ADVERTISEMENTREMOVE AD

Facebook Sues Israeli Company For Targeting WhatsApp With Spyware 

The NSO Group denied hacking WhatsApp and the allegations and will fight the case against Facebook.

Updated
story-hero-img
i
Aa
Aa
Small
Aa
Medium
Aa
Large

Facebook sued the Israeli hacker-for-hire company NSO Group on Tuesday in U.S. federal court for allegedly targeting some 1,400 users of its encrypted messaging service WhatsApp with highly sophisticated spyware.

The lawsuit filed in San Francisco is the first legal action of its kind, according to Facebook, involving a nearly totally unregulated realm.

Catch all the coverage on WhatsApp snooping here.

Facebook says NSO Group violated laws including the U.S. Computer Fraud and Abuse Act with a crafty exploit that took advantage of a flaw in the popular communications program allowing a smartphone to be penetrated through missed calls alone.

"It targeted at least 100 human-rights defenders, journalists and other members of civil society across the world," the head of WhatsApp, Will Cathart, wrote in an op-ed published by The Washington Post.

ADVERTISEMENTREMOVE AD

He said that since discovering the malware operation in May, Facebook learned that the attackers were using servers and internet-hosting services previously associated with NSO Group, which has been widely condemned for selling surveillance tools to repressive governments.

NSO Group issued a statement in which it did not directly deny hacking WhatsApp but which said it disputed the allegations and vowed to "vigorously fight them."

“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.”
NSO Group statement

It said strongly encrypted platforms are used by pedophile rings, drug traffickers and terrorists and that NSO's technologies "provide proportionate, lawful solutions."

Facebook demands in the suit that NSO Group be denied access to Facebook's services and systems and seeks unspecified damages.

Cathart said leaders of tech firms "should join U.N. (free speech) Special Rapporteur David Kaye's call for an immediate moratorium on the sale, transfer and use of dangerous spyware."

"This is huge. I am really glad to see a tech company put their massive litigation team on the field on behalf of users," tweeted Alex Stamos, a Stanford University researcher and former Facebook chief security officer.

John Scott-Railton, a researcher with the internet watchdog Citizen Lab, called the hack "a very scary vulnerability" when it was discovered. "There's nothing a user could have done here, short of not having the app."

Citizen Lab subsequently volunteered to assist Facebook in the investigation.

The lawsuit alleges that malicious code from NSO was sent from 29 April through May 10 over WhatsApp servers. The aim was to infect some 1,400 devices whose users included attorneys, journalists, human rights activists, political dissidents, diplomats and other government officials. It said the targeted phone numbers were in countries including Bahrain, United Arab Emirates and Mexico.

NSO's spyware has repeatedly been found deployed to target such people. Most notably, the spyware was implicated in the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul last year and whose body has never been found.

In the lawsuit, Facebook alleges that after it publicly announced that it had identified and closed the vulnerability an NSO employee complained "You just closed our biggest remote for cellular .... It's on the news all over the world."

The spyware did not directly affect the end-to-end encryption that makes WhatsApp chats and calls private. It merely used a bug in the WhatsApp software as an infection vehicle.

NSO Group's flagship malware, called Pegasus, allows spies to effectively take control of a phone — remotely and surreptitiously controlling its cameras and microphones from remote servers and vacuuming up personal and geo-location data.

(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)

Published: 
Speaking truth to power requires allies like you.
Become a Member
×
×