Apple pulls no punches in lawsuit against 'amoral' NSO Group

Apple has punched back against the "amoral" surveillance-as-a-service industry of smartphone snoopers, filing suit against the NSO Group and its owner, Q Cyber Technologies, and taking steps to further secure digital lives.

Why this should matter to your business

NSO Group is an Israeli spyware firm that provides surveillance services to governments. It effectively privatizes state-sponsored snooping and enables even the most repressive government to outsource such tasks. It has been widely reported that software from NSO Group was used to target family members of murdered Saudi journalist Jamal Khashoggi.

These attacks are expensive and aimed at a very small number of people.

The problem is that some governments also use the technology to spy on journalists, political opponents - even businesses.

It's that last part that may be of most importance, particularly (but not exclusively) to larger enterprises working on highly confidential matters. No business user should approve of unconstrained use of technologies of this kind as they undermine trust and enable disgraceful attempts at business sabotage.

In what could be seen as an ironic representation of that truth, it is interesting that NSO Group has never published a complete list of its clients.

Apple's extensive litigation, described in more detail below, is an attempt to require NSO Group to reveal who it was working for and what data it obtained for those clients. If it succeeds, this will bring some instances of egregious surveillance into the light, where the consequences can be judged by all.

What is Apple saying?

Apple's complaint against NSO Group pulls no punches:

The litigation observes that the US government has sanctioned the company, and seeks redress at every available level, including breach of the terms of use we all agree to every time we use a product.

It also points out that NSO has admitted the attacks it sells for profit have led to violations of fundamental human rights.

What NSO Group had to say

In a very brief statement, NSO Group said:

Apple security chief weighs in

Ivan Krstić, head of Apple Security Engineering and Architecture, doesn't agree:

"At Apple, we are always working to defend our users against even the most complex cyberattacks. The steps we're taking today will send a clear message: In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place."

"Our threat intelligence and engineering teams work around the clock to analyze new threats, rapidly patch vulnerabilities, and develop industry-leading new protections in our software and silicon. Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group."

How Apple threat notifications work

Moving forward, Apple says it will notify users if its security teams spot activity consistent with a state-sponsored attack being made against them. (Update: Reports claim the first such threat warnings have been received across multiple nations).

While most people won't be impacted by such larcenies (in part because these attacks are expensive), they may be directed at certain individuals, such as journalists, politicians, industry leaders, strategically important business leaders, NGOs, and others. It really just depends on whether a government somewhere is willing to pay to surveil.

If Apple discovers activity consistent with a state-sponsored attack, it will send the affected user an email and an iMessage, and place a notification on the Apple ID page. It states:

The notification will also suggest additional steps that can be taken to help protect the targeted person. Apple concedes such attacks are highly sophisticated and evolve over time, which means threat intelligence signals may sometimes yield false positives and that some attacks may not be detected.

Basic security steps everyone should take

Human nature remains both the best and the worst line of defense. We live in a world in which everyone knows hacks happen, but "123456," "password," and "12345" continue to be the top three most commonly used passwords in the US.

While I imagine most business owners and employees understand the need to display more security intelligence than that, it's not reassuring that even today so many people don't. And while you can argue in the context of state-sponsored attacks that a person's password is unlikely to provide all the defense you need, it does provide some protection.

In addition, while you may be highly secure, your close relative may not be - and their vulnerability represents an attack surface hackers can and do use en route to undermining your security. Like coronavirus, in this connected world no one is safe until everyone is safe.

Apple has published the following best practice recommendations:

What claims for relief has Apple made?

Apple has made four claims for relief against NSO Group under the following counts:

What does Apple want?

Apple seeks numerous injunctions and financial penalties to punish NSO Group and also provide insight into who its clients are and whose data they obtained.

These include:

What about the security researchers?

Apple paid tribute to the independent security teams that have been investigating the work NSO Group does. The company is offering much more than lip service. It is contributing $10 million to support cybersurveillance researchers and advocates and says any compensation received as a result of the NSO litigation will be poured into the same pot.

In other words, Apple is prepared to flex its legal muscle to take on an international organization accused of human rights abuses against its customers, and is also very happy to invest in research it thinks may be able to help protect customers against such acts.

Apple will also support what it called the "accomplished" researchers at the Citizen Lab with pro-bono technical, threat intelligence, and engineering assistance. Where appropriate, it will offer the same assistance to other organizations doing critical work in this space.

What Apple says about NSO Group attacks

Apple also shared new information on NSO Group's FORCEDENTRY exploit, which was used to break into a victim's Apple device and install the latest version of NSO Group's spyware product, Pegasus. The exploit was originally identified by the Citizen Lab, a research group at the University of Toronto.

To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim's device. These allowed NSO Group or its clients to deliver and install Pegasus spyware without a victim's knowledge. While Apple's servers were misused during the process, the company's servers were not hacked or compromised.

I'm pleased to see Apple take this action and I hope its litigation against NSO succeeds.

While NSO argues that it acts within the law and has vigorous protections in place, it seems appropriate that it should be forced to prove this to be true. After all, Amnesty International has identified at least 180 journalists around the world who have been attacked by Pegasus, which suggests the tech has in fact been abused.

As Apple CEO Tim Cook warned in 2018:

"We see vividly - painfully - how technology can harm rather than help. Platforms and algorithms that promised to improve our lives can actually magnify our worst human tendencies. Rogue actors and even governments have taken advantage of user trust to deepen divisions, incite violence, and even undermine our shared sense of what is true and what is false."

I continue to believe tools such as those provided by NSO or mandated security back doors into products will enable more criminal and terrorist activity than they prevent.
