correct that Apple isn't taking this opportunity to bash Android.

The Apple Newsroom link does say this:

Apple makes the most secure mobile devices on the market, and constantly invests in strengthening privacy and security protections for its users. For example, researchers have found that other mobile platforms have 15 times more malware infections than iPhone, and a recent study showed that less than 2 percent of mobile malware targets iOS devices.

Which, though it doesn't explicitly call out "Android," does feel a little like bragging. I suppose it's open to interpretation.

In general, I find claims like "most secure devices" to not really be that helpful, or even very well defined. What does it mean to be "secure" anyway? Seems like the makers of Android could probably come up with statistics that make that system look "most secure," when in fact we all know that neither OS is without major security problems.

>There’s a time and place for Apple to brag about iOS being more secure than Android, but this isn’t it.

Especially when the lawsuit is an admission that Apple can't keep iOS secure and has to sue in an attempt to keep people from hacking it.

If only Apple had a security bug bounty program lucrative enough that researchers could reliably rely on, without retarded draconian measures in place to discourage the researchers from earning? Alas, Apple doesn’t have the means to accomplish that…

Leave a Comment