If you made a list of corporations that you’d never want to battle in court, which one would be at the top of that list? Perhaps one with $200 billion in cash? Maybe one with a market cap of $2.8 trillion and the second-most valuable brand in the world?
Last month, a small Israeli company named NSO Group found itself in the crosshairs of Apple, Inc. What’s at stake is an interesting story that extends into the world of privacy, international espionage and export controls.
Who is NSO Group, anyway?
Founded in 2010, NSO Group is a privately held technology firm based in Israel. The company was formed by three ex-members of Israel’s “Unit 8200” (Niv, Shalev and Omri, hence “NSO”). What is Unit 8200? Basically, that’s Israel’s version of the NSA: the military unit responsible for signals intelligence, with a strong emphasis on computer coding and hacking skills. Those skills seem to have come in handy for NSO’s founders, since the company’s primary product is a spyware solution called Pegasus.
Pegasus exploits vulnerabilities in smartphones and is capable of “zero click” surveillance. Unlike spyware that needs the victim to tap a phishing link or open an attachment, Pegasus can be installed on a person’s phone without them taking any action at all, and without their knowledge or consent. This can be done in a variety of discreet ways. One example is an over-the-air (OTA) push message that silently triggers the installation, with nothing shown on screen for the user to notice or decline. Once activated, Pegasus can do all sorts of interesting things, like:
- Activate your microphone/camera (without your knowledge) to record voice and video conversations
- Scrape all of your phone’s information and send it to a “command and control” server
- Track your phone’s location
- Copy emails, texts, and other communications and forward them to whoever is operating Pegasus.
In the lawsuit from Apple, NSO is quoted as saying that its software “enables [clients] … to remotely and covertly extract valuable intelligence from virtually any mobile device.” The story on NSO’s website, however, sounds slightly more … heroic. According to NSO, their product “helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.” Whichever way you spin it, there’s no doubt that NSO’s software capabilities are valuable. It could be used for good or bad. For example, NSO claims its software has been used to find kidnapped children, prevent suicide bombers and break up drug trafficking rings. Others accuse it of selling the software for more nefarious purposes. Citizen Lab and Amnesty International claim that Pegasus has been used over the years to spy on a variety of human rights activists, government dissidents, journalists and political enemies. Was all of this happening just in Israel? Afraid not. NSO is accused of selling Pegasus to customers who used it in a wide range of countries, including Mexico, Saudi Arabia, Qatar, Spain, India, Turkey, Kenya, Yemen, Hungary, Nigeria … and now, the United States.
Ready to buy Pegasus to spy on your neighbor or kids? Better slow your roll. For starters, the company doesn’t even list the spyware on its website. (But you can read about their nifty drone detection solution.) Assuming you can talk to their sales folks, your next hurdle might be cost. According to Apple’s lawsuit, NSO “has asked for fees in excess of $100 million for a single license and charges tens of millions of dollars per customer for its products and services.” In 2018, an Israeli court convicted an ex-NSO employee of stealing a copy of the software and attempting to sell it for $50 million worth of cryptocurrency.
An apple a day …
If “an apple a day keeps the doctor away,” then creating more than 100 fake Apple IDs, violating iCloud’s terms of service, and abusing Apple’s software and services to deliver Pegasus to target iPhones is, well … potentially harmful to your health. According to its lawsuit, this is exactly what NSO Group did to Apple.
Apple claims that NSO Group created fake Apple IDs to target individual phones, then used those accounts to send its iOS exploit, which Citizen Lab named “FORCEDENTRY,” through the iMessage service (crisscrossing Apple’s servers). The exploit arrived as a malicious attachment, a crafted PDF disguised as a GIF image, that abused a flaw in how iOS parses such files, so the target never had to open anything. Part of this activity disabled logging on the user’s phone (presumably to cover NSO’s tracks). Then, the lawsuit alleges, NSO used this opening to deliver the much larger Pegasus payload to the target phones. That payload also transited, and was at times stored in an encrypted and unreadable form on, Apple servers in the United States and abroad. Apple further accuses NSO of providing “consulting and expert services” to its clients in order to help them maximize the effect of Pegasus.
Apple learned of the exploit in September 2021, when Citizen Lab shared a sample it had captured from a Saudi activist’s phone. The company immediately engaged its Security Engineering and Architecture (SEAR) team to identify and patch the vulnerability (tracked as CVE-2021-30860), which resulted in the release of iOS 14.8 on September 13, 2021. Apple had already introduced a sandbox for incoming iMessage content, called BlastDoor, in iOS 14, and it hardened that defense further in iOS 15. Apple does not believe NSO Group has found a way to circumvent BlastDoor on iOS 15; however, it acknowledges that NSO found ways around earlier versions of the feature. The practical takeaway for anyone responsible for a fleet of iPhones is that a device still running anything older than iOS 14.8 remains exposed to this exploit, and iOS 15 is the version Apple actually stands behind. Altogether, Apple says NSO Group has caused it to spend “thousands of hours” addressing Pegasus security flaws and providing updates to thwart these activities.
So, the big question is … who are the targets of all this activity? NSO Group undoubtedly has some idea. Apple also apparently has clues. Earlier this month, the company notified at least nine U.S. State Department officials that their iPhones had been hacked by Pegasus. According to Reuters, these officials are either based in Uganda or working on matters related to that country.
Shouldn’t we control this stuff? Export controls and spyware
Different countries control things in different ways. For example, the Israeli Ministry of Defense is responsible for approving export licenses for NSO Group. Israel claims that it only approves exports to foreign governments for “counterterrorism and severe crimes.” If that’s true, then a deployment of Pegasus on U.S. State Department officials’ phones would be a “severe violation of these provisions.” Since this story broke, Israel has imposed new restrictions on exports of cyber warfare tools. These new restrictions essentially amount to a new end-user/end-use form that must be completed by each Israeli company looking to sell this kind of software. Some critics say this is not enough. For example, in the United States, the buyer of a controlled item must complete end-use/end-user forms … not the seller. According to news reports, the Israeli MoD also paid a visit to NSO Group offices.
So, how does the U.S. control spyware? The ITAR currently controls, in Category XI of the USML, electronic systems, equipment, and software specially designed for intelligence purposes that collect, survey, monitor, or exploit, or analyze and produce information from, the electromagnetic spectrum (regardless of transmission medium), or for counteracting such activities. Further, Category XIII controls military or intelligence cryptographic systems, equipment, assemblies, modules, integrated circuits, components, and software. Under these rules, generally speaking, an export license from DDTC would be required for almost every destination in the world. That license application would state the end user, end use, quantity and value of the items to be exported, as well as any services or support related to the export.
On the EAR side, BIS has finally issued a rule that has been in the making since 2013, when the Wassenaar Arrangement first added controls on “intrusion software.” The rule is intended to restrict only malicious cyber activities; however, some in the industry worry that it will impact the entire cybersecurity industry (meaning legitimate companies that make antivirus software, for example). Similar rules have been in place in Europe since 2017, but the United States had a difficult time reaching consensus on the controls to be added to the EAR, largely because of those concerns from cybersecurity firms. BIS published the interim final rule in October 2021, and it takes effect on January 19, 2022. It adds License Exception ACE (Authorized Cybersecurity Exports), along with new or revised ECCNs 4A005, 4D004, 4E001.a, 4E001.c and 5A001.j. These supplement the existing encryption controls in Category 5, Part 2.
In response to NSO’s activities, the U.S. government has taken the following steps:
- In November, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) placed NSO Group on the Entity List. This means any export, reexport or in-country transfer of items subject to the EAR to NSO Group now requires a BIS license, and BIS reviews such applications under a “presumption of denial,” which in practice cuts NSO off from U.S.-origin hardware, software and technology.
- Earlier this month, some U.S. lawmakers called on the Treasury Department (OFAC) and State Department (DDTC) to place further sanctions on NSO Group, its executives, and three other foreign surveillance companies. Whether this will result in further regulatory action remains to be seen.
In today’s world of information … or misinformation … a tool like Pegasus seems capable of wreaking havoc in all sorts of ways. How it should be controlled and regulated is a question that needs to be answered by the United States and other responsible governments around the globe.
In the meantime, it seems that NSO Group may have awakened a “sleeping giant” by exploiting iPhones for Pegasus. This particular giant earns $11,520 per second. You can buy a lot of legal firepower with that kind of coin. Perhaps an infinite amount.
Tom Reynolds is the Vice President of Operations for Export Solutions, a consultancy firm which specializes in helping companies with import/export compliance.