
NSO hacked WhatsApp to spy on top government officials at U.S. allies - lladnar
https://www.reuters.com/article/us-facebook-cyber-whatsapp-nsogroup/exclusive-whatsapp-hacked-to-spy-on-top-government-officials-at-u-s-allies-sources-idUSKBN1XA27H
======
milofeynman
The article doesn't really say what hackers had access to, but it sounds like
they had full control over their phones. There is a lot bigger story here and
I'd love to read a post-mortem in a few months.

Also, WhatsApp is such an obvious target for a state actor. I saw several
articles over the last year that mentioned Jared Kushner using WhatsApp, so I
assume a lot of government folks use it for off-the-books "encrypted"
communication.

~~~
vocatus_gate
A buddy of mine is Special Forces (U.S.). He said JSOC recently banned use of
WhatsApp and encouraged everyone to switch to the open-source Signal (another
encrypted messaging app). Allegedly WhatsApp uses Signal's encryption
(OpenWhisper) but I stopped trusting it the second Facebook bought them out.

~~~
dan-robertson
If one assumes that WhatsApp are implementing the protocol as well as Signal
are (which I do), then I think there are three questions in deciding which is
more secure:

1. Do you trust Facebook (or Open Whisper Systems) with your metadata/expect
them to delete it?

2. How likely are there to be bugs (in the app, not in the protocol itself)
which lead to exploits? On the one hand WhatsApp probably have more people
working on the app and likely more security people too. On the other hand they
may be pushed to add more features, and having lots of code churn may introduce
security holes.

3. How much work will be put into exploiting each app? On the one hand more
people use WhatsApp, but on the other, I guess security-conscious people may be
more likely to use Signal.

A known exploit in WhatsApp happened due to 2, with a bug in how audio calls
were initiated. I don't really have a good guess as to how the apps compare on
points 2 and 3, but I guess WhatsApp loses on 1. A more practical point is that
it's likely easier to convince someone to use WhatsApp than Signal, especially
for group chat.

~~~
lostcolony
'On the one hand WhatsApp probably have more people working on the app'

From a career in software development, I tend to feel that the more devs, the
buggier. Maybe, MAYBE (number of QA)/(number of devs) = reliability
coefficient.

~~~
carlmr
Correlates with my experience, too; however, the size of the QA team is not a
reliable indicator. I've seen it first hand where the QA team is huge but doesn't
have good devs, only people that point out process flaws.

~~~
wolco
A QA team is trying to find bugs in the current release. They are not
looking for MITM attacks or misuse. That would be more the security people, who are
generally looking for more obvious issues at the network level.

------
_trampeltier
"Prior to notifying victims, WhatsApp checked the target list against existing
law enforcement requests for information relating to criminal investigations,
such as terrorism or child exploitation cases. But the company found no
overlap, said a person familiar with the matter. Governments can submit such
requests for information to WhatsApp through an online portal the company
maintains."

There is already an official backdoor, or how should I understand that?

~~~
sandworm101
You have it correct. Nearly every major US provider maintains some sort of
online interface for law enforcement to submit requests. The level of
information provided via these means varies, but they are obligated to respond
to legitimate requests with whatever data they have on hand.

Don't like it? Go with a security-minded service like Signal. Or, better yet,
something totally serverless and open source.

~~~
_trampeltier
I don't use WhatsApp. But if they have an official backdoor, then it's not
really E2E encrypted. Until now I thought, at least the official statement
was, that WhatsApp is truly E2E encrypted. Just that.

~~~
sandworm101
Maybe they are. But they would still have non-content timing, location and
connection data. That is just as useful as message content.

------
denzil_correa
> Sources familiar with WhatsApp’s internal investigation into the breach said
> a “significant” portion of the known victims are high-profile government and
> military officials spread across at least 20 countries on five continents.

Welp!

~~~
3pt14159
I know a military contractor working on stuff for non-NATO air forces. These
guys use WhatsApp for everything. It blew my mind.

~~~
inglor
Fun fact, a few of my friends and even family work for NSO and until recently
they used WhatsApp for their own internal communication.

They literally moved off it a few days ago when shit hit the fan into more
secure software because Facebook is targeting NSO employees.

~~~
faizshah
Specifically what more secure software? I'm looking for a secure messenger now.

~~~
Permagate
Signal is usually one of the more popular ones as a more secure alternative.

------
d47gktid
This seems like a disinformation campaign aimed at diverting attention from
the fact that the governments of the human rights activists and human rights
lawyers themselves used Pegasus from NSO to target them.

Many of the Indian activists, journalists, lawyers who were targeted are
working for low caste victims of false cases filed against them. John from
Citizen Lab personally called them and told 'Your government attacked you'[0].

If anyone from Citizen Lab/WhatsApp is reading this, please corroborate with
evidence that the governments themselves spied on its citizens when these
activists sue them in court.

[0]: https://scroll.in/latest/942218/nagpur-lawyer-notified-by-whatsapp-of-surveillance-says-bhima-koregaon-accused-were-also-targetted

~~~
qtplatypus
How is this disinformation? The story says that NSO was used to target human
rights advocates.

------
inglor
Don't forget that some disgruntled employee stole the software a few years
ago. So who knows who has access to this.

[https://m.calcalist.co.il/Article.aspx?guid=3741738](https://m.calcalist.co.il/Article.aspx?guid=3741738)

~~~
heyoni
That website made my screen go black and my phone get hot!

~~~
LilBytes
That wasn't just me!?

------
blotter_paper
Which is hilarious and hypocritical, since the government keeps talking about
making end-to-end encryption apps illegal to distribute without backdoors. Now
they're using an encryption app with a backdoor,* and they're upset about it?
I thought this is what they wanted!

*I know, I know, this probably wasn't done with a backdoor -- it's just funnier to lie in this context.

~~~
fouric
Hypocritical? How many of your personal secrets (or even your corporate
secrets) would cause >= thousands of people to die or >= billions of taxpayer
dollars to be lost if they were leaked?

~~~
fmihaila
> How many of your _personal_ secrets (or even your corporate secrets) would
> cause >= thousands of people to die or >= billions of taxpayer dollars to be
> lost if they were leaked?

Personal means, and should continue to mean, something. I'm not willing to let
governments define what is personal to me.

------
e12e
Citizen Lab's write-up: https://citizenlab.ca/2019/10/nso-q-cyber-technologies-100-new-abuse-cases/

------
chadlavi
No one who wants to talk securely should ever use a Facebook-owned channel in
the first place.

~~~
gpm
It depends who your adversaries are.

It's one thing to say "they shouldn't use a facebook channel to talk
securely", it's another to say "they shouldn't use a facebook channel on the
same device as they use another channel to talk securely". My understanding of
this was that it is the latter.

Unfortunately people often don't have the luxury of doing the latter.

~~~
dotancohen
> Unfortunately people often don't have the luxury of doing the latter.

What? Just don't install the Facebook or other social apps. I do have
Telegram, but no other social media apps on my phone. If you need to
communicate, then SMS / MMS / telephone is fine. What can be done with
Facebook that cannot be done with normal SMS or MMS or phone calls or video
calls?

~~~
gpm
I also don't have any Facebook apps on my phone, but from what I understand
there are countries where WhatsApp is how a lot of business is done. If you
can't afford the time and opportunity cost of avoiding those businesses, you
have to install it.

~~~
dotancohen
I actually do live in a country where people expect you to have WhatsApp, both
for personal and for business use. And I still don't install it.

------
lewiscollard
The bad guys will find out first.

Back when I first heard that, the bad guys were bored and/or hyperactive
teenagers who understood how computers work. Today we are talking nation-state
actors and nation-state-sponsored actors with practically unlimited resources.

Keeping your code secret will not stop them, cf. WhatsApp. "Responsible
disclosure" will not stop them either, and sets up all the wrong kinds of
incentives for vendors to sit on problems until just before the "responsible"
disclosure window closes. And FFS, there are still grown adults that believe
building backdoors into E2E won't be exploited by the bad guys first, insofar
as they are not the bad guys themselves.

I only have questions, not answers, and I don't know what we do from here.

~~~
nullandvoid
We have to make this knowledge, that closed-source systems are not safe, more
widespread and more approachable to the layman.

It will take time, but generations are slowly waking up to the bullshit. We
need to be able to run open source code on servers in a transparent and
reportable way that everyone can understand.

I see services like WhatsApp taking the stance that it is essential. It's the only
place I (barely) feel like I can speak my mind when chatting with non-tech-savvy
friends (to whom it would be a hard sell to get them to install anything
else more rock solid). I really hope we can adopt widespread E2E encrypted
chat platforms moving forward and don't regress on this front, else it will be a
sad future.

------
tomcooks
Use Matrix (Riot.im is a great client)

Or Signal, but without the phone number signup

~~~
jokoon
How do you sign up without a phone number?

------
rattray
The article claims that "a flaw in WhatsApp-owned servers" was used to "take
over users’ phones".

This seems to imply that the hackers were able to escape from the WhatsApp
mobile app to perform other actions on the phones.

How would this be possible?

Or is this just likely careless journalism, and the exploit was that the
server breach allowed the attackers to exfiltrate WhatsApp data only?

~~~
roywiggins
The article says: "The Facebook-owned software giant alleges that NSO Group
built and sold a hacking platform that exploited a flaw in WhatsApp-owned
servers to help clients hack into the cellphones of at least 1,400 users."

The actual complaint reads: "Between in and around April 2019 and May 2019,
Defendants used WhatsApp servers, located in the United States and elsewhere,
to send malware to approximately 1,400 mobile phones and devices (“Target
Devices”). Defendants’ malware was designed to infect the Target Devices for
the purpose of conducting surveillance of specific WhatsApp users (“Target
Users”). Unable to break WhatsApp’s end-to-end encryption, Defendants
developed their malware in order to access messages and other communications
after they were decrypted on Target Devices. Defendants’ actions were not
authorized by Plaintiffs and were in violation of WhatsApp’s Terms of Service.
In May 2019, Plaintiffs detected and stopped Defendants’ unauthorized access
and abuse of the WhatsApp Service and computers."

https://context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf

In other words: WhatsApp does not allege a server breach. It alleges that
phones were hacked via carefully crafted messages that triggered an exploit[1] on
the phones, but to do that, the hackers sent the messages via WhatsApp servers.
They mention that because otherwise they would have less of an argument to
sue over. As far as I can tell, they're alleging that NSO Group was part of a
scheme to interfere with the WhatsApp relay servers and to break the TOS,
stated several different ways under different theories and laws.

[1] This one: https://nvd.nist.gov/vuln/detail/CVE-2019-3568

~~~
hughw
To prove NSO used WhatsApp servers, I suppose WA will have to present
inferences from metadata it recorded and saved. So WA will be required to
demonstrate how much can yet be learned about its users by passing
communications through its servers.

------
TaylorAlexander
“WhatsApp did not identify the clients of NSO Group, who ultimately chose the
targets.”

------
beentheretwice
That's really funny, because a friend of mine used to work there and always
talked about how all the internal, very classified communication was done via
WhatsApp!

------
kraf
What's the deal with the end-to-end encryption here? I don't understand. If
you get control over the server, you can circumvent it with WhatsApp? How did
the attackers get hold of the private keys?

~~~
iicc
[https://news.ycombinator.com/item?id=21411312#21413086](https://news.ycombinator.com/item?id=21411312#21413086)

------
swiley
I’m shocked! I would have never expected this! Having a single organization so
specialized in the particular domain handling nearly _everyone’s_ data getting
hacked? How ridiculous!

Apple have single handedly done the internet a gross disservice by not making
it easy for users to set up webhooks for push notifications. If it weren’t for
that chat would have a chance at being sane.

------
misiti3780
How people go to work at NSO Group is beyond me. They must pay really well.

------
laegooose
I hate Facebook just like everyone else, but doesn't it have more resources to
spend on WhatsApp security than the Signal Foundation? Yes, Signal is open source,
but how many people are actually looking for its vulnerabilities full-time?

~~~
callalex
Just because Facebook can doesn’t mean they will. Justifying security research
budgets is notoriously difficult in the corporate world.

------
inglor
I am just confused that NSO are getting all the flak for this when there are
many bigger players in the market (like Verint) peacefully happily doing the
same thing for years.

Of course, I don't think this particular report is correct (I am sure the US
spies on its allies like all big countries, but I doubt it would need NSO, and
given the US regulates the body that regulates who NSO is allowed to sell to,
I doubt it).

------
freeplay
But I thought WhatsApp was end-to-end encrypted?

~~~
mikece
If you want security, your top choices, in my opinion, are Signal and Wire -- and
I like Wire better because I can sign up with a burner account or a seemingly
random alias on my ProtonMail account.

But don't just take my word for it -- here's a good place to start your own
research:
[https://www.securemessagingapps.com/](https://www.securemessagingapps.com/)

~~~
amai
Why is WeChat missing from that list?

~~~
csunbird
They do not offer E2E encryption and, as we all know, the Chinese government does not
believe in privacy.

------
gesman
So I wonder about ways of implementing secure communications using an untrusted
device over untrusted channels.

~~~
inglor
You can just encrypt it before typing it in and send the encrypted text, so the
cleartext is never on the device. It's just not convenient at all, though
theoretically this can be a separate device that is not connected to the
internet.

------
feelthepress
Earlier this month the DOJ asked Facebook to "halt end-to-end encryption" by
adding a backdoor to all of Facebook's apps. Perhaps this is a reason.

https://www.engadget.com/2019/10/03/doj-facebook-end-to-end-encryption-whatsapp-instagram-messenger/

~~~
RaiseProfits
Why would Facebook comply?

~~~
tomcooks
Why wouldn't a company of that size comply?

~~~
RaiseProfits
It’s an unnecessary cost and hurts whatever brand value remains.

------
jonplackett
What are Israel doing to get so good at this and chip design and weapons
making and everything else they seem to be really good at?

There are only about 8 million people in the whole country. There are plenty of
cities with more people than that.

How come they punch so far above their weight?

~~~
dependenttypes
I presume that most people will disagree with this, but I believe that it is
related to Jewish people on average being generally smarter than a non-Jewish
person. Consider for example:
[https://en.wikipedia.org/wiki/List_of_Jewish_Nobel_laureates](https://en.wikipedia.org/wiki/List_of_Jewish_Nobel_laureates)

> "Nobel Prizes[note 1] have been awarded to over 900 individuals,[1] of whom
> at least 20% were Jews, although the Jewish population comprises less than
> 0.2% of the world's population"

This is also true in my personal experience as well. A lot of my professors
had Jewish ancestry and are some of the smartest people that I know. A lot of
famous computer scientists have Jewish ancestry too (Sussman, Stallman, etc).

~~~
colordrops
It's a dangerous path: saying that one race is smarter directly implies that
another race is dumber. That sort of dialogue is completely taboo, at least in
the US.

~~~
democracy
What about Obama's American exceptionalism speech? Seemed to be accepted fine.

~~~
markdown
Do you really not know the difference between nationality and race? There are
people of every race and creed in the US.

~~~
democracy
I do actually, but in this context it doesn't really matter. Does any non-first-generation
immigrant say "I am 10% Irish, 10% Jewish from the Russian
Empire, 50% Welsh and 30% Italian"? Maybe some people do, but in reality you say
you are an American. And for most of the world that's how it sounds anyway.

------
rapnie
Anybody using Oversec? I am not using it, but the concept sounds good.

> Oversec constantly monitors the text on your screen. When it finds an
> encrypted text, it tries to decrypt it and then shows the decrypted text as
> an overlay in place of the encrypted text.

> In order to encrypt a text, Oversec shows a button next to an active input
> field. After having entered the secret text, tapping that button makes
> Oversec read the text, encrypt it and put back the encrypted text into the
> field. It is now ready to be sent in the subjacent app as usual - the app
> doesn't even know that it is sending encrypted data!

[https://www.oversec.io/](https://www.oversec.io/)

Edit: Created a separate submission at
[https://news.ycombinator.com/item?id=21414464](https://news.ycombinator.com/item?id=21414464)
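
The idea in the two comments above (inglor's "encrypt it before typing it in" reply further up and the Oversec description here) is an outer encryption layer that the messenger never gets to see inside: the plaintext only ever exists on a device or component the messaging app does not control, and the app, its servers, and anyone who compromises either only ever handle ciphertext. The following Go program is an added illustration written for this thread; it is not Oversec's code, not WhatsApp's or Signal's, and not any real protocol. It assumes the two parties already share a secret exchanged out of band, derives an AES-256-GCM key from it with SHA-256 over a constructed label (a real design would use a proper KDF), and models the three things a practitioner would want to check: the relay never sees plaintext, the recipient recovers the exact message, and any byte modified in transit, or a wrong key, is rejected rather than silently producing garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// keyLabel is a constructed domain-separation string for this example only;
// it is not part of any messenger's protocol.
const keyLabel = "hn-example/outer-layer/v1"

// deriveKey turns a secret shared out of band between the two offline devices
// into a 256-bit AES key. SHA-256(label || secret) keeps the example short;
// a real deployment would use a proper KDF such as HKDF.
func deriveKey(sharedSecret []byte) []byte {
	h := sha256.New()
	h.Write([]byte(keyLabel))
	h.Write(sharedSecret)
	return h.Sum(nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealForTransport runs on the trusted (offline) side. Its output is the only
// thing that is ever typed into the untrusted messenger: base64 text carrying
// nonce || ciphertext || GCM tag.
func sealForTransport(key, plaintext []byte) (string, error) {
	gcm, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	out := append([]byte(nil), nonce...)        // nonce travels in the clear
	out = gcm.Seal(out, nonce, plaintext, nil) // ciphertext and tag appended
	return base64.StdEncoding.EncodeToString(out), nil
}

// openFromTransport runs on the recipient's trusted side. Anything the phone,
// the relay, or an attacker in between changed fails the tag check.
func openFromTransport(key []byte, armored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(armored)
	if err != nil {
		return nil, err
	}
	gcm, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(raw) < n+gcm.Overhead() {
		return nil, errors.New("ciphertext too short to contain nonce and tag")
	}
	return gcm.Open(nil, raw[:n], raw[n:], nil)
}

// relaySeesPlaintext models a naive check by a compromised app or relay:
// does the text it forwards contain the message? With the outer layer it never does.
func relaySeesPlaintext(armored string, plaintext []byte) bool {
	return bytes.Contains([]byte(armored), plaintext)
}

// tamperInTransit models a relay that alters one byte of what it forwards.
func tamperInTransit(armored string) string {
	raw, err := base64.StdEncoding.DecodeString(armored)
	if err != nil || len(raw) == 0 {
		return armored
	}
	raw[len(raw)-1] ^= 0x01
	return base64.StdEncoding.EncodeToString(raw)
}

func main() {
	key := deriveKey([]byte("constructed shared secret for the example"))
	msg := []byte("the phone only ever carries this in sealed form")

	sealed, err := sealForTransport(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("what the messenger and relay see:", sealed)
	fmt.Println("relay sees plaintext:", relaySeesPlaintext(sealed, msg))

	got, err := openFromTransport(key, sealed)
	fmt.Printf("recipient decrypts: %q (err=%v)\n", got, err)

	_, err = openFromTransport(key, tamperInTransit(sealed))
	fmt.Println("tampered copy rejected:", err != nil)
}
```

What this does not solve is the part the thread is actually about: an exploit that takes over the phone can read the screen, the keyboard, or an overlay like Oversec's as easily as it reads the app's own message store, which is why the reply above ends with "a separate device that is not connected to the internet". The outer layer only helps when the sealing and opening happen on hardware the compromised app cannot reach.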

------
markus_zhang
Israel has some companies who are really good at this. I recall a story about
the Saudis purchasing service from some Israeli companies to spy on other's
cellphones.

~~~
mmanfrin
That was literally NSO. They were the company that gave the Saudis access to
Jamal Khashoggi's phone.

------
cloudyo
Sometimes you just feel like using Signal instead

~~~
blotter_paper
I mean, Signal is open source and not owned by Facebook, so I'm not sure why
anybody uses WhatsApp instead.

~~~
shantly
Last I checked Signal's UX was worse enough that I'd be fighting a real uphill
battle to get my friend group to switch.

~~~
blotter_paper
That's reasonable. I suppose I'm lucky to have a friend group that universally
prefers open source software to good UX -- there was never really a question
for us.

~~~
smeyer
It's a little eye opening to me that anyone could have a friend group that
"universally prefers open source software to good UX".

I have and use Signal with some friends, but there are also loads of people I
communicate with who couldn't even tell you what open source software is, let
alone articulate a preference for it over good UX.

Are all of your friends software engineers and/or technophiles?

~~~
lightedman
"It's a little eye opening to me that anyone could have a friend group that
"universally prefers open source software to good UX"

Plenty of us still prefer using command-line to this very day. Most of my work
is still done on DOS 6.22.

~~~
smeyer
I like the command line and it doesn't surprise me that other people do too.
What surprises me is that there are people where an entire friend group
universally prefers open source over good UX, since plenty of my friends
couldn't tell you what the terms "command line", "open source", and "UX" mean.

------
rshnotsecure
Dozens of tech companies around the world that were established in the last
4-5 years were done so entirely for the purpose of being fronts for spy
agencies to engage in the vast collection of data.

This extends also to shipping, licensing, and auditing companies.

One example is
[https://www.pacificbasin.com/en/fleet/fleet.php](https://www.pacificbasin.com/en/fleet/fleet.php)

Somehow they've managed to assemble the world's 2nd largest cargo fleet in
terms of dry weight tonnage, all verifiable on
[https://marinetraffic.com](https://marinetraffic.com) btw, and yet they
appear on NO LISTING ANYWHERE for the top 100 cargo companies.

That company is a front for the Chinese military, because if you do a reverse
WHOIS search you will see [http://pacbasin.com](http://pacbasin.com) was also
registered by the same organization...it is an autonomous drone hardware and
extended flight operations firm. There is more to say there, but I will leave
it at that.

Other firms have been espionage operations since day one, or were
acquired at some point and repurposed as spy outfits. This list includes both
Western and Eastern powers:

NSFOCUS Global

psychz.net

mimecast.com

terra.net

protonmail.com

creditkarma.com

ipvm.com

ClearDDOS

Neuvector

Multacom

HighWinds

Black Oak Computers

IT7 Networks

Ramnode

Gorilla Servers

Digital Core

InMotion Hosting

Choopa

LeaseWeb

StackPath

Voxility

Perfect International

~~~
opkr
The rise in shipping company fronts may potentially be attributed to miniature
nuclear weapons payloads within shipping containers for rapid and unstoppable
payload delivery at close proximity to enemy lines.

Btw intelligence agencies are using invisible image watermarking technologies
to track users.

~~~
rshnotsecure
Can we talk? One concern we had was that these cargo ships, some subset of the
220, have nuclear weapons onboard that the crew isn’t even aware of. Much like
how the soviets used to hide their ICBMs in train cars that move around, this
makes tracking these things really hard.

[email address redacted]

------
tareqak
[https://news.ycombinator.com/item?id=21411403](https://news.ycombinator.com/item?id=21411403)
is a later post, but uses the original title.

------
cloudyo
Welcome, Signal

~~~
otachack
Also Keybase and Telegram (need to enable E2E for a given conversation,
though).

------
eternalban
The name of the company is "NSO Group". NSO is too close to NSA.

Please correct it.

