Apple Sues NSO Group For Targeting IPhone Users With Powerful Exploits

Legal Issues

from the [applauds-super-cautiously] dept

NSO Group’s year from hell continues. Apple is now suing the Israeli exploit hawker for hacking its customers’ iPhones — customers who include not only the supposed terrorists and dangerous criminals NSO claims its customers target with malware, but also journalists, activists, lawyers, ex-wives, religious leaders, US citizens, and government officials NSO claims its customers don’t target.

Apple isn’t the first major tech company to sue NSO over its malware. Facebook and WhatsApp sued NSO in 2019, alleging that the use of WhatsApp to deploy powerful exploits violated WhatsApp’s terms of use. While this is almost certainly true (deploying malware via WhatsApp is definitely not allowed), WhatsApp appears to want a ruling that would expand the definition of “unauthorized access” under the CFAA (Computer Fraud and Abuse Act) that’s already been stretched several times by DOJ prosecutors.

On one hand, it would be undeniably enjoyable see NSO get slapped with an order denying it access to WhatsApp and its users, on the other, it wouldn’t be helpful at all to turn research (security and otherwise) that violates sites’ terms of use into a federal crime.

Unfortunately, Apple’s lawsuit [PDF] appears to be asking for something along the same lines. It also stretches the definition of legal standing, alleging it has the right to sue on the behalf of its users because reacting to the deployment of NSO malware has caused it to spend a bit of its billions closing security holes.

That being said, Apple’s legal reps sure know how to open a lawsuit. Here’s the first paragraph of the suit’s introduction:

Defendants are notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse. They design, develop, sell, deliver, deploy, operate, and maintain offensive and destructive malware and spyware products and services that have been used to target, attack, and harm Apple users, Apple products, and Apple. For their own commercial gain, they enable their customers to abuse those products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even U.S. citizens.

Welp. That’s not going to help NSO’s presumably permanently damaged SEO. The next paragraph builds on NSO’s “amoral mercenary” reputation by pointing to the US Commerce Department’s recent blacklisting of the company — an act that almost never targets companies operating in countries the US considers to be close allies.

It follows these accusations with NSO’s own admissions of malfeasance.

NSO admits that its destructive products have led to violations of “fundamental human rights,” which have been widely recognized and condemned by human rights groups and governments, including the U.S. Government. To ensure that their products can be used by others to maximum effect, NSO reportedly provides ongoing technical support and other services to their clients as they deploy NSO’s spyware against Apple’s products and users, including journalists, human rights activists, dissidents, public officials, and others. Most recently, the Guardian reported that six Palestinian human rights defenders—one of whom is also a U.S. citizen—were attacked and surveilled using NSO’s spyware. Although NSO claims that its spyware “cannot be used to conduct cybersurveillance within the United States,” U.S. citizens have been surveilled by NSO’s spyware on mobile devices that can and do cross international borders.

Then it starts talking about the damage Apple itself has suffered as a result of NSO customers targeting iPhone users.

Defendants force Apple to engage in a continual arms race: Even as Apple develops solutions and enhances the security of its devices, Defendants are constantly updating their malware and exploits to overcome Apple’s own security upgrades.

These constant recovery and prevention efforts require significant resources and impose huge costs on Apple. Defendants’ unlawful malware activities have caused and continue to cause Apple significant damages in excess of $75,000 and in an amount to be proven at trial.

That’s the amount of damages needed to keep a lawsuit in federal court. But further into the lawsuit, Apple specifically cites the law amended by the CFAA and quotes a much lower price for actual monetary damages.

Defendants’ actions caused Apple to incur a loss as defined by 18 U.S.C. § 1030(e)(11), in an amount in excess of $5,000 during a one-year period, including the expenditure of resources to investigate and remediate Defendants’ conduct.

That puts the CFAA in play as Apple advocates on behalf of its users and its own defensive efforts. But standing is a tricky thing, as is attempting to hold NSO directly responsible for the activities of its customers.

Apple attempts to show standing by claiming end users are only borrowing the software it creates, so iPhone users targeted by NSO malware are, in effect, having their rented homes damaged by home invaders. Apple is the landlord, so to speak, so it believes it is due direct compensation for something that happened to its tenants. This is a dangerous argument to make, considering its the same one the DOJ deployed when it was trying to force Apple to break encryption on the San Bernardino shooter’s iPhone.

Defendants violated and attempted to violate 18 U.S.C. § 1030(a)(2) because they intentionally accessed and attempted to access the iOS operating system on Apple’s users’ devices without authorization and, on information and belief, obtained information from Apple’s users’ devices.

Defendants violated 18 U.S.C. § 1030(a)(4) because they knowingly and with the intent to defraud accessed the operating system on Apple’s users’ devices without authorization using information from Apple’s servers and then installed highly invasive spyware on those Apple users’ devices, and by means of such conduct furthered the intended fraud and obtained something of value.

[…]

Apple retains ownership of its operating-system software pursuant to its Software License Agreements.

We’ll see whose stretching works better. Apple wants to be able to represent users who’ve been targeted, citing its licensing and its own (apparently minimal) expenses related to patching security holes. NSO, on the other hand, will want out of this suit and has deployed some creative arguments of its own defending itself against WhatsApp’s litigation.

It remains to be seen whether its argument that it can’t be sued directly for the actions of its customers will convince the court WhatsApp’s lawsuit should be dismissed. But it has already seen another of its defenses shot down at the appellate level, which refused to extend sovereign immunity to the private company that sold exploits to government agencies. The Ninth Circuit refused to buy the argument that selling stuff to government agencies makes one an extension of that government agency for immunity purposes.

We’ll see what the court makes of this one. We already know at least one of NSO’s defenses is foreclosed by precedent. But we shouldn’t necessarily cheer Apple on just because the target of its suit is reprehensible. A ruling in favor of Apple’s CFAA allegations could prove disastrous for researchers and others who bypass terms of service restrictions for far less malignant reasons.

On the bright side, Apple is handing out a lot of money to researchers who’ve exposed plenty of malfeasance by NSO Group’s customers.

Apple commends groups like the Citizen Lab and Amnesty Tech for their groundbreaking work to identify cybersurveillance abuses and help protect victims. To further strengthen efforts like these, Apple will be contributing $10 million, as well as any damages from the lawsuit, to organizations pursuing cybersurveillance research and advocacy.

Apple will also support the accomplished researchers at the Citizen Lab with pro-bono technical, threat intelligence, and engineering assistance to aid their independent research mission, and where appropriate, will offer the same assistance to other organizations doing critical work in this space.

On top of this, Apple will continue notifying users it believes have been targeted by NSO malware, which is only going to result in more negative press for the malware purveyor. If NSO wanted to be perceived as a skilled warrior in the fight against international crime and terrorism, it blew that chance when it decided to sell to notorious human rights abusers and engage in zero oversight of the use of its products. It earned the reputation it now has and will carry with it forever, no matter how this lawsuit plays out.

Filed Under: cfaa, exploits, iphones, license, malware, ownership, research, spyware
Companies: apple, nso group