Apple has filed a lawsuit against NSO Group relating to their installation of Pegasus spyware on Apple users’ devices. Apple wishes to hold NSO Group accountable for their surveillance of users.
Apple has taken the significant step to begin notifying individuals about the threat of state-sponsored attacks on their accounts and devices. Apple is suing NSO Group and its parent company to attempt to hold them accountable for surveillance of Apple users. Their lawsuit, filed November 23, 2021, seeks an injunction to ban NSO Group permanently from using any Apple software, services, or devices. It comes after NSO Group has been shown to have infected Apple users’ devices with Pegasus spyware.
Apple’s Actions to Notify Impacted Users
Apple threat notifications are intended to provide warnings to individuals who may have been targeted by state-sponsored attacks. They use two different methods to notify the user through their account. When logging into appleid.apple.com, there will be a Threat Notification displayed at the top of the page. Additionally, the user will receive an email and an iMessage notification to the email addresses and phone numbers associated with their Apple ID account. The notifications offer advice on the steps that they can take to improve their security and protect their devices and personal information.
In a press release, Apple’s senior vice president of Software Engineering, Craig Federighi, said, “State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change.”
NSO Group Allegations
The legal complaint from Apple reveals new information about the activities of NSO Group. It highlights FORCEDENTRY, which exploited a former vulnerability to gain access to Apple devices and install the NSO Group’s spyware Pegasus. The lawsuit from Apple intends to both ban NSO Group from having access to Apple products and services and to seek action on the violation of federal and state law by the NSO Group.
WhatsApp Similar Litigation
In 2019, WhatsApp also brought a court case aiming to hold NSO Group accountable for distributing their spyware through the app. A group of other tech companies, including Google and Microsoft, lent their official support to WhatsApp to encourage the United States Court of Appeals for the Ninth Circuit to hold NSO Group accountable.
Apple responds by funding Cyber Threat Research
Apple has also announced a $10 million contribution in support of cyber-surveillance researchers and advocates. Any damages from the lawsuit have also been pledged to organizations in these areas. Apple is also supporting Citizen Lab, a research group at the University of Toronto that originally discovered the exploit that NSO Group used, by providing technical, threat intelligence, and engineering assistance at no charge. They will also provide assistance to other organizations doing work in the same field, where appropriate.
Ron Deibert, director of the Citizen Lab at the University of Toronto said, “Mercenary spyware firms like NSO Group have facilitated some of the world’s worst human rights abuses and acts of transnational repression, while enriching themselves and their investors. I applaud Apple for holding them accountable for their abuses, and hope in doing so Apple will help to bring justice to all who have been victimized by NSO Group’s reckless behavior.”In response to the complaint, NSO Group replied, “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers”. They said, “Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments with the lawful tools to fight [them]. NSO group will continue to advocate for the truth.”
Are Contact Tracing APPs ethical? Are you willing to give up your private data to help slow the spread of the Coronavirus? Check out what these experts have to say!
Apple and Google have the capability that allows cell phones to communicate with each other. Contact Tracing Apps use this capability and have been developed to find and alert the contacts of people infected with the Coronavirus / COVID-19. As soon as someone gets sick with Coronavirus, the APP could alert you if this is someone you have been in contact with. Alleviating the length of time it takes for a real live Contact Tracer who is doing the tracing. Basically, this is widespread human GPS tracking, that presents many privacy issues involving potential data breach, information storage, and sharing sensitive personal data. Should sensitive medical information and individual locations be available on an APP? Do you believe this type of electronic contact tracing is ethical?
Check out this video to listen in on experts as they consider the amount of data that is being collected and what it means for your data when you download a Contact Tracing APP.
Video Transcripts Follow
Lee Neubecker (LN): Hi this is Lee Neubecker from Enigma Forensics and I have Debbie Reynolds back on the show, thanks for coming back Debbie.
Debbie Reynolds (DR): Thank you for having me, very nice to be here.
LN: So I’m very interested to hear more of what your research is regarding contact tracing apps, and what you think that means for individuals that might put these apps in their phone. Tell me a little bit about what’s happening right now with the industry and how contact tracing apps are working.
DR: Yeah, so Apple and Google created a capability so that phones can communicate with each-other via beacon. So that they can store information on phones, or have phones bounce off of one another, so that if someone downloads a contact tracing app or registers there, if anyone who also has the app, it will be able to trace back, y’know, how long they spent with certain people and tell them whether they feel like they may have been exposed in some way, and tell them either to quarantine or go seek treatment in some way, or get tested. So it’s pretty controversial, the contact tracing app, for a couple of different reasons. One is, people are very concerned about privacy, like giving their potential medical information to a company that’s not a medical provider, meaning that they’re not protecting the data the same way. Also, as you know, Bluetooth technology isn’t exactly super accurate in terms of the distance that you are from someone, so the delta, in terms of how accurate it can be, may be way off. It may be several meters off, the phone can’t tell if you’re six feet apart or whatever, so I think that they’ve tried to tune that up with this new API that they created, but still, based on the science, we don’t know that it’s actually accurate or not.
LN: So you could still have a situation where, if you put one of these apps on and you’re outside biking, and you bike within 8 to 10 feet of someone who later does have it that you’re getting notified that you have to quarantine on a false basis. That’s a potential outcome of using an app like that, correct?
DR: Yeah, but I think that the way they having it now is that it’s supposed to register you spent more than 15 minutes near that person, so, y’know.
LN: Okay, that’s good to know.
DR: But let’s say you’re parked in your car and someone’s parked next to your car, so you aren’t physically near, y’know, you aren’t in any danger from that person but you wouldn’t know, just because your phone says you’re close to them. They don’t understand the circumstance that you’re in, to be able to tell that, so. I think people are concerned about, a lot about privacy, them taking the data or how the app is actually going to work, and it’s going to work differently in different countries. So what they’ve done is create this API, this capability that’s put on everyone’s phone, and then if you download the app, the app which you use will use that API to actually do this beacon exchange on people’s phones. So, that’s kind of what’s happening right now, is different countries and different places are implementing it in different ways, and some are really pushing back on them because they don’t have really any good guarantees about privacy, or data breach, data breach is a huge issue.
LN: Yeah, I mean, our Government’s never had data in their custody compromised ever, right? wink..wink
DR: Right, that never happened, exactly, so-
LN: You’re having your maps of where you’re walking, your GPS records-
DR: Yeah.
LN:time of day, your movement and that is going to Google and Apple, and under certain conditions they’re passing that data on to the CDC or other entities, law enforcement, enforcement groups.
DR: Well their concern is that data, because it’s at a private company, will get merged with other things, like let’s say your insurance carrier, or your medical, y’know, you get dropped from your insurance because you have this app-
LN: You drive too fast.
DR: No because you have this app, and they think that you may have been exposed, or you’re a higher risk, or a bank doesn’t want to give you a loan or something, because you have this app on your phone. I’ve been hearing a lot of different scenarios people are concerned about. But I’m curious, from your perspective, in terms of how certain things are stored on phones. I know beacons is a really big idea, but maybe you can explain a little bit about how Bluetooth actually works?
LN: Yeah, well Bluetooth is a near band wavelength that allows for peer-to-peer networking. Bluetooth has been exploited in the past to be able to take over devices, so it’s, a lot of people don’t like to have their Bluetooth on continuously because you’re opening your phone up to potential attacks, cyber attacks, via Bluetooth. You’re also broadcasting, when you have Bluetooth on you’re also broadcasting your MAC address identifier, your Bluetooth unique address and there have already been issues where retailers in London at one time, they had kiosks outside that would track the shoppers and they’d know how long they were at certain stores, and they’d use that information to serve custom video ads to people as they’re shopping and walking by.
DR: Right.
LN: So there’s privacy implications and security implications of having Bluetooth on all the time.
DR: Yeah, and that’s a big concern. So I know when I first heard this, about them doing this contact tracing, I was wondering like how exactly would they get the proximity right, and because we have no visibility to that we really don’t know, right?
LN: No.
DR: So we just have to sort of trust the black box and see what happens, to some extent, but I, for me I think my opinion is that contact tracing is a profession, it’s not an app. So, there are people who do this as a profession, only, let’s see, 55% of people in the world don’t even have smart phones, so you’re talking about a capability that’s only for 45% of the people, and not all those people are going to actually volunteer to get these apps.
LN: Yeah.
DR: So it doesn’t really help to contact, for people who do contact tracing, except it adds another layer that they have to work with because they still have to track people whether they have cell phones or not.
LN: It’s interesting stuff, thanks for bringing that to our viewers’ attention and thanks for being on the show again.
DR: All right, thank you so much, I really appreciate it.
The recent Pensacola Naval Air Station shooting left the FBI with the assailant’s locked iPhone. Apple has refused efforts to assist with bypassing the security features. Should legislation require Apple provide a back door to law enforcement? Hear more about the cell phone privacy debate between two noted cyber and privacy experts.
On Friday, December 6, an aviation student from Saudi Arabia opened fire in a classroom at the Pensacola Naval Air Station (NAS) killing three people in the attack and injuring eight others. Another Saudi student recorded the shooting events as it unfolded. The shooter was identified as Mohammed Saeed Alshamrani, an aviation student from Saudi Arabia. The assailant’s name doesn’t really matter because the question in these national security threats remains the same.
How does law enforcement obtain personal information off smart devices in a timely fashion?
What role does cell phone privacy play when it comes to terror attacks such as the most recent Naval Air Station attack?
Leading computer forensic expert Lee Neubecker, CEO & President of Enigma Forensics discusses with the Data Diva, Debbie Reynolds of Debbie Reynolds Consulting about the many technical tools in their arsenal that’ll offer solutions in these cases.
Cell Phone Privacy: Naval Air Station Attack – Final Video of 4-part series
The transcript for Cell Phone Privacy – Naval Air Station Attack follows:
Lee Neubecker: Hi, I’m back again with Debbie Reynolds, the data diva. Thanks for being on the show again.
Debbie Reynolds: Thank you, Lee.
LN: So, we’re finishing up our multi-part series relating to cell phone forensics, as it relates to the FBI’s desire to get Apple and other information from the cell phone makers so that they can unlock their phones.
DR: Right, so there was a recent shooting, unfortunately, in Pensacola, at the Naval Air Station and because there were people who were recording the attack, they’re interested in being able to get information from those cell phones and this is renewed calls, as was the case with the San Bernardino attack in California in 2015, to have Apple help law enforcement unlock particular cell phones of folks.
LN: Yeah, as Debbie was saying, with the Pensacola Naval Air Station, what had been reported in the associated press was that a Saudi national student who was getting training out of the navy facility, which, our government trains foreign nationals and other militaries and has been doing that for a long time but some of the Saudi students had been watching, earlier that evening, they had been watching videos of mass shootings before the shooting took place. And during the shooting that she said, one of the students had been recording the events as they unfolded and likely has data on cell phones and other information.
DR: Right, I think the issue is, you know, is law enforcement able to get this information without accessing the cell phone and the chances are, possibly yes. But there are many different ways to get it.
LN: Yeah but this week they asked Apple for help to get in and they said they haven’t been able to get in the phone but like what happened with San Bernardino, it’s not entirely clear if they had fully used their capabilities, like their mobile access unit, had that unit exhausted their capabilities, had they reached out to third party vendors and computer forensic consultants and firms, like myself or others.
DR: That does this every day, yes.
LN: Or even the Israeli firm, called Cellebrite, which makes the equipment used by many forensic people, like myself, that was ultimately successful in unlocking the San Bernardino terrorist’s phone.
DR: Well, the one thing I will say is, in 2015, the phones have gotten a bit more advanced, the encryption is better but if, for example, people are taping things on cell phones, typically, they’re sharing it with other people so you may be able to get the information from another person’s phone, if the phone is backed up, you may be able to get the data from a backup, you may be able to get phone records about who they were calling or who they were texting, even though you may not get the actual footage, there are a lot of different ways to triangulate this information.
LN: And if they plugged their cell phone into their computer, a lot of times, it will automatically create a backup file but, in this case, I think the, you know, the FBI has a legitimate interest in wanting to know who were they texting right beforehand, were other people involved so I support that but I think that there are different means of how to accomplish their goal.
DR: Absolutely, absolutely. So, I think, the way that the story was told in the media, it makes it seem as though the only way the information can be gotten to is to have Apple or other cell phone makers create a vulnerability that anyone can use on any phone and I don’t think that that’s exactly true.
LN: No.
DR: Because we’ve not seen that in the field and many of us work with cell phones every day.
LN: Well, there was, recently disclosed, a vulnerability in every iPhone up to, not including, the very latest model but every iPhone relating to the Bootrom, where the phone can be, you know, basically, bootlegged and taken over until it’s rebooted, then it resets so I’m sure that there’s already bypass means on 95% of the iPhones out there, since most people aren’t running the latest model but again, the concern here is that it almost seems like there’s an effort to try to change the policy, you know, Director Comey, from the FBI, Former Director Comey had repeatedly stated that we need to be able to defeat encryption but by its nature, it’s like saying everyone should have weak locks on all their doors and companies shouldn’t lock their stuff up so that’s going to lead to problems in, you know, as I said, in the prior segment, a multi-key solution that has unlocked but specific to an individual user’s cell phone, with approval by the court, I think that is a much better solution than having a master key that can open up any phone.
DR: I think so and, I mean, we’ve seen in other cases, even though it’s not about terrorism, obviously, with the Jussie Smollett issue in Chicago, they were able to get a ton of information so they went to Uber, they had surveillance cameras, they had phones, I mean, the–
LN: They get GPS records on phones.
DR: Oh, all kinds of stuff.
LN: You can get cell phone tower records and then you have all these third-party apps like, you know, the secure Signal and WhatsApp, well, is it very secure if you get one of the two phones?
DR: Right.
LN: Not exactly because you can see all the messages.
DR: Oh, absolutely and I think Paul Manafort, unfortunately, found this out the hard way when he was using WhatsApp to chat with people about illegal dealings and the forensic folks were able to get the exact chat and all the texts because he had backed it up to his iPhone or his iCloud, I believe, so.
LN: It’s interesting now, you discover, these days, when things get involved with what was intent on a business deal gone wrong or was there fraud or misrepresentation, you know, getting, finding out what the text messages are and who was texting with which party and what did they say, that can be very important and litigation, still, it seems that text messages are just starting to come upon the attorney’s radar, for asking for that information.
DR: Well, it’s coming up on their radar ’cause people use many different means so someone may start with an email and then go to maybe Snapchat or go to texts, so.
LN: Or Slack.
DR: Or Slack so there are many different, yeah, right.
LN: You’ve got these other platforms that are just, that should be part of the discovery, that are getting ignored, unless you have an attorney or advisors, like us.
DR: Yes.
LN: Helping to make sure that you get that information.
DR: Exactly, exactly, it’s not easy because it’s not as linear as you think it would be but if you know that you have this information, that it’s out there, it’s possible to find ways to get it. Obviously, the cell phone would probably be the easiest way to at least be able to help you point to where things are but there are different ways to be able to get the information, not necessarily, so you do need the cell phone for the actual texts, the text message but.
LN: But sometimes people have that hooked up to their computer too.
DR: Yes, that’s true, right, that’s true.
LN: So their computer might have, you know, people who have an Apple laptop and running that, you might be able to get the messages off the laptop, which is yet another means of getting the data and then, you know, there are entities that do log the messages in between so you have the servers that they cascade through so there’s a lot of places that the information can be found and, you know, before a mass policy change is made to just by giving an open key, you know, people need to think this through because, you know, we had keys, master keys that open in the past, those keys have gotten leaked and it’s created a lot of problems.
DR: No, absolutely, I think that’s the villain in almost any little movie you could think of, someone who has a master bit of information that can rule the world so this is definitely something that needs to be thought through and we already know that there are, you know, other things that can be done that don’t require, currently, a master key.
LN: Yeah, well, one of the ways that all of you can show your appreciation if you like our videos, is click like, share the videos out and sign up for our blogs and check ’em out, thanks a bunch for being on the show again.
DR: Thank you, Lee, this was fantastic.
LN: Have a good day, everyone.
DR: Goodbye.
More about Cell Phone Privacy
Enigma Forensics can help gain access to locked personal devices. Choose an expert!
More on Naval Air Station: Cell Phone Privacy.
FBI says…Deceased Assailant’s Locked Phones a Hurdle for Investigators.