Facebook sues 'cyber intelligence' company NSO Group over spyware tools

Facebook claims NSO Group took advantage of vulnerabilities in WhatsApp to propagate spyware

Facebook has filed suit against ‘cyber intelligence' firm NSO Group, claiming that it has taken advantage of vulnerabilities in Facebook's WhatsApp messaging software to propagate spyware.

According to Facebook, NSO infected around 1,400 users in 20 countries were targeted with video-calling malware, taking advantage of a buffer overflow vulnerability in the WhatsApp voice-over-IP stack that enabled remote code execution attacks "via a specially crafted series of RTCP [real-time transport protocol] packets sent to a target's phone number".

The nature of the attack did not require targeted users to answer the calls they received

The lawsuit claims that the NSO-developed Pegasus spyware toolkit, which has also been deployed against target Amnesty International, according to the human rights organisation, was adapted to take advantage of the flaw, targeting the WhatsApp users during a 14-day period between April and May.

WhatsApp argues that the attack, which it claims targeted human rights lawyers, prominent religious figures and well-known journalists, violated both US and Californian laws in an "unmistakable pattern of abuse".

The company messaged the users it believes were affected informing them of the attack after it was discovered in May this year. "The nature of the attack did not require targeted users to answer the calls they received. We quickly added new protections to our systems and issued an update to WhatsApp to help keep people safe. We are now taking additional action, based on what we have learned to date," it added.

Our technology is not designed or licensed for use against human rights activists and journalists

In an op-ed in The Washington Post, WhatsApp global head Will Cathcart claimed that the company is confident in its assertion that NSO was behind the attacks: "We learned that the attackers used servers and internet-hosting services that were previously associated with NSO.

"In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful."

NSO Group, however, has strongly denied any involvement and said in a statement that the company would "vigorously fight" WhatsApp's lawsuit.

"The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years," a spokesperson claimed.

"We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse. This technology is rooted in the protection of human rights - including the right to life, security and bodily integrity - and that's why we have sought alignment with the U.N. Guiding Principles on Business and Human Rights, to make sure our products are respecting all fundamental human rights."

WhatsApp's lawsuit includes a demand for a permanent injunction blocking NSO from attempting to access WhatsApp's computer systems and those of parent company Facebook.

Facebook has also asked the court to rule that NSO violated US federal law and California state law against computer fraud and "wrongfully trespassed" on Facebook's property.

"This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users," WhatsApp said.

"In our complaint, we explain how NSO carried out this attack, including acknowledgement from an NSO employee that our steps to remediate the attack were effective."