On Tuesday, WhatsApp and its corporate parent Facebook filed a lawsuit against NSO Group, the Israeli maker of the Pegasus spyware tool used by governments and law enforcement agencies around the world. Technology vendors sue one another all the time, but this suit is far more significant than the run-of-the-mill patent dispute and marks a turning point in the way that powerful technology companies deal with those who abuse their services to target victims.
The suit is the result of an operation that was exposed in May in which attackers were using a previously unknown vulnerability in the WhatsApp messaging system to install a powerful spyware tool on mobile phones. The bug allowed the attackers to run their exploit without any user interaction, simply by calling the device. The operation targeted about 1,400 people, including journalists, lawyers, human rights activists, and diplomats, over the course of about 10 days in late April and early May. Media reports at the time identified the spyware tool used in the attacks as Pegasus, but WhatsApp officials didn’t say anything publicly about that part of the story.
After the company patched the vulnerability, it began investigating the incident, with the help of experts at Citizen Lab, a research and policy team at the University of Toronto that has specialized in this kind of work for many years. The Citizen Lab team set about identifying the victims of the operation while WhatsApp engineers dug into the technical details to see how the attacks worked.
"Here we see the unvarnished reality: more than 100 individuals being targeted for surveillance, not because they are criminals or terrorists, but because their legitimate exercise of human rights is an irritant to powerful elites, corrupt autocrats, and in some cases even murderous death squads," Ron Deibert, founder and director of the Citizen Lab, said in an email.
In the absence of appropriate safeguards, it is not surprising to see spyware such as this being abused.
In its suit, WhatsApp alleges that NSO Group operators created and used WhatsApp accounts that were then used to target victims and used the WhatsApp Signaling and Relay servers to send the malware to victims’ devices.
“Defendants reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code--undetected--to Target Devices over WhatsApp servers. Defendants’ program was sophisticated and built to exploit specific components of WhatsApp network protocols and code,” the suit says.
In an opinion piece in The Washington Post, WhatsApp head Will Cathcart said the company was able to tie the operation directly to NSO Group.
“As we gathered the information that we lay out in our complaint, we learned that the attackers used servers and Internet-hosting services that were previously associated with NSO. In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful,” Cathcart wrote.
“There was another disturbing pattern to the attack, as our lawsuit explains. It targeted at least 100 human-rights defenders, journalists and other members of civil society across the world. This should serve as a wake-up call for technology companies, governments and all Internet users. Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”
The suit against NSO Group is essentially the first of its kind and is clearly meant to send a message to both the company and the broader group of vendors of so-called lawful intercept tools. This is WhatsApp, and by extension Facebook, flexing their considerable legal and technical muscle to show what the consequences of such operations can be. While the suit is somewhat surprising, what may be more surprising is that no other vendor has taken this step before. Many of the larger tech companies in the world regularly move against malicious actors, taking down botnets, suing individual attackers, and dismantling cybercrime networks. And Google has a long-standing policy of notifying users when they are targeted by sophisticated attackers like intelligence agencies or nation-state groups. Those groups sometimes use commercial intrusion tools as part of their operations and the threat analysis teams at the large service providers are quite capable of identifying actors and the tools they’re using.
But until now, companies have shied away from using the legal system to go after the purveyors of those tools. Part of the reason for that may lie in the technical details of how the operations are conducted and who is running them. But the larger reason could be a reluctance to test the waters and be the first to try this approach. WhatsApp has broken that seal now.
The suit is designed to have both punitive and deterrent effects, with WhatsApp asking for monetary damages as well as permanent injunctions that would bar NSO Group from ever running operations over its servers again. Spyware vendors rely on stealth, secrecy, and the discretion of their customers in order to stay below the radar and avoid the wrath of victims, researchers, and tech companies. By filing the suit and calling NSO Group out publicly, WhatsApp is drawing a line in the sand and laying out quite clearly what will happen if other vendors abuse the company’s service to target its users.
“Governments and companies need to do more to protect vulnerable groups and individuals from these attacks. WhatsApp will continue to do everything we can within our code, and within the courts of law, to help protect the privacy and security of our users everywhere,” Cathcart said.
Citizen Lab's Deibert said his team intends to keep digging into surveillance technology vendors and looking for potential abuses.
"We are undertaking this research because we see the largely unregulated commercial surveillance industry presenting perhaps the greatest single risk to global civil society worldwide. We will continue to investigate carefully the cases of abuse revolving around this incident, and intend to publish the evidence we collect in the public domain," Deibert said.
The only way to mitigate this type of reckless behavior is through stiff penalties that are rigorously enforced.