Apple sues Israeli spyware maker NSO over its Pegasus spyware
Apple announced Tuesday that it has sued Israel-based NSO Group over the use of its Pegasus spyware to attack Apple devices, the latest move in an escalating global campaign against surveillance abuses targeting smartphone users.
The suit, which seeks an injunction against NSO to stop it from using any Apple software, service or device, comes after the July publication of The Pegasus Project by The Washington Post and 16 other news organizations that detailed the use of Pegasus in dozens of attacks against journalists, human rights workers and political activists in countries across the world.
The NSO Group has repeatedly denied the conclusions of The Pegasus Project but also has been buffeted by a series of government and other actions based on the consortium’s findings, including a U.S. government decision earlier this month to blacklist the company.
NSO’s “notorious hackers” are “amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse,” the lawsuit states.
The lawsuit was filed in the Northern District of California. NSO did not respond Tuesday to a request for comment.
Apple’s legal move follows a similar lawsuit by the Facebook-owned messaging service WhatsApp in 2019 that accused NSO of targeting 1,400 of its users with spyware. A U.S. appeals court ruled this month that the suit can proceed.
In announcing its lawsuit, Apple singled out a particular attack on iPhones called FORCEDENTRY that had been discovered by researchers for Citizen Lab, who have long worked to detail abuses of Pegasus, which NSO Group said is licensed to dozens of military, intelligence and law enforcement agencies around the world. Apple released a patch for the vulnerability shortly after.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering, in a blog post announcing the lawsuit.
“Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous,” he wrote. “While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”
Among the findings of The Pegasus Project was that iPhones, despite their reputation for strong security compared to some other smartphones, had weaknesses that the NSO Group had learned to exploit to deliver spyware to the phones of targets.
In some cases NSO customers delivered Pegasus in such a stealthy way that users got no alert and needed to take no action in order for an infection to begin on their devices. Once inside, the malware turned smartphones into sophisticated spying devices, revealing their locations, communications, pictures and other information.
The lawsuit accuses NSO of enabling customers to target U.S. citizens, despite the company’s pledge that its spyware “cannot be used to conduct cybersurveillance within the United States.”
Apple also said it was donating $10 million to support cybersecurity researchers and advocates against spyware.
NSO has suffered a series of devastating blows in the months since the Pegasus Project investigation. This month, after the Commerce Department added the company to its red-flagged “entity list,” NSO’s new chief executive announced his resignation after only two weeks in the role.
The company also faces significant financial peril. The credit rating agency Moody’s downgraded the company on Monday, saying it faced an “increased risk” of default on hundreds of millions of dollars in debt.
In recent months, an internal investigation discovered traces of Pegasus spyware in the phones of five French cabinet ministers. And in the U.K., a High Court judgment last month confirmed that the phones of Princess Haya, the ex-wife of Dubai’s ruler, as well as those of her legal and security advisers had been targeted with a Pegasus hack.
The White House raised concerns about NSO’s spyware to the Israeli government in July. Beyond the Commerce Department’s blacklist, members of Congress have also pushed for more severe financial sanctions and other measures to combat the spyware’s abuse.