NSO Group develops cybersecurity technology to help government agencies detect and prevent terrorism and crime. Its products are used by licensed government intelligence and law-enforcement agencies. NSO boasts that its technology has helped prevent terrorism, break up criminal operations, find missing persons, and assist search and rescue teams.
WhatsApp filed the suit in October 2019, accusing NSO Group of creating and exploiting the bug that was used to hack into targets’ phones.
The lawsuit concerns someone taking advantage of a security flaw in WhatsApp in 2019 and using it to install NSO's Pegasus spyware. The spyware was delivered to a device through a WhatsApp call, even if the call went unanswered.
The NSO spyware affected 1,400 devices, including those belonging to journalists and human rights activists.
Pegasus spyware can track a victim’s location, listen to calls, and read their messages. It can be installed on devices that run either iOS or Android. Pegasus was first uncovered in 2016 after a failed attempt to load it onto a device belonging to a human rights activist.
The actual perpetrator of the hack itself is not known. WhatsApp, however, maintains that NSO is responsible for what someone does with its software.
The hack was especially painful for WhatsApp, as the company prides itself on providing fully end-to-end encrypted communications. This means that, unlike with telephone calls and text messaging, law enforcement agencies cannot spy on a user’s voice or text communications even with a legal warrant. This is why NSO Group creates spyware like Pegasus.
At the time, WhatsApp stated that the attack had “all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.”
Microsoft’s customer security and trust chief, Tom Burt, said NSO should be held accountable for its Pegasus spyware, no matter who was using it.
“Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve,” said Burt. “We hope that standing together with our competitors today through this amicus brief will help protect our collective customers and global digital ecosystem from more indiscriminate attacks.”
Last July, a federal court in California rejected a motion by NSO to dismiss the case. Judge Phyllis Hamilton rejected NSO Group’s argument that it had no role in the targeting of WhatsApp’s users. Judge Hamilton said that it appeared to her that NSO Group was in at least some way responsible for what happened, “even if it was at the direction of their customers.”
Now dozens of Al Jazeera journalists have claimed that their smartphones were hacked by someone using tech developed by NSO Group. Thirty-six people, including TV anchors and executives, were listed as victims of the hack in a report by Citizen Lab at the University of Toronto.
“The phones were compromised using an exploit chain that we call Kismet,” say the researchers.