Social networking giant Facebook is constantly under fire from multiple fronts. It's been blamed for letting its systems influence a presidential election, data being used for profiling, and recently, for its subsidiary WhatsApp's systems being compromised through a surveillance tool designed only for state use.
The zero-day vulnerability that NSO's software used to help governments access user devices first surfaced in May this year. Now, Reuters, citing confidential sources, is reporting that government officials inside the US and its allied countries were targetted through NSO's hacking tools.
WhatsApp's Security Vulnerability Lets Hacking Tool Compromise Security Of Highly-Ranked Government Officials In 20 Countries Including United States
With technology having permanently permeated our daily lives, privacy is a concern that few folks are mindful of. But while users can be forgiven for trusting the products that use for providing them security, the companies that design said products need to be held accountable. Therefore, after a zero-day vulnerability was discovered in WhatsApp's platform, it proceeded to sue the NSO. The act lets the instant-messaging app maker avoid responsibility for a backdoor existing in its servers that allowed trojans and other applications to contact and download dangerous software.
The Reuters report that we've come across today has damming implications from WhatsApp being hacked. It's believed by the publication's sources that high-profile civilian and military institutions, in a list of 20 countries that include the United States and her allies, have had their smartphones compromised through hacking softwares developed by the NSO group. The NSO group's sales are ultimately regulated by the Israeli ministry of defense.
In a statement, NSO claims that it only sells its surveillance software to governments; a statement that separates the company from the consequences of how its products are being used. Reuters' exclusive report raises two serious questions with damning answers.
If NSO's hacking software was sold exclusively to governments, then who hacked the devices? There are only two answers which we can think of. The first suggests that governments who purchased an NSO product lost control of, or let the product be accessed by nefarious individuals. The second, even more controversial, entails that perhaps it's the governments themselves spying on their highly ranked civilian and military employees.
After WhatsApp sued last month, NSO claimed:
The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity. Without sophisticated technologies the law-enforcement agencies meant to keep us all safe face insurmountable hurdles. NSO’s technologies provide proportionate, lawful solutions to this issue.
What's immediately clear from the statement above is that NSO believes it isn't accountable if its products are used to spy on non-criminals. For NSO, self-accountability for its products being used ends at the point when a sale has been made to a government organization. However, this principle will stand violated if Facebook has its say on the matter.
Regular readers will be familiar with the term 'Pegasus'. For the uninitiated, Pegasus is the iPhone hacking spyware suite that surfaced in 2016 after Ahmed Mansoor, a UAE based human rights activist had the foresight to not click on a shady link and report said link to the University of Toronto's Citizen Lab.
WhatsApp and Facebook's joint lawsuit against NSO confirms that the Israeli company's other products, in addition to Pegasus, were used to send malware to 1,400 devices to access said devices' location and conduct surveillance. With regards to the nature of this surveillance, Citizen Lab, when commenting on Pegasus exploiting Mansoor's phone in 2016 said that:
Once infected, [the] phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.
The suit, mind you, was filed on the 29th of last month. While one would expect that it's governments who use Pegasus based exploits on their own, Facebook claims that NSO continued to provide 'after-sales support to its customers. This is the most implicatory reveal in the entire affair, for it nulls NSO's statement quoted above. An excerpt from the lawsuit confirms that after a Pegasus malware was installed in a device, it could:
...intercept communications sent to and from a device, including communications over iMessage, Skype Telegram, WeChat, Facebook Messenger, WhatsApp, and others.
NSO had direct control of Pegasus during the period that it was installed on a target device. As per Facebook and WhatsApp's claims:
Defendants used a network of computers to monitor and update the version of Pegasus implanted on the victims’ phones. Id. These Defendant-controlled computers relayed malware commands, and data between a compromised phone, Defendants, and Defendants’ customers. This network served as the nerve center through which Defendants supported and controlled their customers’ operation and use of Pegasus. In some instances, Defendants limited the number of concurrent devices that their customers could compromise with Pegasus to 25.
Finally, up to 100 of the 1400 individuals infected by NSO's software belong to the civil society. WhatsApp claims that it received no requests for investigations from government bodies for the data of the targetted individuals. The company has also not made it clear whether it knows the identities of NSO's clients. who selected the targets.
Thoughts? Let us know what you think in the comments section below and stay tuned. We'll keep you updated on the latest.