Apple suing hacker firm NSO after being alerted to spyware vulnerability | CBC News

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice-president of software engineering.

The move by Apple comes after cybersecurity watchdog group Citizen Lab, at the University of Toronto, warned Apple of a vulnerability in its software that could allow a type of spyware called Pegasus to infect Apple devices without the user doing anything or knowing about it.

How Pegasus works

Security researchers have found Pegasus being used around the world to break into the phones of human rights activists, journalists and even members of the Catholic clergy.

Pegasus infiltrates phones to vacuum up personal and location data and surreptitiously controls the smartphone’s microphones and cameras. Researchers have found several examples of NSO Group tools using so-called “zero click” exploits that infect targeted mobile phones without any user interaction.

NSO claims it created the spyware for legitimate law enforcement purposes, but cybersecurity experts have long suspected the company has no qualms about who or what it sells its services to.

“It is important for all of us to have awareness of what NSO Group has been up to,” said Chester Wisniewski, principal research scientist at security firm Sophos, in an interview with CBC News. 

“Those of us who look into spyware, which is ultimately what NSO Group produces, have suspected them of doing this for years.”

The hacker company did not immediately respond to a request for comment.

“Mercenary spyware firms like NSO Group have facilitated some of the world’s worst human rights abuses and acts of transnational repression while enriching themselves and their investors,” Citizen Lab’s director Ron Diebert said in a statement. “They claim they are selling a carefully controlled “lawful interception” tool, but in reality what they are providing is despotism-as-a-service.”

Wisniewski agrees that Citizen Lab deserves some credit, both for finding the proof of what NSO was up to and drawing attention to it by bringing the focus to such a high profile company such as Apple.

“If Citizen Lab hadn’t done the work they had done, Apple probably wouldn’t be as upset about it, and therefore they wouldn’t have done anything,” he said.

Exiled NSA contractor Edward Snowden also credited Citizen Lab with shining a light on the issue.

Growing list of lawsuits

It’s the latest blow to the hacking firm, which was recently blacklisted by the U.S. Commerce Department and is currently being sued by social media giant Facebook.

The Biden administration announced this month that NSO Group and another Israeli cybersecurity firm called Candiru were being added to the “entity list,” which limits their access to U.S. components and technology by requiring government permission for exports.

Apple also announced Tuesday that it was donating $10 million US, as well as any damages won in the NSO Group lawsuit, to cybersurveillance researchers and advocates.

While he welcomes Apple’s move, Wisniewski says it ultimately probably won’t solve the problem. 

“It’s unlikely to have any effect whatsoever on NSO Group continuing to do what they do,” he said. “It’s not going to stop them from producing spy tools and continuing to sell them to to governments.”