Facebook and its WhatsApp messenger division on Tuesday sued Israel-based spyware maker NSO Group. This is an unprecedented legal action that takes aim at the unregulated industry that sells sophisticated malware services to governments around the world. NSO vigorously denied the allegations.
Over an 11-day span in late April and early May, the suit alleges, NSO targeted about 1,400 mobile phones that belonged to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials. To infect the targets with NSO's advanced and full-featured spyware, the company exploited a critical WhatsApp vulnerability that worked against both iOS and Android devices. The clickless exploit was delivered when attackers made a video call. Targets need not have answered the call or taken any other action to be infected.
Routing malware through WhatsApp servers
According to the complaint, NSO created WhatsApp accounts starting in January 2018 that initiated calls through WhatsApp servers and injected malicious code into the memory of targeted devices. The targeted phones would then use WhatsApp servers to connect to malicious servers allegedly maintained by NSO. The complaint, filed in federal court for the Northern District of California, stated:
In order to compromise the Target Devices, Defendants routed and caused to be routed malicious code through Plaintiffs' servers—including Signaling Servers and Relay Servers—concealed within part of the normal network protocol. WhatsApp's Signaling Servers facilitated the initiation of calls between different devices using the WhatsApp Service. WhatsApp's Relay Servers facilitated certain data transmissions over the WhatsApp Service. Defendants were not authorized to use Plaintiffs' servers in this manner.
Between approximately April and May 2019, Defendants used and caused to be used, without authorization, WhatsApp Signaling Servers, in an effort to compromise Target Devices. To avoid the technical restrictions built into WhatsApp Signaling Servers, Defendants formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings. Disguising the malicious code as call settings enabled Defendants to deliver it to the Target Device and made the malicious code appear as if it originated from WhatsApp Signaling Servers. Once Defendants' calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device—even when the Target User did not answer the call.
100 civil society members from 20 countries
Critics of the spyware industry have long said that NSO and its competitors sell products and services to oppressive governments that use them to target attorneys, journalists, human-rights advocates, and other groups that pose no legitimate threat. Citizen Lab, a University of Toronto research group that tracks hacking campaigns sponsored by governments, volunteered to help Facebook and WhatsApp investigate the attacks on its users. Citizen Lab said among those targeted in the campaign were 100 members of "civil society" from 20 countries.
Citizen Lab said the targets included:
- multiple prominent women who have been targeted by cyber violence
- prominent religious figures from multiple religions
- well-known journalists and television personalities
- human-rights defenders
- lawyers working on human rights
- officials at humanitarian organizations
- individuals who have faced assassination attempts and threats of violence, as well as their relatives
"The commercial spyware industry is one that has tried to carve out an unaccountable space for itself, cozying up to the governments that it sells stuff to while simultaneously denying any responsibility for abuses conducted with its tools," John Scott-Railton, a Citizen Lab senior researcher, told me. "WhatsApp's lawsuit, which is important and precedent-setting, shatters that false distinction and makes it clear that they are willing to hold NSO accountable for the Wild West that exists in the spyware industry generally and is reflected in the target set."
In an email, NSO representatives wrote:
In the strongest possible terms, we dispute today's allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human-rights activists and journalists. It has helped to save thousands of lives over recent years.
The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins, and terrorists to shield their criminal activity. Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles. NSO's technologies provide proportionate, lawful solutions to this issue.
We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse. This technology is rooted in the protection of human rights–including the right to life, security, and bodily integrity–and that's why we have sought alignment with the UN Guiding Principles on Business and Human Rights, to make sure our products are respecting all fundamental human rights.
The suit said that targeted users had WhatsApp numbers with country codes from the Kingdom of Bahrain, the United Arab Emirates, and Mexico. Public reports—including those here, here, and Read More – Source
