Apple today filed a lawsuit against NSO Group and its parent company to hold it accountable for the surveillance and targeting of Apple users. The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware. To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.
NSO Group is one of four companies recently added to a list maintained by the U.S. Department of Commerce, which prohibits any U.S. company from selling products or services to NSO Group without U.S. government approval. If it were also legally prohibited from using any of Apple’s products or services, it would surely put a damper on the company’s ability to operate, though it would only be a little bit surprising if NSO Group managed to acquire devices through another route.
A copy of Apple’s complaint is available on CourtListener. This is the second time this legal strategy has been used against NSO Group — Facebook sued it in 2019. The “new information” about how this spyware works mostly appears to be these paragraphs from the suit:
On information and belief, Defendants created more than one hundred Apple IDs using Apple’s systems to be used in their deployment of FORCEDENTRY.
On information and belief, after obtaining Apple IDs, Defendants executed the FORCEDENTRY exploit first by using their computers to contact Apple servers in the United States and abroad to identify other Apple devices. Defendants contacted Apple servers using their Apple IDs to confirm that the target was using an Apple device. Defendants would then send abusive data created by Defendants through Apple servers in the United States and abroad for purposes of this attack. The abusive data was sent to the target phone through Apple’s iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file. That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple’s iCloud servers in the United States or abroad for delivery to the target.
One of the minor privacy flaws of iMessage is that it will automatically tell you whether someone else has enabled it. All you have to do is type an email address or a phone number into the “To:” field in Messages; if it turns blue, it is an iMessage account and, therefore, associated with an Apple ID and an Apple device. In a vacuum, this is not very meaningful, but it appears that NSO Group was using a similar technique to figure out where to send its spyware.
Perhaps not as headline-making is this announcement:
Apple is notifying the small number of users that it discovered may have been targeted by FORCEDENTRY. Any time Apple discovers activity consistent with a state-sponsored spyware attack, Apple will notify the affected users in accordance with industry best practices.
Update: As of November 24, Apple is now alerting possible targets. Ewa Wrzosek, a prosecutor in Poland, shared screenshots of what one of those warnings looks like. Wrzosek was notified by iMessage; others were sent emails.