Apple Sues NSO Group For Targeting IPhone Users With Powerful Exploits

NSO Group's year from hell continues. Apple is now suing the Israeli exploit hawker for hacking its customers' iPhones -- customers who include not only the supposed terrorists and dangerous criminals NSO claims its customers target with malware, but also journalists, activists, lawyers, ex-wives, religious leaders, US citizens, and government officials NSO claims its customers don't target.

Apple isn't the first major tech company to sue NSO over its malware. Facebook and WhatsApp sued NSO in 2019, alleging that the use of WhatsApp to deploy powerful exploits violated WhatsApp's terms of use. While this is almost certainly true (deploying malware via WhatsApp is definitely not allowed), WhatsApp appears to want a ruling that would expand the definition of "unauthorized access" under the CFAA (Computer Fraud and Abuse Act) that's already been stretched several times by DOJ prosecutors.

On one hand, it would be undeniably enjoyable see NSO get slapped with an order denying it access to WhatsApp and its users, on the other, it wouldn't be helpful at all to turn research (security and otherwise) that violates sites' terms of use into a federal crime.

Unfortunately, Apple's lawsuit [PDF] appears to be asking for something along the same lines. It also stretches the definition of legal standing, alleging it has the right to sue on the behalf of its users because reacting to the deployment of NSO malware has caused it to spend a bit of its billions closing security holes.

That being said, Apple's legal reps sure know how to open a lawsuit. Here's the first paragraph of the suit's introduction:

Defendants are notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse. They design, develop, sell, deliver, deploy, operate, and maintain offensive and destructive malware and spyware products and services that have been used to target, attack, and harm Apple users, Apple products, and Apple. For their own commercial gain, they enable their customers to abuse those products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even U.S. citizens.

Welp. That's not going to help NSO's presumably permanently damaged SEO. The next paragraph builds on NSO's "amoral mercenary" reputation by pointing to the US Commerce Department's recent blacklisting of the company -- an act that almost never targets companies operating in countries the US considers to be close allies.

It follows these accusations with NSO's own admissions of malfeasance.

NSO admits that its destructive products have led to violations of “fundamental human rights,” which have been widely recognized and condemned by human rights groups and governments, including the U.S. Government. To ensure that their products can be used by others to maximum effect, NSO reportedly provides ongoing technical support and other services to their clients as they deploy NSO’s spyware against Apple’s products and users, including journalists, human rights activists, dissidents, public officials, and others. Most recently, the Guardian reported that six Palestinian human rights defenders—one of whom is also a U.S. citizen—were attacked and surveilled using NSO’s spyware. Although NSO claims that its spyware “cannot be used to conduct cybersurveillance within the United States,” U.S. citizens have been surveilled by NSO’s spyware on mobile devices that can and do cross international borders.