
Apple sues NSO Group, creators of Pegasus spy software, warns activists of state-sponsored attacks [UPDATED]

JoseGuya

 

 

Summary

Apple today filed a lawsuit against NSO Group and its parent company to hold it accountable for the surveillance and targeting of Apple users. The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware. To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.   

 

Quotes

Quote

NSO Group creates sophisticated, state-sponsored surveillance technology that allows its highly targeted spyware to surveil its victims. These attacks are only aimed at a very small number of users, and they impact people across multiple platforms, including iOS and Android. Researchers and journalists have publicly documented a history of this spyware being abused to target journalists, activists, dissidents, academics, and government officials.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous. While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”

 

 

My thoughts

 I think Apple is one of the only entities right now with the money and power to combat state sponsored attacks and mass surveillance. And I'm really happy considering my own country's government is about to purchase Pegasus and we don't have any laws regarding data protection. After the CSAM fiasco I really lost all hope on Apple and its privacy stand, but this could improve their image on that front again 

 

Sources

https://www.apple.com/newsroom/2021/11/apple-sues-nso-group-to-curb-the-abuse-of-state-sponsored-spyware/

 

 

 

EDIT

 

First clause of the demand, wow the wording is harsh

Quote

Defendants are notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse. They design, develop, sell, deliver, deploy, operate, and maintain offensive and destructive malware and spyware products and services that have been used to target, attack, and harm Apple users, Apple products, and Apple. For their own commercial gain, they enable their customers to abuse those products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even U.S. citizens.

 

 

UPDATE

 

Apple issued a warning to activists and opposition politicians around the world if their phones have been targeted.

 

Quote

Apple Inc issued alert messages on Wednesday to at least six activists and researchers who have been critical of Thailand's government, warning it believed their iPhones had been targeted by "state-sponsored attackers", according to activists and the alerts reviewed by Reuters

 

A political scientist in Thailand

 

Quote

Prajak Kongkirati, a political scientist at Bangkok's Thammasat University, said he had received two emails from Apple warning it believed his iPhone and iCloud accounts had been targeted, along with a "threat notification" on his Apple account.

 

The messages warned "if your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone."

 

Ghana and El Salvador

 

Quote

Two political activists in Ghana, an opposition politician in Uganda, as well as a dozen journalists from Salvadoran media reported later on Wednesday having received similar warning messages from Apple, according to social media posts reviewed by Reuters.

 

What the notification looks like

[Image: Apple ID threat notification]

 

 

Sources:

 

https://www.reuters.com/technology/apple-warns-thai-activists-state-sponsored-attackers-may-have-targeted-iphones-2021-11-24/

https://support.apple.com/en-sa/HT212960

 


this is great news to privacy, especially of high target people like journalists and activists (yes you heard me right, i could add more info if this wasn't somewhat political). this spyware has been known to be sold to companies and governments. this stuff isn't a joke, they literally have all the power against you if you're chosen to be infected. i hope this kind of power is never used. (which it is being used 😞 ).

Edited by adarw

|:Insert something funny:|

-----------------

*******

#


3 minutes ago, Caroline said:

Of course, they wanna be the only ones spying on users :old-laugh:

at least they're not actively trying to sell the data to governments.

 

 

|:Insert something funny:|

-----------------

*******

#


34 minutes ago, JoseGuya said:

targeting of Apple users

and they impact people across multiple platforms, including iOS and Android

don't know anything about the company or this situation, but just from these two statements, seems apple is contradicting itself with its use of the word targeting. If this is as bad a company as it sounds, I hope they have more planned than claiming they are "targeting"

Insanity is not the absence of sanity, but the willingness to ignore it for a purpose. Chaos is the result of this choice. I relish in both.


8 minutes ago, Jtalk4456 said:

don't know anything about the company or this situation, but just from these two statements, seems apple is contradicting itself with its use of the word targeting. If this is as bad a company as it sounds, I hope they have more planned than claiming they are "targeting"

From wikipedia:

 

Quote

Pegasus is spyware developed by the Israeli cyberarms firm NSO Group that can be covertly installed on mobile phones (and other devices) running most[1] versions of iOS and Android.[2] The 2021 Project Pegasus revelations suggest that the current Pegasus software can exploit all recent iOS versions up to iOS 14.6.[1] As of 2016, Pegasus was capable of reading text messages, tracking calls, collecting passwords, location tracking, accessing the target device's microphone and camera, and harvesting information from apps. [3] The spyware is named after Pegasus, the winged horse of Greek mythology. It is a Trojan horse computer virus that can be sent "flying through the air" to infect cell phones.[4]

So yes, Pegasus is a software that targets iOS and Android, so I don't understand the contradiction?


29 minutes ago, Caroline said:

Of course, they wanna be the only ones spying on users :old-laugh:

'Tis how their business model works, yes. They make bank selling hardware + everything under the iCloud umbrella alongside the promise of greater user privacy, as due to the first two they don't need masses of user data to feed to advertisers to make their money. Even if they don't win this, it's great PR.

Apple is a company, like all companies they wish to make money, any choices they make are in their best interests.

Intel HEDT and Server platform enthusiasts: Intel HEDT Xeon/i7 Megathread 

 

Main PC 

CPU: i9 7980XE @4.5GHz/1.22v/-2 AVX offset 

Cooler: EKWB Supremacy Block - custom loop w/360mm +280mm rads 

Motherboard: EVGA X299 Dark 

RAM:4x8GB HyperX Predator DDR4 @3200Mhz CL16 

GPU: Nvidia FE 2060 Super/Corsair HydroX 2070 FE block 

Storage:  1TB MP34 + 1TB 970 Evo + 500GB Atom30 + 250GB 960 Evo 

Optical Drives: LG WH14NS40 

PSU: EVGA 1600W T2 

Case & Fans: Corsair 750D Airflow - 3x Noctua iPPC NF-F12 + 4x Noctua iPPC NF-A14 PWM 

OS: Windows 11

 

Display: LG 27UK650-W (4K 60Hz IPS panel)

Mouse: EVGA X17

Keyboard: Corsair K55 RGB

 

Mobile/Work Devices: 2020 M1 MacBook Air (work computer) - iPhone 13 Pro Max - Apple Watch S3

 

Other Misc Devices: iPod Video (Gen 5.5E, 128GB SD card swap, running Rockbox), Nintendo Switch


26 minutes ago, adarw said:

at least they're not actively trying to sell the data to governments.

 

 

That we know of, however without getting political, apple does allow some governments to spy on their users.


1 minute ago, Blademaster91 said:

That we know of, however without getting political, apple does allow some governments to spy on their users.

that is true, but it's to a degree, it's not selling, they are most of the time forced to.

|:Insert something funny:|

-----------------

*******

#


11 minutes ago, JoseGuya said:

From wikipedia:

 

So yes, Pegasus is a software that targets iOS and Android, so I don't understand the contradiction?

targeting meaning specific attack. The entire mobile phone market is not a single target, so it's not quite targeting by semantics imo. You could say they targeted the mobile phone market and that would be more accurate. I did some reading from another article and it seems the targeting is more in reference to the company creating over 100 apple id's for the purpose of one specific attack they are referring to. It seems more likely they're focusing on the company creating the fake accounts for the purposes of a cyber attack and using that to address broad concerns over the nature of the company from what I'm reading

Insanity is not the absence of sanity, but the willingness to ignore it for a purpose. Chaos is the result of this choice. I relish in both.


57 minutes ago, Caroline said:

Of course, they wanna be the only ones spying on users :old-laugh:

Apple being Apple chooses to sue a company instead of increasing their security.


31 minutes ago, JoseGuya said:

So yes, Pegasus is a software that targets iOS and Android, so I don't understand the contradiction?

15 minutes ago, Jtalk4456 said:

targeting meaning specific attack. The entire mobile phone market is not a single target, so it's not quite targeting by semantics imo. You could say they targeted the mobile phone market and that would be more accurate. I did some reading from another article and it seems the targeting is more in reference to the company creating over 100 apple id's for the purpose of one specific attack they are referring to. It seems more likely they're focusing on the company creating the fake accounts for the purposes of a cyber attack and using that to address broad concerns over the nature of the company from what I'm reading

I believe the question is that if Pegasus's software is supposedly capable of targeting both iOS users and Android users - aka anybody - can it be said that the software can "target, attack, and harm Apple users, Apple products, and Apple" or is doing so contradicting the first statement.

 

I believe the answer to this is that no, they are not contradicting themselves. Because "targeting" does not necessarily require one of the targeted groups to be deemed more important than another, or that if all of the groups are targeted equally that none of the groups can argue alone.

 

After all, Anakin Skywalker was said to have targeted not just the men, but the women and children too. Saying "Anakin Skywalker killed all the children" is not contradictory to saying "Anakin Skywalker killed everybody" - it just isn't the full story. Similarly, Apple saying "they targeted Apple customers" is not contradictory to saying "they targeted smartphone users" - it just doesn't describe the full extent of their actions.

 

Of course in reality, Apple doesn't actually care about them hacking Android users - they only care about their own customers - and so are not arguing against that behavior on Google's behalf. (Note that they are not actually arguing that the actions of Pegasus are morally wrong, instead they are complaining that "NSO's Actions Have Injured Apple And Its Users".) Personally I think that it's dumb not to work with Google and present a joint case, as together they may have a better chance at success.

CPU: i7 4790k, RAM: 16GB DDR3, GPU: GTX 1060 6GB


31 minutes ago, tim0901 said:

I believe the question is that if Pegasus's software is supposedly capable of targeting both iOS users and Android users - aka anybody - can it be said that the software can "target, attack, and harm Apple users, Apple products, and Apple" or is doing so contradicting the first statement.

 

I believe the answer to this is that no, they are not contradicting themselves. Because "targeting" does not necessarily require one of the targeted groups to be deemed more important than another, or that if all of the groups are targeted equally that none of the groups can argue alone.

 

After all, Anakin Skywalker was said to have targeted not just the men, but the women and children too. Saying "Anakin Skywalker killed all the children" is not contradictory to saying "Anakin Skywalker killed everybody" - it just isn't the full story. Similarly, Apple saying "they targeted Apple customers" is not contradictory to saying "they targeted smartphone users" - it just doesn't describe the full extent of their actions.

 

Of course in reality, Apple doesn't actually care about them hacking Android users - they only care about their own customers - and so are not arguing against that behavior on Google's behalf. (Note that they are not actually arguing that the actions of Pegasus are morally wrong, instead they are complaining that "NSO's Actions Have Injured Apple And Its Users".) Personally I think that it's dumb not to work with Google and present a joint case, as together they may have a better chance at success.

Yeah I can see where you're coming from with your semantics. I hold a slightly different take on targeting. I tend to think of it as more of a specific thing. Serial killer is targeting women over age 30 with no husband, scammers targeting elderly, etc. I view targeting as aiming and therefore focusing. Not to say you can't target more than one thing, but usually those are different incidents. Broad shotgun approach against a whole market I just use the word attacking, or targeting the market, treating the market as a large but single entity. Like I said just semantics, and the suit seems to be much deeper than the use of the word targeting, so irrelevant at this point, and we can just agree to disagree on the semantics

Insanity is not the absence of sanity, but the willingness to ignore it for a purpose. Chaos is the result of this choice. I relish in both.


good that they go against spyware, hate that ****.

already bad when your equipment wants to install some spyware or in games has "analytics" or adds that later on.


2 hours ago, Jtalk4456 said:

Yeah I can see where you're coming from with your semantics. I hold a slightly different take on targeting. I tend to think of it as more of a specific thing. Serial killer is targeting women over age 30 with no husband, scammers targeting elderly, etc. I view targeting as aiming and therefore focusing. Not to say you can't target more than one thing, but usually those are different incidents. Broad shotgun approach against a whole market I just use the word attacking, or targeting the market, treating the market as a large but single entity. Like I said just semantics, and the suit seems to be much deeper than the use of the word targeting, so irrelevant at this point, and we can just agree to disagree on the semantics

Yeah I can definitely see where you're coming from as well - would be down to interpretation which, as you mentioned, is irrelevant here.

CPU: i7 4790k, RAM: 16GB DDR3, GPU: GTX 1060 6GB


2 hours ago, Blademaster91 said:

Apple being Apple chooses to sue a company instead of increasing their security.

Feels like it's for people to go, "see? Apple does care about its users"

Taking care of public image.


5 hours ago, adarw said:

at least they're not actively trying to sell the data to governments.

 

 

<China has left the chat>

<apple has left the chat>

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


5 hours ago, Zando Bob said:

'Tis how their business model works, yes. They make bank selling hardware + everything under the iCloud umbrella alongside the promise of greater user privacy, as due to the first two they don't need masses of user data to feed to advertisers to make their money. Even if they don't win this, it's great PR.

Apple is a company, like all companies they wish to make money, any choices they make are in their best interests.

I think you confused Apple with Google here...


4 hours ago, Blademaster91 said:

apple does allow some governments to spy on their users.

At least in democratic countries a court order is necessary to make a data request to Apple. The state (law enforcement) has to get a permission from a given body of jurisdiction to do that. Evidence for the violation of civilian / criminal law is needed.

 

Pegasus is different. It is rather used by national security and intelligence and it is mostly operated without a need of permission from a criminal court, and outside the civilian law. May only state law and military law apply on agencies using Pegasus.

 

6 hours ago, JoseGuya said:

Apple today filed a lawsuit against NSO Group and its parent company to hold it accountable for the surveillance and targeting of Apple users. [...] Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.

Yeah, so good luck with that Apple! In most cases national security / intelligence services and their affiliates are exempted from civilian / criminal law. I think civilian legal actions are hopeless to make a difference in the case of such spyware development that NSO Group does.

 

As long as national security / intelligence agencies of the bigger nations are willing to use and buy such tools as Pegasus they will protect spyware developers from legal actions. This just seems so obvious, I find it hard to believe that with this lawsuit Apple is seriously expecting anything more than a PR achievement.

         \   ^__^ 
          \  (oo)\_______
             (__)\       )\/\

8 hours ago, JoseGuya said:

I think Apple is one of the only entities right now with the money and power to combat state sponsored attacks and mass surveillance.

Except... other states that were spied on?

7 hours ago, adarw said:

at least they're not actively trying to sell the data to governments.

You're right, they do it for free https://www.businessinsider.com/apple-complies-percent-us-government-requests-customer-data-2020-1?r=US&IR=T

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


Apple could release the cure for cancer and people would still try and twist it into something bad. 

I am glad that Apple are going after the NSO group. That company are scumbags. This is a good thing regardless of what motivation you think Apple has. 


Pardon my ignorance, but I thought in most 1st world countries, obtaining personal data through breaching a private device was a criminal activity. I mean if I made a virus that did this would I not be charged with unauthorized access, identity theft, computer trespass not to mention the myriad of privacy laws that exist and intent to cause harm?

 

Why hasn't this company been charged and jailed already? Why does a private company have to do the work of the justice system and police?

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


49 minutes ago, mr moose said:

Why hasn't this company been charged and jailed already? Why does a private company have to do the work of the justice system and police?

My guess: The justice system and the police of <insert country here> are among their customers, or (as far as they know) unaffected.


Ah yes a privacy lawsuit brought to you by the company that built their own in house spyware for all of its devices and then host their data in Chinese servers. Labeled it as security for the kids and then tried to pretend that researchers didn't put cannon sized holes in its security until every news publication and security researcher was condemning them.

 

https://www.eff.org/deeplinks/2021/08/if-you-build-it-they-will-come-apple-has-opened-backdoor-increased-surveillance

 


1 hour ago, mr moose said:

Why hasn't this company been charged and jailed already?

This may have something to do with it.

Quote

NSO Group creates sophisticated, state-sponsored surveillance technology

 
