Petition to Revoke NSO License as WhatsApp Warns About Israeli Firm's Cyber-weapon Exploit

The Financial Times reports that a vulnerability in the chat app allowed attackers to inject spyware developed by NSO Group into phones


Human rights groups on Monday filed a petition in an Israeli district court asking to revoke the defense export license of cyber surveillance firm NSO Group, while a popular messaging app urged users to update their apps to fix a vulnerability that exposed them to NSO's software.

The Financial Times reported Tuesday that a loophole in WhatsApp allowed attackers to inject spyware developed by NSO Group into phones by ringing up targets using the app's phone call function.


According to the Financial Times, NSO developed an important update to its best-selling software: "using just one simple missed call on WhatsApp, it had figured out a way to drop its payload," a piece of software called Pegasus that can penetrate the darkest secrets of any iPhone.


Minutes after the attacker dials, "the target phone starts revealing its encrypted content, mirrored on a computer screen halfway across the world. It then transmits back the most intimate details such as private messages or location, and even turns on the camera and microphone to live-stream meetings," according to the Financial Times.

In response, NSO said its technology is licensed only to authorized government agencies "for the sole purpose of fighting crime and terror," and that it does not operate the system itself.

The petitioners who filed to revoke the company's export license claim the firm's Pegasus spyware product has been used in the past, and may still be in use, for the surveillance of human rights activists of Amnesty International and other groups.

The suit claims the defendants have put human rights at risk by allowing NSO to continue exporting its products, undermined the foundations of democratic government, violated Israel’s international commitments and exceeded the authority of the Defense Ministry.

The petition against the Defense Ministry claims that in the summer of 2018 an attempt was made to take control of the mobile phone of an Amnesty staff member, a Saudi human rights worker, using Pegasus – though it is not clear whether this attempt was successful.

Amnesty says that in August 2018, a staff member received a message in Arabic which contained a link “purporting to be about a protest outside the Saudi Arabian embassy in Washington. It was sent at a time when Amnesty International was campaigning for the release of Saudi women human rights activists. If clicked, the link would have secretly installed Pegasus software, allowing the sender to obtain near-total control of the phone.”

The staff member did not click on the link, and the organization’s Tech Amnesty team that investigated the incident thinks the phone was not hacked in this way – but says it is impossible to know whether the surveillance program was installed on the phone in another way.

The plaintiffs say this was not a one-time incident, but part of a continuing program of using spyware against human rights groups and activists. The suit claims that Amnesty and the Citizen Lab of the University of Toronto have documented similar attempts in the past and presented five examples.

Such attempts could have a “chilling effect” on activists, said the plaintiffs. They also refer to a lawsuit filed in September 2018 requesting to revoke NSO’s export license to Mexico based on reports that its software was being used to target human rights activists there. A gag order was imposed on the ruling, but the present suit claims the necessary conclusions from the previous suit were not implemented.

The suit was filed by attorney Eitay Mack in the name of about 30 members and supporters of Amnesty International Israel and other human rights activists against the head of the Defense Export Controls Agency in the Defense Ministry, Rachel Hen, Prime Minister Benjamin Netanyahu in his role as defense minister and the Foreign Ministry.

Amnesty said the Defense Ministry has “ignored mounting evidence linking NSO Group to attacks on human rights defenders, which is why we are supporting this case. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world are at risk.”

File Photo: NSO Company offices in Herzliya, August 25, 2016
Daniella Cheslow, AP

Pegasus, NSO’s flagship product, enables almost total and clandestine control over a cellphone. It can determine the phone’s location, tap the phone and record calls. It can also be used as a microphone to listen to anything nearby and can enable the camera remotely. All mail and text messages can be read – and written – and apps can be downloaded. Any other information on the phone, such as pictures, videos, reminders, calendars, contacts, and so on may also be accessed.

In its response, NSO said it investigated "any credible allegations of misuse and if necessary, we take action, including shutting down the system."

Under no circumstances, said the statement, "would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies." 

"NSO would not or could not use its technology in its own right to target any person or organization, including this individual."