On May 14, 2019, WhatsApp announced that the breach on its messaging app had “signs of coming from a government using surveillance technology developed by a private company, and it may have targeted human rights groups.” According to the Financial Times, the spyware in this case, called Pegasus, was developed by the Israeli cyber intelligence company NSO Group.
On 13 May 2019, WhatsApp notified Ireland’s Data Protection Commission (DPC), the messaging app’s lead regulator in the European Union, of a “serious security vulnerability” on its platform. The following day, European regulators confirmed they were investigating the breach as a violation of privacy regulations. In a statement, the DPC said it “understands that the vulnerability may have enabled a malicious actor to install unauthorized software and gain access to personal data on devices which have WhatsApp installed.” In response, WhatsApp advised all users to update the application “out of an abundance of caution”. The question is, who launched the attack and who were the targets?
- WhatsApp is used by 1.5 billion people monthly and is a unit of Facebook, with its European headquarters in Ireland.
- A selling point of the app is its high level of security and privacy, with encryption that prevents WhatsApp and third parties from reading messages or listening to calls.
- The Financial Times originally reported on the breach that allowed attackers to install spyware on phones via the app’s voice-calling function.
- A technical advisory published on Facebook’s security website said the breach affected both Android and iPhones.
Not your average cybercriminal
According to the Financial Times report, an unknown party tried to access decrypted data on the devices of targeted individuals using malware designed to target communications databases stored on the devices. This vulnerability was reportedly discovered by WhatsApp at the beginning of May and could have allowed third parties to install surveillance software on phones by calling a user via the app’s phone call function. WhatsApp addressed the breach internally before notifying users or regulators. An update to the app was published on May 13.
WhatsApp told Reuters that it was still investigating the breach but believed only a “select number of users were targeted through this vulnerability by an advanced cyber actor.” Jay Rosenberg, a senior security researcher at the antivirus software firm Kaspersky Labs, told Business Insider that “this is government-grade malware that costs millions of dollars”. “Unless you’re the target of some government, then you really have nothing to worry about. Your average cybercriminal is not doing this.”
It comes as no surprise
The Electronic Frontier Foundation (EFF), a San Francisco-based non-profit, and Citizen Lab at the Munk School of Global Affairs, part of the University of Toronto, were among the groups notified of the breach by WhatsApp. Eva Galperin, Director of Cybersecurity at EFF, told Reuters that “they believed it was NSO Group, but they also couched it in very careful terms with many caveats because attribution is hard”. According to a 2016 report by the New York Times, Pegasus spyware, once installed on a phone, can extract its data and can create new data by using the phone’s microphone and camera to record the user’s surroundings and ambient sounds.
A suspected target, a London-based human rights lawyer, contacted Citizen Lab after receiving suspicious WhatsApp calls. The lawyer is helping a Saudi dissident who has filed a lawsuit against NSO claiming its spyware targeted him and led to the killing of his friend, Saudi journalist Jamal Khashoggi. The lawyer is also leading civil cases against NSO for its sale of the software to the Mexican government and the subsequent killing of several journalists. The Citizen Lab has been researching the NSO Group and deems that the company “fails to engage in adequate due diligence concerning the sale of their Pegasus spyware and its human rights impacts.”
A perfect spy tool
Currently, there are four known legal cases against NSO Group, and it is being sued for damages allegedly caused by the sale of its technology. Cybersecurity expert Claudiu Popa told CTV News Channel that “what the NSO Group and companies like that do is focus their efforts on the most popular pieces of software and try to identify vulnerabilities that they can sell; that they can weaponize.” Following the latest breach, the human rights group Amnesty International filed a legal action that was supported by at least 30 individuals claiming that Israel’s Ministry of Defense has put human rights defenders at risk by allowing NSO Group to export its products abroad and that its staff have been specifically targeted. What is certain is that this is not the last time we will hear of NSO or of similar technologies and companies looking to exploit tools at the fingertips of almost the entire planet.