Apple sues NSO Group for spying on its customers

Apple sues NSO Group for spying on its customers
Photo Credit: Reuters
24 Nov, 2021

Apple has filed a lawsuit against Israel-based NSO Group and its parent company OSY Technologies for supplying the Pegasus spyware that was used to target Apple customers.  Apple has also appealed for a permanent injunction to stop NSO Group from using any of its products including devices, apps and services, the Cupertino-based company said in a blog post.  

"State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, senior vice president of software engineering at Apple.  

To help organisations working on cyber-surveillance research and advocacy, Apple said that it will provide $10 million, in addition to any damages they receive from the lawsuit. The iPhone maker also commended the work of Citizen Lab and Amnesty Tech and said it will provide the former technical support, threat intelligence, and engineering assistance.  

The lawsuit also provided details on FORCEDENTRY, the exploit that was used by NSO Group to break into Apple devices and install Pegasus. The vulnerability has since been patched.  

Apple also assured that its servers were not hacked or compromised during any of the attacks.  

Early this month, the US government had put NSO Group on an export ban list, restricting it from acquiring hardware and software from any US company without approval from the Commerce Department.  

Defending itself, the Israeli company claimed that its software is only meant to help governments monitor individuals that are suspected of terrorist activities and serious crimes.  

However, the leak of 50,000 phone numbers that were on the surveillance list of NSO Group's customers revealed that the spyware was being used to target human rights activists, journalists, researchers, lawyers, doctors, union leaders, diplomats, opposition leaders and heads of states. 

The leak was made to Forbidden Stories in 2020. Following which more than 80 journalists from 17 media outlets across 10 countries studied the leaked data with technical support from Amnesty International’s Security Lab under the Pegasus Project. They found that in addition to lawyers, activists, and political leaders, over 200 journalists were also under surveillance in several countries including in India. 

According to the findings of the Pegasus Project, NSO Group sells its spyware to 40 governments. Around 174 people in India are believed to have been targeted by spyware.  

Last month, the Supreme Court of India appointed a 3-member team of cybersecurity experts to investigate the use of spyware for surveillance on Indian citizens. 

In October 2019, Facebook parent company Meta Platforms had filed a lawsuit seeking injunction and damages against NSO Group for illegally accessing WhatsApp servers six months before installing the Pegasus malware on targeted users' mobile devices. 

The use of Pegasus for illegally spying on citizens first came to light in 2019 when the software was found to have been used to target users after exploiting a vulnerability in WhatsApp.

Meta and Citizen Lab's investigations later found that the spyware can be installed on a targeted user's device without the owner having to click on a call or a message. Once the spyware is planted on the device, it can covertly collect data, record video using the device's camera, listen to conversation through microphones, take screenshots and access user location.