WhatsApp has accused the Israeli spyware company NSO Group of hacking 1,400 WhatsApp users in April and May. Among the victims were human rights activists, journalists, lawyers, diplomats and other key government officials, as well as family members. The attacks were carried out with the NSO Group's "Pegasus" malware, via servers, at least one of which was assigned to the NSO Group.
This emerges from a lawsuit that WhatsApp and its parent company Facebook filed on Tuesday at a US federal district court in San Francisco against the NSO Group and its parent company Q Cyber. The background is a WhatsApp hack that became known in May. The software suffered from a vulnerability (CVE-2019-3568) that allowed unauthorized remote access to the device. Attackers had been able to smuggle spyware onto the called device through a WhatsApp call, even if the called party did not pick up.
One of those hacked was a lawyer who has filed several lawsuits against the NSO Group. The lawyer turned to the Citizen Lab of the University of Toronto. The Citizen Lab raised the alarm and subsequently supported WhatsApp with education and protective measures for those affected.
The lawsuit is based on the US federal Computer Fraud and Abuse Act, a similar California law, interference with possession, and breach of contract. The NSO Group is said to have set up WhatsApp accounts to attack other users. Anyone who sets up a WhatsApp account enters into a contract with WhatsApp, which prohibits such machinations.
The plaintiffs seek compensation and a court order barring the NSO Group from using WhatsApp and Facebook. The amount of damages will be set by jurors, who can also sit in civil proceedings in the United States.
The NSO Group denies the allegations. NSO technology is licensed to intelligence agencies and law enforcement agencies "to help them fight terrorism and serious crimes." The NSO Group specifically mentions "pedophile rings and drug barons". Any use against human rights activists and journalists constitutes a breach of contract.
WhatsApp boss Will Cathcart calls on the tech industry and lawmakers to draw three urgent lessons from the attack: "It underlines that technology companies should never be forced to deliberately weaken their security systems," he writes in a commentary in the Washington Post. "Backdoors and other security holes are just too big a threat."
Second, app developers, device manufacturers, and operating system security managers need to work together more closely. And third, companies should not hack other companies. "Responsible people report vulnerabilities when they are found, they do not use their technology to exploit these gaps, and businesses should not sell services to those who perform such attacks." This is a clear rejection by WhatsApp of the NSO Group's business model.
The case is called WhatsApp v. NSO Group Technologies and is pending at the US Federal District Court for Northern California (Ref. 19-cv-07123).