Apple on Tuesday filed a lawsuit against NSO Group and its parent business for spying on and targeting Apple users. The lawsuit adds to our understanding of how NSO Group’s Pegasus malware infected victims’ devices. Apple is also seeking a permanent injunction prohibiting NSO Group from utilizing any Apple software, services, or devices in order to avoid additional abuse and injury to its users.
“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” Apple’s senior vice president of software engineering, Craig Federighi, said. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous. While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”
Apple is seeking a permanent injunction to prevent NSO from producing, distributing, or deploying malware or spyware for any of Apple’s hardware, software, or devices, or from allowing others to do so. The action, which was filed in the United States District Court for the Northern District of California, also asks the court to order NSO Group to identify and destroy any and all data obtained without consent from Apple users’ devices and software.
Apple also wants NSO Group to reveal any third parties with whom it shared that information, as well as a comprehensive accounting of the revenues it made from those operations so that they can be given over to the court. Apple is seeking more than $75,000 in damages.
Apple claims that NSO Group’s actions violated the Computer Fraud and Abuse Act and Apple’s iCloud terms of service, which prohibit, among other things, the use of Apple goods for illicit purposes.
NSO Group, a company that sells surveillance software to government agencies, claims that its Pegasus software aids authorities in combating criminals and terrorists who use encryption to escape detection. A request for comment on Apple’s lawsuit was not immediately returned.
Apple also said on Tuesday that it would donate $10 million to organizations pursuing cyber surveillance research and advocacy, as well as any damages from the lawsuit.
Apple issued security patches for iPhones, iPads, Apple Watches, and Mac computers in September to address a vulnerability that was allegedly exploited by NSO’s intrusive Pegasus malware. A public interest cybersecurity group called Citizen Lab discovered that a Saudi activist’s phone had been infected with Pegasus, prompting the security update.
Apple announced on Tuesday that the so-called ForcedEntry attack, which exploited a now-patched vulnerability, allowed NSO Group or its clients to get access to a small number of Apple devices and install Pegasus spyware without the victims’ knowledge. Apple stated that it would tell everyone who may have been affected by the hack.
According to Reuters, Apple has begun sending security alerts to Apple users who may be remotely targeted by NSO Group’s Pegasus spyware. Apple is said to have already sent such alerts to at least six Thai activists and researchers who have been critical of their government.
The US Commerce Department took action against NSO Group earlier this month, putting the company on the government’s Entity List and preventing it from selling US technology.