SecureMac, Inc.

Checklist 257: Suing to Stop Pegasus

December 3, 2021

Apple sues NSO Group over Pegasus spyware, avoiding cryptocurrency scams, and what chat apps can the government access?

On this week’s show:

Apple sues NSO Group

Apple has issued a press release announcing that it is suing NSO Group, makers of the notorious Pegasus spyware. The company says that it wants to recover monetary losses caused by NSO Group. Beyond that, it is hoping to stop the firm from continuing to make and sell spyware.

We’ve talked about Pegasus on The Checklist before. For full details, listen to Checklist 240: Updating Apple Gear and Sizing Up Pegasus, Checklist 241: Updating Apple Gear (Again) and (Still) Following Pegasus, and Checklist Short: Finding Pegasus Tracks. As a quick refresher, Apple’s press release does a good job of explaining Pegasus:

NSO Group creates sophisticated, state-sponsored surveillance technology that allows its highly targeted spyware to surveil its victims. These attacks are only aimed at a very small number of users, and they impact people across multiple platforms, including iOS and Android. Researchers and journalists have publicly documented a history of this spyware being abused to target journalists, activists, dissidents, academics, and government officials. 

At first glance, it may seem like Pegasus is only a threat to high-risk individuals like journalists and activists. But this is to ignore the role that such people play in society. If a repressive government can silence journalists, whistleblowers, and activists, that affects everyone. And unfortunately, NSO Group’s spyware makes it far easier for despotic regimes to do exactly that.

Apple’s legal standing and motivation

Apple’s press release singles out an exploit called FORCEDENTRY, which uses a (now-patched) iOS vulnerability to install Pegasus on a target’s iPhone. The exploit uses Apple IDs created by the attackers to send malicious data to the victims. In other words, it effectively weaponizes Apple’s software and servers against other users.

It’s this fact that gives Apple a legal case against NSO Group, as the company spells out pretty clearly in its public statement:

Apple’s lawsuit seeks to ban NSO Group from further harming individuals by using Apple’s products and services. The lawsuit also seeks redress for NSO Group’s flagrant violations of US federal and state law, arising out of its efforts to target and attack Apple and its users.

The idea of Apple seeking “redress” may raise a few eyebrows. Obviously the company, with its current market cap of $2.6 trillion, is not hurting for cash. But money isn’t the real point of this lawsuit. Apple has already pledged $10 million in support of Citizen Lab and Amnesty Tech, the two organizations that discovered and published news of NSO Group’s exploit. The company has also said that if it actually wins money in the NSO lawsuit, it will donate this to “organizations pursuing cybersurveillance research and advocacy.” In addition, Cupertino says it will offer “technical, threat intelligence, and engineering assistance” to such organizations on a pro bono basis.

Apple takes great pride in the iPhone’s security — and spends a lot of time and energy on security updates. Of course, those updates only work when you actually update your device! For this reason, Apple recommends that all users move to iOS 15 as soon as possible, since the new OS includes a number of new security features. The company notes that thus far, no one has found “evidence of successful remote attacks against devices running iOS 15 and later versions”.

Avoiding crypto scams

Cryptocurrency scams seem to be gaining traction, taking advantage of investors who want to cash in on the ongoing crypto boom. 

If you don’t know what cryptocurrency is, or how it works, you’re not alone! If you want an introduction, have a listen to Checklist 59: Bitcoin and the Blockchain: Understanding Cryptocurrency and Its Technology. For a more in-depth read, look to The SecureMac Guide to Understanding Cryptocurrency and Cryptojacking.

We should probably say one thing very clearly at the outset: If you don’t understand something, it’s probably not a great idea to invest in it. There’s nothing inherently wrong with investing in cryptocurrency, of course. It’s just a good general rule to follow: After all, you wouldn’t buy a horse farm without knowing anything about horses, or open a restaurant with zero experience in the food and beverage industry.

For people who do want to put money into cryptocurrency, a recent piece in CNET had some good tips on how to avoid the most common scams. Here are some best practices:

Avoid “too good to be true” offers

There are crypto scams where the bad guys pretend to represent wealthy, famous people like Elon Musk or Jeff Bezos. They say that these billionaires just want to give away some Bitcoin to a few lucky individuals. For the next hour, if you donate X amount of Bitcoin to a certain wallet address, you’ll receive double the amount back from Elon or Jeff!

Sorry, but no, the richest people in the world aren’t giving away “free money” to random people on the Internet. General rule: If it sounds too good to be true, it is! 

Do your research

Scammers sometimes use YouTube to solicit Bitcoin donations from viewers. To do this, they steal content, pretend to be part of some legitimate charity drive, or use other underhanded tactics. The scam is that they ask for Bitcoin donations through malicious websites. These websites have nothing to do with the charity that’s supposed to receive the donation, or even with the video in question. 

Always make sure to check out websites to ensure that they are who they say they are. If you spot red flags like the ones mentioned above, you may be on a malicious site.

Beware of big promises

Due to the volatility involved, there is no such thing as a “guaranteed return” in the stock market. That’s even more true of cryptocurrency. But scammers will make all sorts of promises to their victims. They’ll even set up fake websites that make it look as though your investment is growing. However, if you try to withdraw your “gains”, you’ll soon find out that it was all just smoke and mirrors.   

If someone says they can “double your money” (or something similar) on a crypto investment, treat this with extreme skepticism. After all, would you trust a stock broker who guaranteed market-beating returns? No? Then don’t believe some rando you met on a dating app or a social media site!

Practice good security

Some crypto-criminals forgo all the elaborate schemes and rely on good old-fashioned hacking. If you’re going to get involved in crypto, you need to make sure your devices and accounts are secure. That means following some basic best practices. Use strong passwords. Turn on two-factor authentication. Create a separate email account for anything crypto related. For best results, use hardware wallets to secure your cryptocurrency. You might also consider using multiple wallets to keep your cryptocurrency investment separate from crypto that you intend to spend.

Chat privacy and the FBI

Apple Insider ran a report about an internal FBI document that lists chat apps for which the Bureau can “legally access secure messaging app content and metadata”. The document was obtained via a Freedom of Information Act request.

Perhaps surprisingly, iMessage is probably not the best choice for private communication. iMessage itself is secure, of course, and offers end-to-end encryption. However, if the FBI has a warrant, they can force Apple to give them access to your iMessage backups stored in iCloud. And unfortunately, most users have iMessage set to back up to iCloud! (To learn how to keep your iMessage backups secure, read How to make encrypted iMessage backups for your iPhone). The FBI can also obtain “limited” access to WhatsApp and LINE messages.

By contrast, they can’t see much at all if you’re using the Signal app. The FBI can only obtain the time and date that a user registered for the service, and the date they last used it. The Insider piece also says that “the FBI can’t access message content from Telegram, WeChat, or Wickr”. (Though we’d point out that WeChat is developed by China’s Tencent, which may raise other privacy concerns).

Do you have a topic that you’d like to see covered on The Checklist? Write to us and let us know. We love getting show suggestions, feedback, and questions from our listeners!
