Two Republican lawmakers are pressing Apple and the Federal Bureau of Investigation to provide information about spyware made by the Israeli company NSO Group, according to letters obtained by CNBC.
The letters, dated Thursday and signed by House Judiciary Committee Ranking Member Jim Jordan, R-Ohio, and subcommittee on civil rights Ranking Member Mike Johnson, R-La., come after The New York Times reported earlier this year that the FBI had acquired surveillance technology from the NSO Group.
“The Committee is examining the FBI’s acquisition, testing, and use of NSO’s spyware, and potential civil liberty implications of the use of Pegasus or Phantom against U.S. persons,” the letter to Apple says.
Last year, an investigation by a coalition of news outlets found NSO’s software was used to hack into the phones of journalists and activists. The NSO Group denied the findings of the report. But a few months after the investigation was published, the Biden administration blacklisted the firm, saying the company knowingly supplied its technology had to foreign governments who used it to “maliciously target” phones of dissidents, activists and journalists.
That technology, called Pegasus, is a spy tool that lets users hack into Apple iOS or Google Android phones and access messages on encrypted apps, all without requiring the victim to click on a malware link. Vice News had first reported that the NSO Group had pitched local U.S. police on a similarly-styled tool called Phantom. The Times wrote that the Israeli government had granted a special license allowing Phantom to target U.S. phones, a capability Pegasus does not have, with only U.S. government agencies allowed to buy the tool under the license. The company demonstrated the tool to the FBI, according to the Times.
In their letter to FBI Director Christopher Wray, Jordan and Johnson said they found the FBI’s acquisition of NSO spyware to be “deeply troubling and presents significant risks to the civil liberties of U.S. persons.”
The FBI bought and tested the Pegasus technology, according to the Times, and considered deploying Phantom in the U.S., before deciding against it. Still, the letter asks the FBI to hand over communications between the agency and the NSO Group or its subsidiaries about the agency’s purchase, testing or use of NSO spyware and the potential legality of using Phantom against domestic targets.
Questions about Apple’s ability to detect NSO spyware
In their letter to Apple, Jordan and Johnson asked CEO Tim Cook to provide details about Apple’s ability to detect when iPhones have been targeted by the NSO Group tools. The letter requests Apple provide the number of attacks it’s detected from the tools and when and where they occurred. It also asks Apple for a “staff level briefing” about the company’s communications with government agencies about the spyware.
Pegasus relies on zero days, or flaws in Apple’s code that it’s not aware of and hasn’t patched yet. Apple sued the NSO Group in November for targeting its technology with the spyware, seeking an injunction to prevent the NSO Group from using any Apple devices or software.
But Apple’s corporate preference for secrecy, especially compared to Microsoft and Google, has led security researchers to call for more transparency from the company. Apple said last year it patched a flaw used by Pegasus, though it’s unclear if the NSO technology has other ways to hack iPhones.
An FBI spokesperson told the Times in a statement for the January story that it looks at new technologies “not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties. That means we routinely identify, evaluate and test technical solutions and services for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands.”
–CNBC’s Kif Leswing contributed to this report.