NSO, Not Government Clients, Operates Its Spyware

jojowombl shares a report from The Guardian: Legal documents released in ongoing US litigation between NSO Group and WhatsApp have revealed for the first time that the Israeli cyberweapons maker -- and not its government customers -- is the party that "installs and extracts" information from mobile phones targeted by the company's hacking software. The new details were contained in sworn depositions from NSO Group employees, portions of which were published for the first time on Thursday.

It comes five years after WhatsApp, the popular messaging app owned by Facebook, first announced it was filing suit against NSO. The company, which was blacklisted by the Biden administration in 2021, makes what is widely considered the world's most sophisticated hacking software, which -- according to researchers -- has been used in the past in Saudi Arabia, Dubai, India, Mexico, Morocco and Rwanda. [...] At the heart of the legal fight was an allegation by WhatsApp that NSO had long denied: that it was the Israeli company itself, and not its government clients around the world, who were operating the spyware. NSO has always said that its product is meant to be used to prevent serious crime and terrorism, and that clients are obligated not to abuse the spyware. It has also insisted that it does not know who its clients are targeting. [...]

To make its case, WhatsApp was allowed by Judge Phyllis Hamilton to make its case, including citing depositions that have previously been redacted and out of public view. In one, an NSO employee said customers only needed to enter a phone number of the person whose information was being sought. Then, the employee said, "the rest is done automatically by the system." In other words, the process was not operated by customers. Rather NSO alone decided to access WhatsApp's servers when it designed (and continuously upgraded) Pegasus to target individuals' phones. A spokesperson for NSO, Gil Lainer, said in a statement: "NSO stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system. We are confident that these claims, like many others in the past, will be proven wrong in court, and we look forward to the opportunity to do so."

The question should be, who has the kill switch?

[evanh]

When asked like that, it's pretty clear NSO always retain the ability to disable the software. After all, they're always going to want to control/update who it can be used against. Not unlike being able to cut off the supply of munitions.

Re:

[Mirnotoriety]

> who has the kill switch?

Mossad ASIO BND DGSE DIA FSB GCHQ NSA

Time for Interpol to get involved?

[Gravis Zero]

I'm no lawyer but if you keep doing business with a government that violates human rights of the people the you provide information on, you are an accomplice to the crime.

Re:

[Valgrus Thunderaxe]

Which government is this, specifically?

Re:

[Gravis Zero]

Try reading the summary because there's a list.

Re:

[Gravis Zero]

This is for you: https://en.wikipedia.org/wiki/... [wikipedia.org]

Re: Time for Interpol to get involved?

[MrNaz]

Pointing you to Interpol was a perfectly sound answer.

Which laws? The ones Interpol has been commissioned to enforce.

By whom? The governments that signed the treaty bringing Interpol into existence.

Re:

[ravenshrike]

Yeah... one of the Bucks county electoral commissioners is on video stating that she knows counting the votes in question is illegal, but she's going to vote to do it anyway.

https://x.com/greg_price11/sta... [x.com]

Re:

[clovis]

Whatsapp is bringing a civil suit in United States courts in which, among other things, NSO is accused of violating the CFAA in a way that has harmed Whatsapp.
The reason Interpol perhaps should get involved is the NSO's violation of anti-hacking laws across numerous countries

https://cyberscoop.com/wp-cont... [cyberscoop.com]

Re:

[iAmWaySmarterThanYou]

So Interpol needs to get involved in a civil case? Or they are going to enforce local laws on foreigners who did things in their foreign countries that weren't illegal in their own countries?

Please explain how that works.

Do you think the FBI should enforce American laws in other countries on foreigners? Would it be ok if, for example, the FBI enforced American laws in Europe on European subjects for doing things that are legal in Europe and did those things in Europe?

Re:

[clovis]

OK, I'll explain how that works.
Just about every every advanced country in the world has similar laws, and they have agreements for enforcing certain kinds of laws across borders. Cybercrimes are among these laws. Israel has anti-hacking and privacy protection laws similar to the CFAA.
Interpol has fighting cybercime as part of its mandate. Interpol has 196 member countries.
https://www.interpol.int/en/Cr... [interpol.int]

Now it's your turn. Please explain how you don't already know this.

How is Whatsapp case related to this

Re:

[iAmWaySmarterThanYou]

I understood all that. No need to explain. You completely miss my point. I wonder if that was intentional, so I'll be explicit. NSO is an Israeli company. They did whatever they did on Israeli territory. What is Interpol going to do? Fly to Tel Aviv and arrest the CEO and engineers?

Of course not. They can press whatever charges they like in Europe. Nothing will come of it. Pointless charges that can't be enforced and won't be defended against are nothing but pure virtue signal.

If this situation so

Re:

[iAmWaySmarterThanYou]

Have you not been on this thread?

Please read what others have actually said and my reply before calling me stupid.

Re:

[drinkypoo]

Yeah, but who isn't doing it? All the finest people in the parts of the world that care about Interpol are using NSO's services.

Re:

[Gravis Zero]

Yeah, but who isn't doing it?

Presently, the US government. No idea about which E.U. countries are or are not using them.

All the finest people in the parts of the world that care about Interpol are using NSO's services.

European governments cutting them off wouldn't be a huge ask. Do remember that all things are replaceable, especially the NSO. Their downfall will leave a vacuum and you can be sure that someone will step in to fill it.

Re:

[drinkypoo]

Do remember that all things are replaceable, especially the NSO. Their downfall will leave a vacuum and you can be sure that someone will step in to fill it.

If what they are doing was trivial, others would be known for doing it as successfully as they are.

Re:

[Gravis Zero]

There are actually a lot of security firms finding exploitable bugs. The difference is that this one decided to exploit them for money rather than report them.

NSO isn't a group of super hackers, they are normal security researchers with leadership that is indifferent to the people they hurt.

Simple test

[spaceman375]

Purchase the software. Give it the phone numbers of the executives, board members, and employees of NSO. See what response you get. This will tell you if NSO controls, or at least knows, who is targeted. If you actually get any real data, I'd suggest that this would be one of the rare times where doxxing is appropriate.

Re:

[ravenshrike]

Nah, that could just as easily be a pre-programmed blacklist of numbers that it wouldn't process. Also, the idea that an automated process dependent on data entry by the user isn't controlled by the one who set it in motion is more than a bit silly.

Re:

[retchdog]

The first sentence is correct. Let's examine the second using a more consumer-oriented form of spyware called "Amazon Alexa," which is fairly representative of the business model used by big tech companies.

Let's see: Alexa is an automated process, check. Alexa is dependent on data entry by the user, check. The user sets the "automated process... in motion" by speaking a voice command.

Okay, so far so good. Now, there's one more condition left: does the user control Amazon Alexa? Uh, no. By law and in practic

I saw that back in 2019 too

[TrancePhreak]

Glad to see more remember too! Don't forget, they have exploit injection at factory some places too. You did a great job with the write up.

Still not sure how this is legal

[kmoser]

When a 14-year-old writes an exploit that lets you hack into anyone's phone, he gets busted. When a company does the same thing, they get customers.

Re:

[Valgrus Thunderaxe]

Please cite exactly which laws were broken in this case.

Re:

[Gibgezr]

I'm Canadian, under the Criminal Code of Canada there are several sections which apply to "hacking", here's an easy one:
Section 184: Any person who knowingly intercepts a private communication, by means of any electro-magnetic, acoustic, mechanical or other device, is guilty of an indictable offence carrying a maximum penalty of five years' imprisonment.

Re:

[ravenshrike]

Wow... just wow. Using a thin glass cup to listen to a conversation through a solid wooden door would count as hacking in Canada.

Re:

[codebase7]

In the US, the Computer Fraud and Abuse Act. (Because most devices interact with the Internet, they count as a "protected computer" under the law.) Specifically, 18 U.S.C. 1030(a)(5), 18 U.S.C. 1030(a)(6), 18 U.S.C. 1030(a)(7), and 18 U.S.C. 1030(a)(8).

But notably only if the US government or it's law enforcement agencies are not performing an investigation into said protected computers. That's allowed under 18 U.S.C. 1030(f).

TL;DR: It's illegal if NSO was to hack an iPhone of a US citizen (or even

Nice!

[sosume]

| "To make its case, WhatsApp was allowed by Judge Phyllis Hamilton to make its case"

maybe they could have made their case if the Judge had made its case to make the case..

Ok

[Bahbus]

And, a spokesperson for humanity said in a statement: "Gil Lainer is an uneducated moron who doesn't even understand the words coming out of his mouth. Not to mention that both NSO Group and the Israeli government are terrorist organizations and cannot be trusted with anything."