Apple v. NSO Group: How will it affect security researchers?
While the full extent of its impact won't be known until the lawsuit concludes, negative consequences for security researchers are possible.
When it comes to the Apple v. NSO Group lawsuit, interpretations of the Computer Fraud and Abuse Act could set a precedent for the security research community.
Last month, Apple sued the Israel-based spyware vendor for what it claimed were deliberate attacks against its customers. Part of the lawsuit claimed an exploit allegedly developed by NSO, dubbed ForcedEntry, was used to spread spyware through Apple servers. In a recent blog post, researchers from Google's Project Zero called ForcedEntry "one of the most technically sophisticated exploits we've ever seen."
This is not the first lawsuit brought against NSO, whose Pegasus software has been implicated in illicit cybersurveillance use that includes malicious attacks against journalists, activists and government officials. In 2019, Facebook sued NSO for allegedly accessing WhatsApp servers to install Pegasus malware on users' devices.
While infosec experts agree additional pressure against the NSO Group is a positive, the legal implications could be complicated for security researchers.
One aspect that could have troubling consequences for security research, according to Riana Pfefferkorn, research scholar at the Stanford Internet Observatory, is Apple's assertion that it retains an interest in the iOS code running in users' iPhones and that it is willing to sue for violations of the terms of use that users agree to when creating an Apple ID. The same arguments, she said, could just as easily be leveraged against researchers trying to test iOS security on devices they own and for which they've created an Apple ID.
"The precedent set in litigation against 'black hat' hackers can then be leveraged against 'white hats,'" Pfefferkorn said in an email to SearchSecurity.
Cindy Cohn, executive director of the Electronic Frontier Foundation, agreed that the outcome of the lawsuit runs the risk of setting a negative precedent for security researchers, such as The Citizen Lab, which disclosed the ForcedEntry flaw to Apple in September.
On the other hand, Hank Schless, senior manager of security solutions at Lookout, said the risk of the lawsuit setting a precedent against good-faith security research is low. "People understand that Pegasus has been used for nefarious intent," Schless said in an email to SearchSecurity.
Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, said it's too early to assess the risks to independent security researchers, but that all eyes will be on the lawsuits from both Apple and Facebook. He named one potential risk to domestic security researchers: the international jurisdiction question that complicates suing a foreign defendant such as NSO would not arise when the researcher and the software provider are in the same country.
"A security researcher who is accused of 'breaking the terms and conditions' of a service within the same country as the software provider would have one less legal layer to protect themselves," Holland said in an email to SearchSecurity.
The legal implications for researchers will come down to how the Computer Fraud and Abuse Act (CFAA), which Cohn described as a "ridiculously bad law, even when it was written," is interpreted.
"I think it is absolutely possible, and important, that the CFAA be interpreted in a way that really aims at the folks who are supplying this technology to repressive governments knowing that it's going to be misused, and not to the very people who brought us this news about the Pegasus papers, Citizen Lab and other security researchers," Cohn said. "So it takes a little careful parsing to make sure that you get this right, but it's doable."
Trouble with the CFAA
The ongoing lawsuit involves the CFAA, a federal anti-hacking law that prohibits accessing a computer without authorization or in excess of authorized access. The outdated and often broad legislation was enacted in 1986 and has not been amended since 2008, despite rapid changes in the technology it governs.
"From my perspective, outdated makes it sound like it was a good idea at one point in time. The CFAA was never a good idea," Cohn said.
Apple is accusing NSO of violating that law by "knowingly accessing the operating system on users' devices without authorization." More specifically, Apple alleges that NSO installed Pegasus without user authorization.
The CFAA, according to Cohn, is a rough tool for this lawsuit.
"What Apple is saying is that breaking into the user's computers, their phones, was done without the consent of the user. Security researchers are generally working on either their own tools or tools where they have the ability to get permission to break into the actual device," Cohn said.
However, the CFAA, as applied to this lawsuit, raises several questions for Cohn, chief among them: who gets to do the authorizing? That question is central, she said, not only because users are constantly on other people's computers, but because the software running on their own devices is owned by other companies. In this instance, will authorization be up to the user, or to Apple?
If it continues to be the user who can hack their own devices, or give someone else permission to do so, then Cohn said there will be a wide lane for security researchers, which is good.
"If Apple becomes the person who gets to decide what they do on your device, that would be a misreading of the complaint. This isn't what Apple has said, but this is where some of the confusion lies in this very big statute," Cohn said.
Asaf Lubin, associate professor of law at the Indiana University Maurer School of Law, also addressed that confusion during The Lawfare Podcast with senior editor Alan Rozenshtein and Orin Kerr, professor of law at the UC Berkeley School of Law. Lubin said the lawsuit may have a problem, because Apple is suing over what happened on devices it does not own, even though the company claims ownership of the operating system running on those devices.
The case's potential side effects on security researchers, according to Pfefferkorn, demonstrate that the CFAA, like the Digital Millennium Copyright Act (DMCA) statute at issue in another Apple lawsuit, needs to be amended by Congress in order to protect good-faith security research.
In 2019, Apple sued Corellium, a vendor that provides mobile penetration testing and security research. Apple alleged that Corellium "infringed Apple's copyrights in iOS and circumvented its security measures in violation of the federal Digital Millennium Copyright Act (DMCA)." Corellium denied the allegations, and Apple dropped the lawsuit this year.
There is some suspicion, Pfefferkorn said, that part of Apple's motivation behind the NSO lawsuit may be to relitigate its claims against Corellium, this time against a less sympathetic defendant.
"A defendant that exists to undermine user security rather than to improve it," she said. "Granted, the new complaint doesn't contain the DMCA claims seen in the Corellium lawsuit, but assertions remain similar."
While there are clear issues with the CFAA, Shawn Tuma, partner at law firm Spencer Fane LLP, which specializes in data privacy and cybersecurity risk management, said it has made progress over the past 10 years in how it treats online services and software as "devices." He compared Apple v. NSO Group to a past case involving Sony Computer Entertainment America. Sony sued an individual, George Hotz, for hacking into his own PlayStation 3 and accused him of "jailbreaking" the device.
"It relied on the CFAA and the DMCA, and Sony ultimately prevailed on a temporary injunction on the DMCA claim," Tuma said in an email to SearchSecurity. "Since that time the CFAA has come a long way and I think is much stronger today, in this case, than it was back in 2011, especially considering how integrated the Apple devices and iOS are with Apple's network's servers, which makes the case much stronger for an 'unauthorized access' to Apple's devices."
If this application of the CFAA is done correctly in Apple v. NSO, Cohn said it can be good.
"That's not something we say all the time," she said. "I hope other companies will follow suit."
Impact on the spyware industry
Though its impact on security researchers remains uncertain, the lawsuit's influence on the spyware industry appears more straightforward, particularly in combination with the pending Facebook lawsuit and the Commerce Department's addition of NSO Group to its Entity List.
Silicon Valley companies taking action against zero-day brokers was one trend security vendor Kaspersky Lab predicted last year. Costin Raiu, director of the global research and analysis team at Kaspersky, said the so-called "legal spyware" companies are out of control and noted a "lack of transparency, audit and generally unregulated sales for technologies against which there is no defense."
"The offensive security industry is out of control and the abuses we are seeing are probably just the tip of the iceberg," Raiu said in an email to SearchSecurity. "Going forward, we expect more companies and governments to put pressure on offensive technology sellers."
This mounting pressure, Pfefferkorn said, shows that big tech companies will no longer limit their skirmishes with spyware makers to simply exploiting and patching vulnerabilities.
"The Apple lawsuit should make it harder for NSO to do business, scare off international investment and send a signal that enabling human rights abuses will not go unpunished," she said.
While there has been a good amount of talk in recent years about suing companies that facilitate hacking, or those that provide services to help the hackers, Tuma said that at the end of the day, litigation is very expensive. "Given that Apple has as big of a war chest as any private company and is the plaintiff in the case, the chances of seeing substantive merits on this issue get addressed in a court of law are much greater," Tuma said.
Though WhatsApp really paved the way for cases such as these, Cohn said, Apple joining is important because the effort now involves two giants of the tech industry.
"It's a start of the end of this business model and we're not going to be able to write this kind of software. It's not something I think we can prevent entirely, but we can make this business model illicit and that's what we need to do," Cohn said.