
Luxembourg link

Apple sues NSO spyware firm over phone hacking



Apple has filed a lawsuit against Israeli spyware firm NSO, which has back office entities in Luxembourg. Photo: Shutterstock

Apple is following WhatsApp and pressing legal charges against Israeli spyware firm NSO, which has ties to Luxembourg, for targeting users of Apple’s devices.

The Pegasus revelations this year provided evidence of the widespread use of the NSO software by governments to spy on opposition groups, dissidents, activists and journalists. The leak included a list of 50,000 potential targets, although it is not clear how many of them were actually hacked.

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of software engineering, in a press release.

Apple is also seeking a permanent injunction to ban NSO from using any Apple software, services or devices.

Luxembourg’s foreign ministry earlier this year confirmed that NSO operates nine entities in the grand duchy, saying they carry out back-office activities. None of the entities are authorised to export cyber-surveillance products.

NSO’s ties to Luxembourg were revealed after the spyware firm was linked to the murder of Saudi Arabian journalist Jamal Khashoggi.

Activists have called for the group to be banned from operating in the grand duchy and for human rights due diligence laws to be established. These would require companies to ensure human rights standards along their value and supply chains.

“In a free society, it is unacceptable to weaponise powerful state-sponsored spyware against those who seek to make the world a better place,” said Ivan Krstić, head of Apple security engineering and architecture.

Company blacklisted in US

Apple’s legal complaint provides new information on NSO’s so-called “Forcedentry”, an exploit that used software vulnerabilities to install the company’s Pegasus spyware.

“Attackers created Apple IDs to send malicious data to a victim’s device--allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge,” the company said.

Apple follows WhatsApp in taking NSO to court. An appeals court in California earlier this month threw out a claim of immunity by NSO. The next phase of court proceedings will establish whether NSO can be held responsible for the attacks.

The company has denied any wrongdoing, saying its customers include vetted government clients who buy the software to combat crime and terrorism. It said it doesn’t know how clients use the programme.

The Biden administration on 3 November said it had put NSO on a commerce department blacklist for engaging in activities contrary to US foreign policy and national security.

NSO’s CEO-designate Isaac Benbenisti quit the company after it was blacklisted. Benbenisti was supposed to replace co-founder Shalev Hulio as chief executive officer so that Hulio could move into new roles as vice-chair and global president. Hulio will remain CEO for the time being.

Support for advocacy

Apple also said it would be contributing $10m to organisations pursuing cybersurveillance research and advocacy as well as paying any damages from the lawsuit. The tech company will also support the Citizen Lab, a research group at the University of Toronto which had first uncovered the exploit, with free technical, threat intelligence and engineering assistance.

“Mercenary spyware firms like NSO Group have facilitated some of the world’s worst human rights abuses and acts of transnational repression, while enriching themselves and their investors,” said Ron Deibert, director of the Citizen Lab. “I applaud Apple for holding them accountable for their abuses, and hope in doing so Apple will help to bring justice to all who have been victimised by NSO Group’s reckless behaviour.”

Luxembourg prime minister Xavier Bettel (DP) in an interview last month appeared to confirm that the country’s secret service had also purchased the technology. However, he later said that he had more generally spoken about surveillance software and not Pegasus specifically.