The Israeli spyware firm NSO Group is in the news again today. Facebook discovered a critical vulnerability in the WhatsApp messenger, apparently being leveraged in attacks designed to install NSO Group’s Pegasus spyware on the targets’ phones [1]. Facebook (which owns WhatsApp) announced the discovery today, released an emergency update for WhatsApp and disclosed some details [2]. The vulnerability seems to lie in WhatsApp’s VoIP implementation, and would allow the attackers to remotely infect a mobile device simply by placing video calls through the app. Because no interaction on the victim’s part is needed, this exploit is being referred to in the press as “0-click” (zero-click).
There are some considerations I would like to share in reaction to this story.
Firstly, while it is a significant story, and the exploit discovered by Facebook and likely developed by NSO Group is potent and worrying, we should not consider this an isolated or unprecedented case. Unfortunately, so-called “0-click” exploits are more common than the press coverage suggests, and blaming WhatsApp for this security flaw is shortsighted, as we can surely expect competitor apps to be equally targeted and most likely already exploited. As a matter of fact, only a few months ago Reuters reported that the UAE exploited similar vulnerabilities in iMessage as part of “Project Raven” [3]. Essentially, the fact that an exploit in WhatsApp has now been discovered does not mean other apps are inherently more secure. If anything, it speaks to the difficulty of uncovering these attacks even for large and resourceful security teams such as Facebook’s, let alone for smaller organisations.
The number of documented cases of journalists and human rights defenders being targeted with NSO Group’s products and services is ever-growing. And although we expect more to come to light in the future, all that we know so far is most likely a small fraction of the whole. Attacking and infecting mobile devices is a difficult, but not impossible, task because of the many security mitigations and lockdowns baked into mobile platforms such as Android and, even more so, iOS. However, these same security controls have made mobile devices extremely difficult to inspect, especially remotely, and particularly for those of us working in human rights organisations lacking access to adequate forensics technology. Because of this, we are rarely able to confirm infections even of those whom we already suspect of being targeted. Last August, for example, we discovered that one of our Amnesty staff members was targeted with Pegasus [4], but whether others were too is not something we are able to confirm. Quite frankly, we are on the losing side of a disheartening asymmetry of capabilities that favours attackers over us, the defenders.
The darker reality is that NSO Group is just one of many, many more surveillance firms operating in the same space. NSO is getting caught in public more regularly, probably because of their larger market share, but also because there is existing documentation that security researchers out there, such as those at Facebook who discovered this WhatsApp exploit, can use to at least marginally follow NSO Group’s breadcrumbs. For this we can thank Ahmed Mansoor, who first came forward with the messages that led to the discovery of Pegasus, and who is now enduring a hunger strike in the jail where he is serving an unjust 10-year sentence [5]. Additionally, I believe the technical limitations I described earlier also contribute to why more similar exploits and spyware are not being discovered.
Ultimately, human rights defenders are losing the most. The widespread use of exploits and spyware, the seemingly unaccountable business of the firms producing them, and a worrying lack of forensics and intrusion detection technologies available to members of civil society all contribute to a sense of looming inevitability. That is why we, at Amnesty International, are taking action. On Monday, we filed a legal complaint with the Israeli Minister of Defense requesting the withdrawal of NSO Group’s export licence [6]. Amnesty, along with many other organisations, has also demanded transparency and accountability from Novalpina Capital and the other financial institutions invested in the company [7]. These legal battles are new tactics that will be put to the test in the courts over the next few years.
In the meantime, our Digital Security Lab at Amnesty International and all our technologists around the world have been working hard to build the capacity to properly support individuals at risk. While publications are important for advocacy and awareness, I believe they are not enough on their own. We need to seriously invest in providing human rights defenders with the practical means and the tools to prevent and respond to cyber attacks effectively. We are working towards this goal, and I am looking forward to sharing more about it in the future.
As always, if you have information to share that can help us discover and stop campaigns of illegitimate hacking against members of civil society, don’t hesitate to get in contact with me [8].
[1] Israeli Firm Tied to Tool That Uses WhatsApp Flaw to Spy on Activists - The New York Times
[3] Exclusive: Ex-NSA cyberspies reveal how they helped hack foes of UAE - Reuters
[4] Amnesty International Among Targets of NSO-powered Campaign - Amnesty International
[5] UAE: Ahmed Mansoor enters fourth week of hunger strike to protest unfair 10-year sentence - Amnesty International
[6] Israel: Amnesty International engages in legal action to stop NSO Group’s web of surveillance - Amnesty International
[7] Open letter to Novalpina Capital, CC: NSO Group, Francisco Partners
[8] Contacts - Nex