WhatsApp Sues NSO Group

WhatsApp is suing the Israeli cyberweapons arms manufacturer NSO Group in California court:

WhatsApp's lawsuit, filed in a California court on Tuesday, has demanded a permanent injunction blocking NSO from attempting to access WhatsApp computer systems and those of its parent company, Facebook.

It has also asked the court to rule that NSO violated US federal law and California state law against computer fraud, breached their contracts with WhatsApp and "wrongfully trespassed" on Facebook's property.

This could be interesting.

EDITED TO ADD: Citizen Lab has a research paper on the technology involved in this case. WhatsApp has an op-ed on their actions. And this is a good news article on how the attack worked.

EDITED TO ADD: Facebook is deleting the accounts of NSO Group employees.

EDITED TO ADD (11/13): Details on the vulnerability.

Posted on October 30, 2019 at 9:36 AM • 46 Comments

Comments

Anders • October 30, 2019 9:51 AM

Technical background also, what was the vulnerability.

research.checkpoint.com/the-nso-whatsapp-vulnerability-this-is-how-it-happened/

Maxim • October 30, 2019 10:22 AM

We WANT the government to use targeted exploits against personal targets because it prevents a larger motivation and push for mass encryption-defeating surveillance.

David • October 30, 2019 10:28 AM

Citizen Lab's reports don't cover the child molesters and drug criminals that these exploits stop.

An informed public discussion would hear both the LEAs and the Citizen Labs of the world - so we can make our own cost benefit calculation and decide how much of an abuse is tolerable.

Clive Robinson • October 30, 2019 11:22 AM

@ David,

> Citizen Lab's reports don't cover the child molesters and drug criminals that these exploits stop.

Do you have any evidence that the Pegasus software has been used for that?

The customers of NSO we know of are repressive governments, which generally means that their interest in those crimes you mention is less than their interest in those who might threaten their position. Thus their "guard labour" knows that the best way to maintain their positions is to ensure those above them have their primary interests met.

gordo • October 30, 2019 11:27 AM

@ David,

> Citizen Lab's reports don't cover the child molesters and drug criminals that these exploits stop.

Are you suggesting that Facebook/WhatsApp would not cooperate in such investigations?

JonKnowsNothing • October 30, 2019 3:19 PM

@David @All

> ...how much of an abuse is tolerable.

IM(not)HO

I think the important word in that sentence is ABUSE. No abuse is tolerable.

Get a Warrant. Talk to a Judge. Use the Law AS WRITTEN. Don't exceed your mandate or position. Don't target anyone just because they look or speak differently than you do.

If you don't like a law or want something changed by all means Put it To A POPULAR Vote. Not a secret ballot or back door $$ exchange.

Governments investing money in a foreign company's spyware systems really need to look a bit closer at who is actually the target. You don't think for a nanosecond that such software doesn't have multiple PhoneHome pathways? The purchasers are making an own goal.

tds • October 30, 2019 3:37 PM

https://twitter.com/alexstamos/status/1189269036619710465

"Alex Stamos Retweeted Will Cathcart

This is huge. I am really glad to see a tech company put their massive litigation team on the field on behalf of users.

Alex Stamos added,
Will Cathcart
@wcathcart
Today @WhatsApp is taking a stand against the dangerous use of spyware. NSO Group claims they responsibly serve governments, but we found more than 100 human rights defenders and journalists targeted in an attack last May. This abuse must be stopped. https://www.washingtonpost.com/opinions/2019/10/29/why-whatsapp-is-pushing-back-nso-group-hacking/ [this is the 'WhatsApp has an op ed on their actions' link in the original post from above] …"

SpaceLifeForm • October 30, 2019 4:05 PM

SS7 and SIM is the exploit path.

Zero doubt. Zero.

If a call, never answered, can plant the malware, then it must be SS7 and SIM card.

Remember, the SIM is a computer with storage.

Ismar • October 30, 2019 4:28 PM

Great development, and it should be extended to include the possibility of prosecuting SIM card manufacturers and/or ISPs for supplying faulty equipment that can cause harm (if this is the way the exploit works).

I am thinking of something similar to the airbag recall done to car manufacturers using faulty bags produced by Takata.

It is high time to start treating these as seriously as any other manufacturer faults, as in some instances they have the potential to cause more harm than physical faults do.

TimH • October 30, 2019 4:29 PM

> Facebook is deleting the accounts of NSA Group employees.

:) Ah t'ink yer means NSO, old bean.

SpaceLifeForm • October 30, 2019 4:35 PM

@tds

Someone, that may know some 'stuff' about this wrote:

"If you work for the #NSO group and have yet to resign, think deeply about what the coming years are going to look like for those who stay. It is not hard to imagine individual employees soon facing civil and criminal liability. It's not too late to get out and blow the whistle."

Evan • October 30, 2019 4:45 PM

@Maxim:

You say that like the government considers it an either/or choice. They will insist on their God-given right to do both - in fact they already do.

SpaceLifeForm • October 30, 2019 4:53 PM

Sure looks like FB and NSO were in bed.

The lawsuit sure looks like misdirection.

With FB covering their tracks by deleting NSO accounts.

With FB trying to continue their obfuscation over ads.

Compare to Twitter.
Today, Twitter says No political ads, at all.
Globally.


SpaceLifeForm • October 30, 2019 5:20 PM

SIM card. Note the date.

hxxps[:]//www.forbes.com/sites/parmyolson/2013/07/21/sim-cards-have-finally-been-hacked-and-the-flaw-could-affect-millions-of-phones/#759c818217b8

Petre Peter • October 30, 2019 7:43 PM

It seems like fundamental human rights are more at risk from cyber weapons simply because they can cause more damage.

MaybeIDon'tKNowAnything • October 31, 2019 12:50 AM

Laws don't matter. Warrants are rubber-stamped with little evidence in almost all cases, and if it's national security they use secret courts and secret court orders. In some countries you just get black-bagged and thrown into a black van, never to be seen again. The rules and laws of the day are changed and manipulated if nation states do not like them or they work against their agenda.

Commercial spyware exists for a reason. Because there is huge demand to control people and bad, despotic, paranoid governments are everywhere. Most nation states do not have the capability to create malware to a competent degree, hence why they buy it from shady companies. Nation states have been buying malware from the underground for 25 years. Where do you think the software engineers at companies like NSO got their start and honed their skills? Instead of posting on a Russian forum or IRC channel they now go to companies which employ ex-intelligence agency staff and which they know full well will keep quiet as long as they get paid a nice sum.

Gerard van Vooren • October 31, 2019 3:33 AM

> Facebook is deleting the accounts of NSO Group employees.

Apparently this is the adult way of dealing with their user base. Luckily there is also Diaspora, federated decentralized social media.

But to be honest, I think it's time for you to move, Mark. The teen years are over.

Givon Zirkind • October 31, 2019 4:19 AM

What about the SODDI defense? (Some other dude did it.) We all agree that NSO made this software and sells this software. But where is the proof that a) NSO sold it to the abusive buyer b) NSO knowingly sold it to a known abusive buyer?

Civilly and criminally, this has always been hard to prove. This is more political than justifiable legal claims. IMHO. It only made it into court because FB is worth megabucks to afford lawyers to cook up a case, and was hurt badly by a scandal, wanting to motivate retaliation.

Typo • October 31, 2019 5:30 AM

"Facebook is deleting the accounts of NSA Group employees."

Reads beautifully, but you probably meant NSO Group.

wiredog • October 31, 2019 5:32 AM

So. Just FYI. It isn't just Israelis reading WhatsApp. The USG is recommending that everyone in the IC stop using it for personal use, and requiring people stop using it for gov use, immediately.

passivevolcano • October 31, 2019 6:07 AM

Firstly, thanks Bruce for the extended links in your little article.

As Citizen Lab say in the piece you linked:

"We believe that remedying this problem will not be easy or simple. It will require a coalition of stakeholders, including governments, the private sector, and civil society to reign in what is now a “wild west” of unmitigated abuse."

I hope that what Facebook and WhatsApp are trying to do with this case is get this discussion moving. I intensely dislike facebook, but if they're going to provide the legal funding to birth this long needed discussion, then good on 'em.


Anders • October 31, 2019 6:14 AM

Again I see heavy post delete action here.

So why am I even bothering to contribute?

@Bruce, care to explain?

NSO Pegasus user guide

assets.documentcloud.org/documents/4599753/NSO-Pegasus.pdf

Ergo Sum • October 31, 2019 6:25 AM

Couple of questions...

Once Pegasus malware gets on the smartphone, is there a way of detecting its existence?

@SpaceLifeForm...

> SS7 and SIM is the exploit path.

If that's the case...

Isn't that similar to the Intel Management Engine (ME) in most of the computers?

The more I read about "computer-within-a-computer", the more it reminds me of my mainframe days. At least on the mainframe, it had a shorter name, LPAR...

Ergo Sum • October 31, 2019 6:47 AM

@Anders...

This quote, from your linked NSO Pegasus user guide, pretty much answers one of my questions:

"SIM replacement: Frequent replacement of SIM cards to avoid any kind of interception"

This is a clear indication of the attack vector and how to protect against it.

At least for a novice, like me...

me • October 31, 2019 7:04 AM

This article is somehow connected to this recent one:
Former FBI General Counsel Jim Baker Chooses Encryption Over Backdoors
https://www.schneier.com/blog/archives/2019/10/former_fbi_gene.html

WhatsApp decided that having the capability to read all users' messages was too powerful and dangerous a capability to have, thus they encrypted the conversations.
I think that no one should have the capability to read every message of every user worldwide: not a criminal, not a company, not the government. Absolute power corrupts absolutely.

@David
From the article linked by Schneier:
> I work ... NSO Group... found and used vulnerabilities in WhatsApp to provide sophisticated tools to prevent the next 9/11.

this is just a ridiculous claim with zero evidence supporting it:
- so far we have tons of evidence that they sell to literally every repressive gov on this planet (just read citizen lab, amnesty international and other reports)

- we have evidence that the FBI doesn't buy their program because it costs too much and also because the FBI has all the necessary capabilities; they don't need to buy from a third party:
https://www.vice.com/en_us/article/3kxk9j/dea-didnt-buy-malware-nso-group-too-expensive

Anders • October 31, 2019 7:12 AM

@Ergo Sum

OTA (Over The Air) is the culprit here.

Find yourself a SIM card that doesn't have that !"#¤%&/( JAVA.

me • October 31, 2019 7:19 AM

@David
> cost benefit calculation

to me it's pretty simple:
number of good citizens: 99%
number of criminals: 1%

number of people which encryption protect: 100%
which means 99% good and 1% bad
i think that my point is clear and there is nothing more to add.

me • October 31, 2019 7:30 AM

@SpaceLifeForm
it's not a "phone call" but a "WhatsApp call", thus a VoIP one made using the internet.
I have not read the details, but an attack vector might be the caller name: for example, if my name is "me; ping 1.1.1.1" and a program is bugged it might execute this as a command, so you see "me; ping 1.1.1.1 is calling, tap here to answer".

the problem is always unsanitized user input.

Rolf Weber • October 31, 2019 8:02 AM

Imagine the vulnerability wouldn't have been used for targeted attacks, but to launch a virus outbreak. "Thanks" to their end-to-end encryption, WhatsApp wouldn't have a chance to stop it. But read my lips: such an attack will come, sooner or later.

tds • October 31, 2019 10:25 AM

OT, but might Facebook/Whatsapp/Instagram compete with Twitter and ban political ads? What could go right or wrong with them banning political ads?

Might President Trump be treating Mr. Zuckerberg like President Zelensky somehow?

https://www.nytimes.com/2019/10/30/technology/twitter-political-ads-ban.html

"Twitter Will Ban All Political Ads, C.E.O. Jack Dorsey Says

The action by Twitter is a stark contrast to how Facebook handles political advertising.

SAN FRANCISCO — Twitter said on Wednesday that it would ban all political ads, putting a spotlight on the power and veracity of online advertising and ramping up pressure on Facebook’s chief executive, Mark Zuckerberg, to reverse his hands-off stance..."


Anders • October 31, 2019 11:38 AM

@tds

Regarding embedded SIMs, in my opinion, no. You can't change it, swap it, it is soldered to the printed circuit. If there's Java inside, you are stuck with it and can't do anything about it. With a normal SIM you can change it to a non-Java one.

What I personally think is that those embedded SIMs are forced on us, besides as a cost effective solution, also as a more effective surveillance solution.

Bruce Schneier • October 31, 2019 12:20 PM

@Anders:

"Again I see heavy post delete action here.

So why am I even bothering to contribute?"

A single comment of yours was edited to remove vulgarity. That is hardly "heavy post delete action." And -- trust me -- your comment was better off with the edit.

SpaceLifeForm • October 31, 2019 2:13 PM

@Ergo Sum

"Isn't that similar to the Intel Management Engine (ME) in most of the computers?

The more I read about "computer-within-a-computer", the more it reminds me of my mainframe days. At least on the mainframe, it had a shorter name, LPAR..."

Yes, IME is exactly the same, but different. ;-)

LPAR *IS* completely different.

Logical Partitioning is *SHARING*.

It is *NOT* a computer *UNDER* a computer.


SpaceLifeForm • October 31, 2019 2:39 PM

@me

A VOIP call still has the SS7 dependency.

Note the year.

hxxps://amp.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls

In very related news, read this, but keep in mind:

Attribution is hard, very hard.

hxxps[:]//arstechnica.com/information-technology/2019/10/researchers-unearth-malware-that-siphoned-sms-texts-out-of-telcos-network/


tds • October 31, 2019 3:37 PM

https://twitter.com/RidT/status/1189962919645073408 Thomas Rid

"Alternative headline: "Top government, military officials secretly hacked through WhatsApp backdoor as Attorney General pleads Facebook to create WhatsApp backdoor"

https://mobile.reuters.com/article/amp/idUSKBN1XA27H

"Exclusive: WhatsApp hacked to spy on top government officials at U.S. allies-sources ...

Sources familiar with WhatsApp’s internal investigation into the breach said a “significant” portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents.

The hacking of a wider group of top government officials' smartphones than previously reported suggests the WhatsApp cyber intrusion could have broad political and diplomatic consequences.

[...]

“It is an open secret that many technologies branded for law enforcement investigations are used for state-on-state and political espionage,” said John Scott-Railton, a senior researcher with CitizenLab.

Prior to notifying victims, WhatsApp checked the target list against existing law enforcement requests for information relating to criminal investigations, such as terrorism or child exploitation cases. But the company found no overlap, said a person familiar with the matter. Governments can submit such requests for information to WhatsApp through an online portal the company maintains.

WhatsApp did not identify the clients of NSO Group, who ultimately chose the targets."

Gee I wonder

loop
who attacked whom
repeat

(more from RidT Twitter) "Reminder from earlier this month. What Barr should be doing is the exact opposite: push Facebook to secure WhatsApp messages

https://www.nytimes.com/2019/10/03/us/politics/barr-whatsapp-facebook-encryption.html

Barr Pushes Facebook for Access to WhatsApp Messages"

SpaceLifeForm • October 31, 2019 3:48 PM

@wiredog

At this point in time, it should not just be the IC not using WhatsApp.

Read the link above about MESSAGETAP.

Not, just IC.

Not, just WhatsApp.

Congress too. All government people.

All of them.

When SS7/SIM is not secure, no one can tell as the end user, which APT is attacking them.

From a National Security standpoint, they should leave their phone in their car, inside a securely locked Faraday Cage.

And, I would not consider that totally secure.

The ultimately secure path is no cell phone.

Face to face comms, all voice and/or paper notes, burned immediately.

You know, like in the olden days.

Before computers.

Valid wiretaps on POTS lines.

I guess @Clive will still find a hole in my logic.


Ismar • October 31, 2019 3:58 PM

@tds - good point about Signal - best to ask Moxie and his devs as to why they require the phone number as a Signal handle

SpaceLifeForm • October 31, 2019 4:28 PM

@tds

RidT knows. Dude reads my mind. Or reverse.

The lawsuit is misdirection, coverup.

@all

ESIM does not just mean 'Embedded', but more importantly, 'Electronic'.

It is a computer with storage, *UNDER* a computer.


Clive Robinson • October 31, 2019 5:24 PM

@ SpaceLifeForm,

> I guess @Clive will still find a hole in my logic.

Not enough detail for that 0:)

Seriously though, for years I've called the mobile phone "The Dog leash" as it puts you at others beck and call at all hours.

So as a very old cellular phone advert said it,

    Ditch the brick

Has always been good advice, especially for your mental and general well-being.

Something I wish idiots in London --and I assume elsewhere-- would learn is that walking down the street with air-buds in and eyes glued to the screen is a good way to commit suicide or upset a man on crutches[1].

But as I've said numerous times in the past,

    All these secure messaging apps are NOT secure.

I just wish people would take that on board, for their own sake.

@ Ismar,

> about Signal - best to ask Moxie and his devs as to why they require the phone number as a Signal handle

Why bother? Signal is as insecure, and as much a waste of time, as other secure messaging apps. Be assured that Moxie Marlinspike most definitely knows this... But as Upton Sinclair's old saying has it,

    It is difficult to get a man to understand something, when his salary depends on his not understanding it.

Just remember to some Fame, Status and Recognition are more important than "salary" so substitute as appropriate.

[1] I've learnt that the best way to deal with such idiots is to just stop dead as they approach and when they have almost walked into me scream "Wakie wakie" at them. I guess it's good cardio for both of us ;-)

Sancho_P • October 31, 2019 7:20 PM

The basic issue, even if well intentioned, is the same as LE access to encrypted data / comm would be, call it backdoor or side channel:
It’s for your safety, and it’s a security risk.

As @Clive says, we don’t own these (radio connected) devices, we can’t trust them.

Remember Huang / Snowden?
https://www.tjoe.org/pub/direct-radio-introspection

FWIW, I’d prefer monitoring the power consumption, if possible.
Any data stored on a weak device has to be deemed “public”, so I have no problem with data extraction (always take care with pictures of meetings, contracts, damaged equipment, whatever could be of interest for the curious).

But I’d not like my phone to silently activate cameras or microphones (how many?) without my knowledge.
This is especially an issue when the phone is used “only” for tethering, but in reality is not …
