Facebook launched a new front in the battle over encryption yesterday by suing the Israeli spyware firm NSO Group for allegedly hacking WhatsApp, its encrypted messaging service, and helping government customers snoop on about 1,400 victims.
The targets included at least 100 journalists, political dissidents and human rights activists across 20 countries including the United Arab Emirates, Bahrain and Mexico, WhatsApp head Will Cathcart said in a Post op-ed.
The lawsuit marks the first time a messaging service has sued a spyware company for undermining its encryption and it could prompt a slew of suits against companies that have developed encryption workarounds bolstering governments' ability to spy on their citizens.
Facebook was also quick to connect the suit with U.S. government efforts to give law enforcement special access to encrypted communications, saying the alleged hack “reinforces why technology companies should never be required to intentionally weaken their security systems.”
The Justice Department, along with allies in the United Kingdom and Australia, has charged that expanding encryption on Facebook services will make it easier for child sexual predators to share illegal images on the site or to solicit children. But Facebook says that strengthening encryption protects users from all manner of nefarious actors, outweighing any damage.
“This should serve as a wake-up call for technology companies, governments and all Internet users,” Cathcart said. “Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”
The hack, which WhatsApp first alerted users to in May, was strikingly advanced. It gave hackers access to victims’ private messages, location data and other information just by making it look like they missed a call, according to a write-up from Citizen Lab, a cybersecurity threat tracking group that helped the investigation.
The company is asking for an injunction to stop NSO from violating its terms of service. It’s also calling on other tech firms to endorse a moratorium on selling spyware proposed by U.N. Special Rapporteur David Kaye.
Spyware companies say their tools are designed for government and law enforcement customers to conduct legitimate surveillance operations aimed at combating terrorism, organized crime and drug trafficking. Critics, however, say the companies turn a blind eye when governments and police use the tools to spy on activists and journalists.
An NSO tool called Pegasus was allegedly used to spy on Washington Post contributing writer Jamal Khashoggi before he was killed last year by people affiliated with Saudi Arabia’s security services. “A friend of Khashoggi, Omar Abdulaziz, has alleged in a lawsuit that his phone was infected with Pegasus without his knowledge and that the malicious software helped the Saudis snoop on Khashoggi,” as my colleagues Craig Timberg and Jay Greene report.
A crux of Facebook’s lawsuit is that NSO actually helped conduct some of the hacking operations rather than simply selling its tools to governments that used them. Specifically, “the attackers used servers and Internet-hosting services that were previously associated with NSO,” Cathcart said, and the company “tied certain WhatsApp accounts used during the attacks back to NSO.”
That distinguishes this from a 2015 case where an unnamed company sold the FBI a hacking tool to bypass encryption on a locked iPhone used by San Bernardino shooter Syed Farook. In that case, Apple urged the FBI to share the hack but never filed a lawsuit.
NSO disputed any direct involvement in its clients' hacking along with other Facebook claims.
“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime,” the company said in a statement. “Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.”
This is NSO Group's response to the lawsuit: pic.twitter.com/MCxAGxyZ4J— Catalin Cimpanu (@campuscodi) October 29, 2019
Anti-surveillance and human rights groups were quick to applaud the lawsuit.
Amnesty International called on nations to revoke NSO’s export licenses.
Access Now called on Israel and the United Kingdom, where NSO parent Novalpina is based, to “take immediate action to forestall more violations.”
Here’s the group’s Executive Director Brett Solomon:
That was echoed by former European Parliament member Marietje Schaake, president of the Cyber Peace Institute launched by Microsoft and other tech companies.
Fascinating! WhatsApp/Facebook attributes attacks of human rights defenders to NSO Group’s surveillance tech, and sues. Great work by @citizenlab that helped expose threats to vulnerable communities. Hope European politicians will move on leading with laws to stop these products https://t.co/ZDt6fzeJHi— Marietje Schaake (@MarietjeSchaake) October 29, 2019
Cybersecurity experts also pounced on the suit. Here's Eva Galperin, cybersecurity director at the Electronic Frontier Foundation:
For a company that claims to care so much about human rights, NSO Group's products sure do keep getting used to target human rights defenders.— Eva (@evacide) October 29, 2019
And a longtime security researcher who goes by the handle The Grugq:
1400 attacks. “at least 100 ‘not obviously criminals’.” That means Facebook just blew 1300 counter terrorism and criminal investigations? Is that right? Cause that seems to be incredibly irresponsible. https://t.co/IK5kEsirQx— thaddeus e. grugq (@thegrugq) October 30, 2019
PINGED, PATCHED, PWNED
PINGED: Six months after the Mueller report revealed that at least one Florida county election system was penetrated by Russian hackers before the 2016 contest, a top election official says the state is ready for any cyberattacks that 2020 might bring, Bobby Caina Calvan at the Associated Press reports.
Florida Secretary of State Laurel Lee declined to provide substantial details, though, from a review of the systems mandated earlier this year by Gov. Ron DeSantis (R). During a news conference she said only that her office is working “to address any weaknesses or vulnerabilities that have been identified in advance of the 2020 election cycle.”
The state is providing more than $15 million in grants to local jurisdictions to beef up election security and will install a $2 million network monitoring system, Bobby reported.
Lee acknowledged security hawks will still keep their eyes on Florida, a key swing state with a history of election problems. “I know Florida will be under great scrutiny when it comes to elections and elections security,” she said.
PATCHED: Ethical hackers gave D.C. lawmakers a firsthand lesson yesterday in how Russia and other adversaries could hack voting machines in 2020, Derek B. Johnson at Federal Computer Week reports. This is the second time this year that researchers connected with the Def Con cybersecurity conference's Voting Village have demonstrated for lawmakers a slew of hackable vulnerabilities they say could undermine the 2020 contest.
Rep. Cedric Richmond (D-La.), who chairs the House Homeland Security Committee's cybersecurity panel, told Derek he hopes the demonstrations will encourage voting machine vendors to fix vulnerabilities. “Sometimes if you can't get the legislation done, either holding the vendors accountable or creating potential exposure or liability for them is another way to motivate them,” he said.
House Homeland Security Chairman Rep. Bennie Thompson (D-Miss.) slammed Republican lawmakers for skipping the event. “It's all for naught if our colleagues on the other side choose to do nothing,” he said.
The committee intends to hold hearings with voting machine vendors before 2020, Thompson said.
PWNED: Google, Cloudflare and 13 other tech companies are pledging this morning to expand how they hire cybersecurity workers, including recruiting beyond four-year colleges, getting rid of certain job descriptions and developing clearer career paths in the field. The initiative comes from the Aspen Cybersecurity group, which says a growing shortage of cybersecurity workers in the United States could put the country at risk of major attacks.
There will be at least 500,000 unfilled cybersecurity jobs in the United States by 2021, according to a 2018 report from the group.
“It should deeply concern all Americans that businesses and government agencies are struggling to find enough cybersecurity workers,” John Carlin, chair of the Cyber & Technology Program at the Aspen Institute, wrote in a blog post.
— Coming up:
- The Judiciary Committee’s subcommittee on crime and terrorism will host a hearing entitled “How Corporations and Big Tech Leave Our Data Exposed to Criminals, China, and Other Bad Actors” on Tuesday at 2:30 p.m. EST.