In a landmark move, WhatsApp and its parent company Facebook are suing Israel’s NSO Group for developing and deploying a WhatsApp exploit earlier this year that they claimed this week in court filings was used to target the phones of over 1,400 “attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials” around the world.
The attacks, between April 29, 2019, and May 10, 2019, used a vulnerability in WhatsApp’s video-calling feature. This allowed malicious code to be injected into the memory of a target device via a video call, even when the targeted user did not answer the call, the court filings revealed Tuesday. Targets included individuals in Bahrain, Mexico and the United Arab Emirates.
Facebook and WhatsApp are suing the NSO Group under U.S. state and federal laws, including the U.S. Computer Fraud and Abuse Act: “The Court has personal jurisdiction over Defendants because they obtained financing from California and directed and targeted their actions at California and its residents, WhatsApp and Facebook… [and] because Defendants agreed to WhatsApp’s Terms of Service by accessing and using WhatsApp”, the companies note in the complaint.
Details of the court case were first set out in an op-ed in the Washington Post on Tuesday 29 October by the Head of WhatsApp, Will Cathcart. Former Facebook CISO Alex Stamos tweeted in response: “This is huge. I am really glad to see a tech company put their massive litigation team on the field on behalf of users.”
WhatsApp Suing NSO Group: “Attempts to Cover their Tracks were not Entirely Successful”
WhatsApp’s Will Cathcart said that despite denials by NSO, Facebook had convincingly linked the attacks to NSO infrastructure.
In an article in the Washington Post, he wrote: “We learned that the attackers used servers and Internet-hosting services that were previously associated with NSO.
“In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO… While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful.”
An NSO Group spokesman said: “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them.
“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years. The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity. Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles. NSO’s technologies provide proportionate, lawful solutions to this issue.
“We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse. This technology is rooted in the protection of human rights – including the right to life, security and bodily integrity – and that’s why we have sought alignment with the U.N. Guiding Principles on Business and Human Rights, to make sure our products are respecting all fundamental human rights.”
WhatsApp meanwhile took the opportunity to hit back at growing pressure from governments, including the UK, to build backdoors into end-to-end encrypted messaging services. Cathcart wrote: “[This] reinforces why technology companies should never be required to intentionally weaken their security systems.
“Backdoors” or other security openings simply present too high a danger. Democracies depend on strong independent journalism and civil society, and intentionally weakening security puts these institutions at risk… we will continue to oppose calls from governments to weaken end-to-end encryption.”
The attack itself — which formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings — was sophisticated and “built to exploit specific components of WhatsApp network protocols and code”, the complaint alleges.
A security researcher at Google’s Project Zero, Maddie Stone, meanwhile identified earlier this month a “high severity” Android zero-day that affects a wide range of fully patched modern smartphones, including Samsung’s Galaxy S9. The bug was being actively exploited by attackers in the wild, and has also been attributed by Google’s threat team to the NSO Group.