Why WhatsApp is pushing back on NSO Group hacking
By Will Cathcart
Oct. 29, 2019 at 2:34 p.m. EDT
Will Cathcart is head of WhatsApp, which is owned by Facebook.
In May, WhatsApp announced that we had detected and blocked a new kind of cyberattack involving a vulnerability in our video-calling feature. A user would receive what appeared to be a video call, but this was not a normal call. After the phone rang, the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the call.
Now, after months of investigation, we can say who was behind this attack. Today, we have filed a complaint in federal court that explains what happened and attributes the intrusion to an international technology company called NSO Group.
How can we say this with confidence? As we gathered the information that we lay out in our complaint, we learned that the attackers used servers and Internet-hosting services that were previously associated with NSO. In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful.
There was another disturbing pattern to the attack, as our lawsuit explains. It targeted at least 100 human-rights defenders, journalists and other members of civil society across the world. This should serve as a wake-up call for technology companies, governments and all Internet users. Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.
NSO has previously denied any involvement in the attack, stating that “under no circumstances would NSO be involved in the operating … of its technology.” But our investigation found otherwise. Now, we are seeking to hold NSO accountable under U.S. state and federal laws, including the U.S. Computer Fraud and Abuse Act.
At WhatsApp, we believe people have a fundamental right to privacy and that no one else should have access to your private conversations, not even us. Mobile phones provide us with great utility, but turned against us they can reveal our locations and our private messages, and record sensitive conversations we have with others.
For years, we have worked to stay ahead of those who seek to violate users’ privacy and security. Just as we have physical locks on our doors at home, WhatsApp builds digital locks to protect our private conversations. The primary security system we use is called end-to-end encryption, which works automatically in such a way that only you and the people you are communicating with have the “keys” to your messages and calls.
At the same time, however, surveillance companies are hunting for work-arounds – by implanting spyware directly onto devices. The attack we saw provides several urgent lessons.
First, it reinforces why technology companies should never be required to intentionally weaken their security systems. “Backdoors” or other security openings simply present too high a danger.
Democracies depend on strong independent journalism and civil society, and intentionally weakening security puts these institutions at risk. And we all want to protect our personal information and private conversations. That’s why we will continue to oppose calls from governments to weaken end-to-end encryption.
Second, technology companies must deepen our cooperation to protect and promote human rights. App developers, device manufacturers and operating-system providers need to share information to build safer systems. Just as users expect our products to work seamlessly, so too they expect we will work to guard against common threats and to hold attackers accountable.
This includes publicly explaining significant attacks to increase resilience and working with security researchers who can play a crucial role in that. We’re grateful to experts at the Citizen Lab at the University of Toronto for their work in this regard. They volunteered to help us understand who was affected by the attack and engaged with journalists and human rights defenders to help them better protect themselves in the face of these threats.
Third, companies simply should not launch cyberattacks against other companies. Responsible actors report vulnerabilities when they are found; they do not use their technology to exploit those vulnerabilities. Likewise, companies should not sell services to others engaged in such attacks.
Lastly, far more needs to be done to define what amounts to proper oversight of cyber weapons. NSO said in September that “human rights protections are embedded throughout all aspects of our work.” Yet it maintains that it has no insight into the targets of its spyware. Both cannot be true. At a minimum, leaders of tech firms should join U.N. Special Rapporteur David Kaye’s call for an immediate moratorium on the sale, transfer and use of dangerous spyware.
The mobile phone is the primary computer for billions of people around the world. It is how we have our most private conversations and where we store our most sensitive information. Governments and companies need to do more to protect vulnerable groups and individuals from these attacks. WhatsApp will continue to do everything we can within our code, and within the courts of law, to help protect the privacy and security of our users everywhere.