Facebook Sues Spyware Maker Over WhatsApp ExploitSocial Network Accuses Pegasus Malware Maker NSO Group of Violating the Law
Facebook is suing NSO Group, an Israeli spyware company, alleging it developed a potent zero-day exploit to spy on WhatsApp messages from diplomats, journalists, human rights activists and political dissidents.
Facebook alleges the company violated the law by reverse-engineering its WhatsApp messaging app to develop an exploit that could deliver malware called Pegasus to targeted devices merely by an attacker initiating a video call to a device.
"Pegasus was designed, in part, to intercept communications sent to and from a device, including communications over iMessage, Skype, Telegram, WeChat, Facebook Messenger, WhatsApp and others," according to the lawsuit, filed in federal court in San Jose, California.
The exploit served as a startlingly effective strike that routed around security measures Facebook has built into WhatsApp, including end-to-end encryption, and in a way that didn't involve user interaction, Facebook says. It also served as a warning of the dangers of relying on any messaging app for sensitive communications due to the potential of unknown software flaws (see Attackers Exploit WhatsApp Flaw to Auto-Install Spyware).
In a Tuesday column in The Washington Post, WhatsApp CEO Will Cathcart writes that Facebook is confident that NSO Group is behind these attacks.
"We learned that the attackers used servers and internet-hosting services that were previously associated with NSO," Cathcart writes. "In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful."
Some surveillance industry watchers contend that NSO Group sells its tools to governments with poor human rights records and opaque legal processes. In a statement, NSO Group says: "In the strongest possible terms, we dispute today's allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years."
Buffer Overflow in VoIP Stack
Facebook announced on May 13 that it had detected abnormal call patterns and had patched a vulnerability used by an advanced attacker.
The vulnerability, CVE-2019-3568, was a buffer overflow in WhatsApp's VoIP stack that facilitated remote code execution. It could be exploited by sending a series of crafted RTCP - for real-time transport control protocol - packets to a phone number, Facebook said.
The packets emulated legitimate WhatsApp network traffic, according to the lawsuit. The malicious code was embedded within call initiation messages and appeared to come from WhatsApp's signaling servers.
Even if a user did not answer the call, the malware was injected into the memory of a device. The malware was a dropper, which then downloaded a spyware program called Pegasus to the device, where it had access to communications and other data, Facebook alleges.
Between April and May, Facebook alleges that 1,400 devices were infected, including those of senior government officials, diplomats, political dissidents, human rights activists, attorneys and journalists. The targeted devices were located in places such as Bahrain, United Arab Emirates and Mexico. In a FAQ, WhatsApp says "we believe this attack targeted at least 100 members of civil society."
In the lawsuit, Facebook alleges that an NSO employee - who isn't identified by name - complained after the vulnerability had been patched.
Facebook alleges that NSO Group violated the U.S. Computer Fraud and Abuse Act, the California Comprehensive Computer Data Access and Fraud Act, as well as its terms of service, and also trespassed on its property. It is seeking damages as well as a permanent injunction banning NSO Group from its systems.
Commercial Spyware: Should It Be Regulated?
WhatsApp's Cathcart says that although NSO Group has denied responsibility for the attack, "our investigation found otherwise."
Citizen Lab, a think tank at the Munk School of Global Affairs at the University of Toronto, which studies surveillance software and attacks, has long raised concerns over the use of spyware against human rights activists and dissidents. In a blog post on Tuesday, Citizen Lab says it assisted WhatsApp in identifying targets of the attack.
"Among the many companies Citizen Lab has tracked, NSO Group stands out in terms of the reckless abuse of its spyware by government clients," Citizen Lab says, citing its own research into NSO Group.
Citizen Lab is one of a number of organizations that backs the building of safeguards into commercial spyware, which would support human rights frameworks and transparency.
"We believe that remedying this problem will not be easy or simple," Citizen Lab says. "It will require a coalition of stakeholders, including governments, the private sector and civil society to reign in what is now a 'wild west' of unmitigated abuse."
Cathcart says the attack spelled out several "urgent" steps Facebook needed to take, including reinforcing its assertion that governments should not force companies to build backdoors into their applications. The U.S., U.K. and Australia, however, are among the countries that have criticized Facebook and others for building end-to-end encrypted messaging applications that can securely protect content, even against lawful eavesdropping (see: Australia Pushes 'Five Eyes' for Tools to Counter Encryption).
"Democracies depend on strong independent journalism and civil society, and intentionally weakening security puts these institutions at risk," Cathcart writes. "And we all want to protect our personal information and private conversations. That's why we will continue to oppose calls from governments to weaken end-to-end encryption."