Cybersecurity

Lessons (So Far) From WhatsApp v. NSO

By Nicholas Weaver
Tuesday, November 5, 2019, 1:29 PM

NSO Group, an Israeli vendor of “lawful” hacking tools designed to infect a target’s phone with spyware, is regarded by many as a bad actor. The group claims to be shocked when its products are misused, as they have been in Mexico, Saudi Arabia and the United Arab Emirates. One incident might be excusable, but the group’s continued enabling of misbehavior has resulted in well-earned enmity. Recently, Facebook struck back.

NSO Group deployed a weaponized exploit for Facebook’s WhatsApp messenger, integrated it into its Pegasus malcode system, and offered it to its customers (a mix of legitimate government agencies and nefarious government actors) interested in hacking WhatsApp users beginning in April. This was a particularly powerful exploit because it required no user interaction and the only sign of the exploit a user might discover would be a series of “missed calls” received on the user’s phone. Facebook patched the vulnerability on May 13, blocking the NSO campaign.

Facebook wasn’t satisfied with simply closing the vulnerability. In cooperation with CitizenLab, Facebook identified more than 100 incidents in which NSO Group’s WhatsApp exploit appeared to target human rights activists and journalists. In total, Facebook and CitizenLab identified 1,400 targets (which apparently also included government officials in U.S. allied governments). They then filed a federal lawsuit against NSO Group, closed NSO Group member accounts, and, most damaging of all to NSO’s customers, sent a notice to all identified victims alerting them of the attack. This meant that all targets, both dissidents and drug lords alike, were notified of this surveillance.

The lawsuit will be a case to watch. Facebook has already revealed a large amount of detail concerning NSO Group’s internal workings, including the hands-on nature of its business model: NSO Group actively assists countries in hacking targets. For example, we now know that while an NSO Group employee may not press the “Enter” key for a target, NSO employees do act to advise and consult on targeting; and NSO Group is largely responsible for running the infrastructure used to exploit targets and manage implants. Expect more revelations like this as the case proceeds.

Facebook’s response also represents a turning point in how tech companies respond to misuse of lawful hacking tools. Previously there has been a reluctance to blanket-notify targets of these sorts of attacks. Just because a piece of “lawful” spyware may be misused says nothing about any particular target. The same software used to target political dissidents may also be used for legitimate criminal investigations. After all, the New South Wales police used a similar often-misused program, FinFisher, to hack criminal targets after obtaining warrants. Not notifying identified victims was intended to prevent damage to law enforcement activities. This practice came at the cost of protecting bad actors.

The equities on victim notification have shifted as a result of NSO Group’s continued acquiescence to abuse. Facebook notified every target, activist and criminal alike, hampering the efforts of both bad actors’ surveillance and legitimate law enforcement. In the short term, this will damage some ongoing investigations because legitimate law enforcement targets have now been alerted to government surveillance. In the long term it will hopefully fracture the market, encouraging law enforcement to use vendors that won’t tolerate abusive use.

Finally, the social media giant’s response shows that Facebook’s hoarding of metadata isn’t categorically bad for users. Facebook retains WhatsApp call metadata in hopes of extracting some value out of it down the road. Compare this with Signal, which deliberately does not retain such metadata. Normally discarding metadata, like Signal does, benefits users because it enhances privacy. But, in this case, Facebook’s data retention ended up helping some users by enabling Facebook to determine who was targeted for attack by NSO Group.

Facebook’s retaliation is an evolving story and an interesting development in the continued proliferation of exploit tools. Now, if only companies would actively notify victims when China launches repressive hacking campaigns.

Topics: