Israeli firm sued by WhatsApp, accusing it of hacking activists’ phones
Wed 30 October 2019:
Facebook-owned WhatsApp has filed a lawsuit against Israel’s NSO Group, alleging the firm was behind cyber-attacks that infected devices with malicious software.
WhatsApp accuses the company of sending malware to roughly 1,400 mobile phones for the purposes of surveillance.
Users affected included journalists, human rights activists, political dissidents, and diplomats.
NSO Group, which makes software for surveillance, disputed the allegations.
In a court filing, WhatsApp said NSO Group “developed their malware in order to access messages and other communications after they were decrypted on target devices”.
It said NSO Group created various WhatsApp accounts and caused the malicious code to be transmitted over the WhatsApp servers in April and May.
“We believe this attack targeted at least 100 members of civil society, which is an unmistakable pattern of abuse,” WhatsApp said in a statement.
“This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users,” said a WhatsApp spokesman. “In our complaint, we explain how NSO carried out this attack, including acknowledgement from an NSO employee that our steps to remediate the attack were effective.”
The company is also supporting calls by the UN special rapporteur for freedom of expression, David Kaye, for a moratorium on this kind of invasive spyware.
“There must be strong legal oversight of cyber-weapons like the one used in this attack to ensure they are not used to violate individual rights and freedoms people deserve wherever they are in the world,” WhatsApp said.
“Human rights groups have documented a disturbing trend that such tools have been used to attack journalists and human rights defenders.”
WhatsApp said it had worked with Citizen Lab, an academic research group based at the University of Toronto’s Munk School, to identify the victims of the attacks and the technology used against them.
WhatsApp’s announcement comes six months after it disclosed it had discovered a vulnerability that allowed cyber-attackers to install surveillance software on to both iPhones and Android phones by ringing targets using the application’s phone function. It was unclear at that time how many of WhatsApp’s 1.5bn users were affected.
Since then, WhatsApp, working alongside Citizens Lab, has been attempting to establish how many attacks were launched in the days before the vulnerability was closed. The company is understood to have been shocked at what it found.
John Scott-Railton, a senior researcher at Citizen Lab, said WhatsApp’s action was “a major positive step forward for human rights protections online and will absolutely set a precedent”.
He accused NSO of acting with disregard to the people who were being targeted. “While telling the public it is concerned about human rights, the commercial spyware industry has attempted to carve out an unaccountable space for itself, whereby virtue of its proximity to governments, it claims it is acting lawfully, yet prefers to disclaim any responsibility for that behaviour when it suits them.”
The WhatsApp lawsuit is not the only one directed at NSO. The company has been accused of targeting Omar Abdulaziz, who was a close associate of Jamal Khashoggi before the Washington Post journalist was murdered in the Saudi consulate in Istanbul last year.
The affected users had numbers from several countries, including Bahrain, the United Arab Emirates and Mexico, according to the lawsuit.
WhatsApp said it is seeking a permanent injunction banning NSO from using its service.
The firm, which was acquired by Facebook in 2014, said it was the first time an encrypted messaging provider had taken legal action of this kind.
WhatsApp promotes itself as a “secure” communications app because messages are end-to-end encrypted. This means they should only be displayed in a legible form on the sender or recipient’s device.
NSO Group said it would fight the allegations.
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” the company said in a statement to the BBC.
“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.”
Think your friends would be interested? Share this story!