Facebook and its WhatsApp messenger division on Tuesday sued Israel-based spyware maker NSO Group. This is an unprecedented legal action that takes aim at the unregulated industry that sells sophisticated malware services to governments around the world. NSO vigorously denied the allegations.
Over an 11-day span in late April and early May, the suit alleges, NSO targeted about 1,400 mobile phones that belonged to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials.
To infect the targets with NSO’s advanced and full-featured spyware, the company exploited a critical WhatsApp vulnerability that worked against both iOS and Android devices. The clickless exploit was delivered when attackers made a video call. Targets need not have answered the call or taken any other action to be infected.
Routing malware through WhatsApp servers
According to the complaint, NSO created WhatsApp accounts starting in January 2018 that initiated calls through WhatsApp servers and injected malicious code into the memory of targeted devices. The targeted phones would then use WhatsApp servers to connect to malicious servers allegedly maintained by NSO. The complaint, filed in federal court for the Northern District of California, stated:
In order to compromise the Target Devices, Defendants routed and caused to be routed malicious code through Plaintiffs’ servers—including Signaling Servers and Relay Servers—concealed within part of the normal network protocol. WhatsApp’s Signaling Servers facilitated the initiation of calls between different devices using the WhatsApp Service. WhatsApp’s Relay Servers facilitated certain data transmissions over the WhatsApp Service. Defendants were not authorized to use Plaintiffs’ servers in this manner.
Between approximately April and May 2019, Defendants used and caused to be used, without authorization, WhatsApp Signaling Servers, in an effort to compromise Target Devices. To avoid the technical restrictions built into WhatsApp Signaling Servers, Defendants formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings. Disguising the malicious code as call settings enabled Defendants to deliver it to the Target Device and made the malicious code appear as if it originated from WhatsApp Signaling Servers. Once Defendants’ calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device—even when the Target User did not answer the call.
100 civil society members from 20 countries
Critics of the spyware industry have long said that NSO and its competitors sell products and services to oppressive governments that use them to target attorneys, journalists, human-rights advocates, and other groups that pose no legitimate threat. Citizen Lab, a University of Toronto research group that tracks hacking campaigns sponsored by governments, volunteered to help Facebook and WhatsApp investigate the attacks on its users. Citizen Lab said among those targeted in the campaign were 100 members of “civil society” from 20 countries.
Citizen Lab said the targets included:
“The commercial spyware industry is one that has tried to carve out an unaccountable space for itself, cozying up to the governments that it sells stuff to while simultaneously denying any responsibility for abuses conducted with its tools,” John Scott-Railton, a Citizen Lab senior researcher, told me. “WhatsApp’s lawsuit, which is important and precedent-setting, shatters that false distinction and makes it clear that they are willing to hold NSO accountable for the Wild West that exists in the spyware industry generally and is reflected in the target set.”
In an email, NSO representatives wrote:
In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human-rights activists and journalists. It has helped to save thousands of lives over recent years.
The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins, and terrorists to shield their criminal activity. Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles. NSO’s technologies provide proportionate, lawful solutions to this issue.
We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse. This technology is rooted in the protection of human rights–including the right to life, security, and bodily integrity–and that’s why we have sought alignment with the UN Guiding Principles on Business and Human Rights, to make sure our products are respecting all fundamental human rights.
The suit said that targeted users had WhatsApp numbers with country codes from the Kingdom of Bahrain, the United Arab Emirates, and Mexico. Public reports—including those here, here, and here—have listed the governments of all three countries as NSO customers.
Facebook and WhatsApp shut down the attacks on May 13 with a software update that patched the critical vulnerability. According to the complaint, an NSO employee responded to the move by saying: “You just closed our biggest remote for cellular… It’s on the news all over the world.” According to a statement from WhatsApp, company officials sent a special message to the approximately 1,400 targeted users informing them of the attack.
In an op-ed published by The Washington Post, Will Cathcart, the head of WhatsApp, wrote:
This should serve as a wake-up call for technology companies, governments, and all Internet users. Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.
NSO has previously denied any involvement in the attack, stating that “under no circumstances would NSO be involved in the operating… of its technology.” But our investigation found otherwise. Now, we are seeking to hold NSO accountable under US state and federal laws, including the US Computer Fraud and Abuse Act.
Cathcart added: ““While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful.”
Tuesday’s complaint alleges that NSO violated the Computer Fraud and Abuse Act, the California Comprehensive Computer Data Access and Fraud Act, and a California law governing breach of contract. The action seeks a permanent injunction barring NSO from accessing WhatsApp servers, creating or using WhatsApp or Facebook accounts, or further violating WhatsApp terms of service.
Besides Facebook and WhatsApp apps and servers, NSO allegedly used servers owned by Amazon Web Services and smaller hosts Choopa and Quadrant. The leased servers connected targeted devices to a network of remote servers that were designed to distribute malware and send commands to devices once they were infected. Tuesday’s complaint said that an IP address assigned to one of the malicious servers was previously used by a subdomain operated by NSO.
Now that Facebook and WhatsApp have taken the unprecedented step of suing a spyware provider for using its servers to target its users, it will be interesting to see if Amazon and the other server hosts mentioned in the complaint follow suit. So far, they haven’t responded to emails seeking comment.