By John Gruber
Upgraded — Get a new MacBook every two years. From $36.06/month with AppleCare+ included.
Apple Newsroom:
Apple’s legal complaint provides new information on NSO Group’s FORCEDENTRY, an exploit for a now-patched vulnerability previously used to break into a victim’s Apple device and install the latest version of NSO Group’s spyware product, Pegasus. The exploit was originally identified by the Citizen Lab, a research group at the University of Toronto. [...]
NSO Group and its clients devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices. To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device — allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge. Though misused to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the attacks.
A couple of things are interesting about this. First, Apple repeatedly refers to the “FORCEDENTRY” exploit by name. This is not PR bullshit — they’re talking about a very specific exploit. Second, they refer to Android as their compatriot, not their competitor. There’s a time and place for Apple to brag about iOS being more secure than Android, but this isn’t it. The message here: “This isn’t just about us, NSO Group is after everyone.”
Lastly, the phrase “the immense resources and capabilities of nation-states”. This is Apple hammering home the fact that deliberate backdoors would be exploited. They’re up against countries with, effectively, infinite money and resources to find and exploit accidental vulnerabilities. If there were deliberate backdoors, the game would be over before it started.
Apple commends groups like the Citizen Lab and Amnesty Tech for their groundbreaking work to identify cybersurveillance abuses and help protect victims. To further strengthen efforts like these, Apple will be contributing $10 million, as well as any damages from the lawsuit, to organizations pursuing cybersurveillance research and advocacy.
The New York Times story on this mentioned that Apple would be donating any damages from the lawsuit, if they win. It’s a nice touch that they’re donating $10 million no matter what happens in court. Citizen Lab and Amnesty Tech did crackerjack work exposing this exploit.
Apple is notifying the small number of users that it discovered may have been targeted by FORCEDENTRY. Any time Apple discovers activity consistent with a state-sponsored spyware attack, Apple will notify the affected users in accordance with industry best practices.
Interesting!
★ Tuesday, 23 November 2021