Facebook and its WhatsApp subsidiary on Tuesday sued NSO Group alleging the Israel-based spyware maker unlawfully hacked smartphones using a vulnerability in the popular chat app.
NSO Group makes a form of snoop-ware called Pegasus. The biz maintains that it sells the software – which silently infects and monitors targets’ phones and devices – only to governments and intelligence agencies to fight terrorism. But human-rights groups have accused the firm of making its surveillance code available for use against lawyers, dissidents, activists, journalists, and other rights advocates.
It is thus believed NSO Group, in this case, compromised people’s gadgets on behalf of a mystery customer or customers – think government spies and police, at best, snooping on citizens or other states’ citizens. The targets are said to have included diplomats, government and military officials, journalists, and human-rights activists, dotted across the planet.
In a post on its website, WhatsApp said the hack, which exploited CVE-2019-3568 to compromise mobile devices without user interaction, targeted 1,400 people total, including at least 100 members of civil society.
“The complaint alleges [the NSO Group] violated both US and California laws as well as the WhatsApp Terms of Service, which prohibits this type of abuse,” the chat app developer explained. “This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users.”
According to the complaint, NSO Group reverse engineered WhatsApp and developed a program to produce seemingly legitimate WhatsApp network traffic to hijack targeted smartphones that had the application installed. The spyware maker, it is claimed, created a web of WhatsApp accounts to initiate calls that would spread the group’s malware, using servers leased from various companies around the world, including Choopa, Quadranet, and Amazon Web Services, to send these messages.
Specifically, the NSO Group, it is alleged, crafted call initiation messages booby-trapped with malicious code: whether or not the calls were answered, the initiation messages included specially crafted data that, once received and parsed by the application, exploited a buffer-overflow bug and caused the smuggled code to execute on the target phone. That gave the NSO Group a foothold on the handhelds, enough to start snooping on people’s activities, it is claimed.
Furthermore, the initiation messages were crafted to appear to arrive from WhatsApp’s own servers, it is alleged. It is believed the exploitation began on April 29, and stopped by May 10.
“Disguising the malicious code as call settings enabled Defendants to deliver it to the Target Device and made the malicious code appear as if it originated from WhatsApp Signaling Servers,” the complaint says. “Once Defendants’ calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device — even when the Target User did not answer the call.”
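The bug class described above, as an added illustration that is not from the article, the complaint or WhatsApp's code: a C parser for a hypothetical call-settings format (the type/length/value layout, names and sizes are all assumptions) showing an unchecked copy next to a version that validates the sender-supplied length before copying anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format (an assumption, not WhatsApp's protocol):
 * call settings arrive as [type:1][len:2, big-endian][value:len]... */
#define SETTING_MAX 32   /* capacity of each destination buffer */
#define MAX_SETTINGS 8
struct call_setting { uint8_t type; uint16_t len; uint8_t value[SETTING_MAX]; };

/* Constructed samples: two well-formed settings, then one claiming 1024 bytes. */
static const uint8_t SAMPLE_OK[] = {0x01, 0x00, 0x02, 0xAA, 0xBB, 0x02, 0x00, 0x01, 0xCC};
static const uint8_t SAMPLE_OVERSIZED[] = {0x01, 0x04, 0x00, 0x41, 0x41};

/* Bug class, shown for contrast and never called here: the copy size comes
 * straight from the message, so a large len writes past value[]. */
void copy_setting_unchecked(struct call_setting *dst, const uint8_t *p) {
    dst->type = p[0];
    dst->len = (uint16_t)((p[1] << 8) | p[2]);
    memcpy(dst->value, p + 3, dst->len);
}

/* Hardened form: returns the number of settings parsed, or -1 if malformed. */
int parse_call_settings(const uint8_t *buf, size_t n,
                        struct call_setting *out, size_t max_out) {
    size_t off = 0, count = 0;
    while (off < n) {
        if (n - off < 3) return -1;            /* truncated header */
        uint16_t len = (uint16_t)((buf[off + 1] << 8) | buf[off + 2]);
        if (len > SETTING_MAX) return -1;      /* would overflow value[] */
        if (len > n - off - 3) return -1;      /* runs past end of message */
        if (count == max_out) return -1;       /* more settings than slots */
        out[count].type = buf[off];
        out[count].len = len;
        memcpy(out[count].value, buf + off + 3, len);
        off += 3u + len;
        count++;
    }
    return (int)count;
}

int main(void) {
    struct call_setting s[MAX_SETTINGS];
    printf("well-formed: %d\n", parse_call_settings(SAMPLE_OK, sizeof SAMPLE_OK, s, MAX_SETTINGS));
    printf("oversized:   %d\n", parse_call_settings(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, s, MAX_SETTINGS));
    return 0;
}
```

Because the article says the data was parsed whether or not the call was answered, checks like these have to run on every inbound message before any user interaction.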
The court filing suggests at least one member of civil society in Washington, DC, was targeted – a victim’s redacted phone number includes three legible digits, the District of Columbia’s 202 area code. Other targets are understood to be in Europe, Asia, Africa, and the Middle East, as well as North America.
The complaint alleges the NSO Group, and an affiliated corporate entity Q Cyber Technologies, violated America’s Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, and also violated agreed-upon policies and trespassed on WhatsApp’s network.
In an op-ed-slash-statement provided to The Washington Post, Will Cathcart, head of WhatsApp, said the affair highlights why tech companies should not be required to intentionally weaken their security systems. “‘Backdoors’ or other security openings simply present too high a danger,” he said.
Technology giants, he said, must do more to protect human rights and must avoid attacking one another. And he endorsed UN Special Rapporteur for Freedom of Expression David Kaye’s call for a moratorium on surveillance technology. That includes facial recognition, a tech WhatsApp’s parent Facebook isn’t ready to disavow.
CitizenLab, a cyber security research group at the Munk School of Global Affairs and Public Policy at the University of Toronto, Canada, said WhatsApp’s complaint validates concerns that it and similar rights organizations have raised in the past. But fixing this problem, the group said, won’t be easy.
“As it stands, NSO Group and other spyware companies are equipping repressive governments with powerful tools to spy on those who hold them to account,” CitizenLab said in a statement about the WhatsApp attacks. “With powerful surveillance technology such as this roaming free, there is nowhere to hide and no one will be safe from those who wish to cause harm. Not acting urgently on this critical public emergency threatens liberal democracy and human rights worldwide.”
The NSO Group, which last month announced a “new human rights policy and governance framework,” did not respond to a request for comment. ®
Updated to add
After this story was published, NSO Group told us in a statement: