
WhatsApp sues NSO Group for allegedly helping spies hack phones around the world - adventured
https://www.reuters.com/article/us-facebook-cyber-whatsapp-nsogroup/whatsapp-sues-israels-nso-for-allegedly-helping-spies-hack-phones-around-the-world-idUSKBN1X82BE
======
walrus01
"The Canadian researchers who reported that Israeli software was used to spy
on Washington Post journalist Jamal Khashoggi's inner circle before his
gruesome death are being targeted in turn by international undercover
operatives, The Associated Press has found."

[https://www.cbc.ca/news/technology/citizen-lab-toronto-under...](https://www.cbc.ca/news/technology/citizen-lab-toronto-undercover-israeli-software-1.4994068)

~~~
matheusmoreira
> The truth is that strongly encrypted platforms are often used by _pedophile
> rings, drug kingpins, and terrorists_ to shield their criminal activity.

> Without sophisticated technologies, the law enforcement agencies meant to
> keep us all safe face insurmountable hurdles.

> NSO's technologies provide proportionate, lawful solutions to this issue.

Funny how the same technologies meant to protect children are also being used
to intimidate researchers and kill dissidents and journalists. Nobody could
possibly have foreseen this!

~~~
dandare
Let's not forget, totalitarian governments are way, way more dangerous for their
citizens than any kind of criminals.

~~~
AJ007
This should be upvoted. While the net deaths from murders, drug overdoses, and
manslaughter of various cases might be a really high number, they are not even
close to what a single government can do in a year or a nuclear-armed
government can do in a few minutes.

In regards to the whole NSO thing, I’m completely baffled how their principals
and employees are not on a sanctions list and don’t have arrest warrants out
for them. Consider how much trouble non-malicious hackers have gotten in for
pointing out security holes publicly. What we have here is a company actively
conducting espionage against some of the most valuable public companies in the
United States. Even more egregious, they are targeting those companies’
customers, illegally.

~~~
CapricornNoble
>>>In regards to the whole NSO thing, I’m completely baffled how their
principals and employees are not on a sanctions list and don’t have arrest
warrants out for them.

Lemme see if I can communicate this without committing karmic suicide like the
other responder.... putting an Israeli cybersecurity firm on a sanctions list,
or issuing arrest warrants, is simply a political non-starter in the US. It
would be career suicide for _most_ Congresspeople to take such a position.

------
comex
Link to the actual complaint (PDF):

[https://assets.documentcloud.org/documents/6532395/WhatsApp-...](https://assets.documentcloud.org/documents/6532395/WhatsApp-complaint.pdf)

Always annoys me when news reports leave that out.

Edit: IANAL, but quick take: WhatsApp might succeed, but their case would be
much stronger if they had one or more of the victims as co-plaintiffs. As it
is:

- Their CFAA claim can only cover unauthorized access to WhatsApp’s servers –
but NSO didn’t hack those servers; the servers just fulfilled their normal job
of acting as a relay for WhatsApp messages, except in this case the messages
were designed to exploit other clients. A victim would be able to sue over
unauthorized access to their phone itself. (WhatsApp does also have the
terms-of-service complaint though.)

- WhatsApp can only seek damages for reputational harm the hacks caused to
the company itself - not any kind of harm to the victims. However, they’re
also seeking an injunction preventing NSO from continuing to exploit WhatsApp,
which might be more interesting than damages if they can get it.

~~~
sterlind
_> Their CFAA claim can only cover unauthorized access to WhatsApp’s servers –
but NSO didn’t hack those servers; the servers just fulfilled their normal job
of acting as a relay for WhatsApp messages,_

By that logic a website provider wouldn't have standing if they suffered an
XSS attack (though any affected users would), which is interesting.

IANAL, but it looks like the CFAA defines offenses in terms of the "protected
computer" that was accessed - for instance, unauthorized access to that
computer, or stealing information from that computer, or damaging that
computer.

That seems weird, but the alternative would be weirder: if every computer in
the chain were a violation, the ISP for each hop of the network connection
would have standing together. It's hard to make a case that WhatsApp is
different from a regular router which might also pass malicious messages.

~~~
meowface
That's debatable. Also, it depends if it's persistent, reflected, or DOM-based
XSS. Persistent XSS would be more likely to be considered an attack against
the server/application, though I could see the counterargument as well.
Reflected could go either way, and DOM-based would be the least likely to be
considered a server attack.

------
nostromo
This is the same company (NSO) that helped the Saudis brutally murder and
dismember a journalist.

[https://www.nytimes.com/2018/12/02/world/middleeast/saudi-kh...](https://www.nytimes.com/2018/12/02/world/middleeast/saudi-khashoggi-spyware-israel.html)

~~~
gnode
I find it interesting that NSO, an Israeli surveillance technology company,
was allowed to have such dealings with Saudi Arabia. Their statement that "the
sole purpose of NSO is to provide technology to licensed government
intelligence and law enforcement agencies [...]" implies that their technology
is subject to export controls.

My understanding is that Saudi Arabia has poor diplomatic relations with
Israel.

~~~
nradov
It's complicated. Officially Saudi Arabia has no diplomatic relations with
Israel and considers them as illegal occupiers in Palestine. But that's just
for PR purposes in the Arab Muslim world. However behind the scenes they
frequently cooperate and share intelligence on matters of mutual interest.

~~~
Scoundreller
Thank you for bringing this up.

It reminds me of Canadian telecoms. While they officially compete to extract
more cash from customers, they’ll also call each other up and share
infrastructure instead of duplicating builds.

E.g. Telus built towers in its territory, and Bell did in its, and they just
share them. Much cheaper than redundant builds and customers usually won’t
notice when everyone in the car loses reception at the same time.

Then there’s the stuff that they just do through signalling. Huh, our
“competitor” is going to start charging for incoming SMS _and_ the billing
vendor that we all use just rolled it out as a new feature. Great!

------
____a
An incredible quote: "Defendants subsequently complained that WhatsApp had
closed the vulnerability. Specifically, NSO Employee 1 stated, “You just
closed our biggest remote for cellular ... It’s on the news all over the
world.”"

~~~
chmod775
What are you quoting? That sentence doesn't appear in the article.

~~~
tptacek
They're quoting the actual civil complaint.

------
jrochkind1
Sued them under what law/legal theory?

Wait... is it CFAA? That would be... an interesting door to open!

Found the complaint, yep!

> Plaintiffs bring this action for injunctive relief and damages pursuant to
> the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the California
> Comprehensive Computer Data Access and Fraud Act, California Penal Code §
> 502, and for breach of contract and trespass to chattels.

I like the idea of using the CFAA like this, of that becoming a thing.

Had to find the complaint cause none of the articles I could find on it
mentioned the CFAA, which is weird since that's news.

~~~
tptacek
Civil CFAA (unauthorized access to WhatsApp infrastructure, including their
relay servers, to target WhatsApp users), California's Computer Data Access &
Fraud act (same, but CCDAF also has kickers like specific liability for
spreading malware), breach (WhatsApp has a EULA), and trespass to chattels.

_(sorry, wrote this before you fleshed out your comment, but presumably it's
helpful to someone else)_

------
inglor
My wife works for NSO, Facebook closed down the personal accounts of anyone
working for NSO which is quite the aggressive move. I definitely see things
warming up.

~~~
JumpCrisscross
> _Facebook closed down the personal accounts of anyone working for NSO which
> is quite the aggressive move_

I’m sure your wife is a lovely lady. But NSO Group is a hostile intelligence
asset. They actively undermine Americans and American security interests, here
and abroad.

It’s not only reasonable for American companies to block them and their
affiliates, it would also be reasonable for their travel to the country to be
restricted (or monitored in the way a known spy would be).

~~~
rndgermandude
>I’m sure your wife is a lovely lady.

I am not so sure. People who knowingly work for organizations that help plots
to torture, murder and dismember journalists are not "lovely". She might not
have known about it before, but she does now, and yet she still works for
them.

~~~
mattzzz
Banks did a lot of money laundering for drug dealers, terrorists, etc before
(maybe they're still doing it today) but that doesn't mean all those working
at banks are bad.

~~~
onetimemanytime
If a bank was created with that purpose in mind I guess it's bad. NSO was
created to hack people's phones. I guess there's a legit use, but then, maybe
they got greedy and sold to governments that define "crime" and "terrorism"
quite a bit different from us.

------
pesenti
WaPo Oped [https://www.washingtonpost.com/opinions/2019/10/29/why-whats...](https://www.washingtonpost.com/opinions/2019/10/29/why-whatsapp-is-pushing-back-nso-group-hacking/)

~~~
teh_klev
Paywall.

~~~
tedivm
Just open it in incognito mode to bypass the paywall.

~~~
eli
Or pay for it

~~~
tyingq
That doesn't scale terribly well for urls shared in a public space. How many
subscriptions do I need? WaPo, NYT, Guardian, Financial Times, Medium, Boston
Globe, LA Times, Scientific American, GQ, Epicurious, etc. Those folks should
get together and offer a shared subscription model.

~~~
eli
The economics have never really worked for a shared subscription model despite
many attempts. Apple News+ is the most recent example.

So, yeah, if you regularly read more than the free allocation for each of
those publications in a month, you should consider paying for them. Which ones
you "need" is your call.

~~~
tyingq
I get that it's maybe unsolvable. But in the narrow space of sharing urls on
HN, downvoting complaints about paywalls feels silly to me.

They made their own bed, they can lie in it. I actively work around paywalls,
and have ZERO guilt about it. Your business model failed, and I give zero
shits. I want to know what's happening, and am willing to pay $10/month to
fix that across ALL of you that were affected. If you can't solve it entirely,
I don't care. Take my $10/month, split it, and shut up or quit bitching.

~~~
tyingq
I'm skeptical it would get noticed, but the kind of submission I want to
happen:
[https://news.ycombinator.com/item?id=21393799](https://news.ycombinator.com/item?id=21393799)

------
ENOTTY
It's interesting that WhatsApp is suing NSO for CFAA violations under the
theory that NSO violated WhatsApp's T&C (paragraph 54). This is the same
theory that organizations like the EFF believe is too vague and gives too much
freedom to prosecutors to bring criminal charges against people. So I'm
curious how the EFF will react to this.

------
Jerry2
Where's the DoJ in all of this? Why aren't they filing criminal charges
against the NSO?

~~~
AndrewBissell
Probably for the same reason the Trump admin whitewashed the Khashoggi murder.

------
MikeGale
The architecture of the system is important here too.

1. Do the regimes buy the software and set it up themselves, or does NSO set
it up and they use the service provided?

2. If the former is there a route to go for Saudi, Mexican, UAE, Bahraini...
governments?

\---

~~~
tptacek
You are explicitly (and, if you read Dan's moderator comments, _repeatedly_ )
asked not to conduct public hunts for astroturf comments on HN threads. If you
think you've seen a pattern of corrupt comments, tell hn@ycombinator.com
directly.

~~~
MikeGale
Thanks, I haven't noticed any of those comments. I'll mull that over.

~~~
dang
Appreciated! It's a big deal, which is why I've posted so much about it:

[https://hn.algolia.com/?query=by:dang%20astroturf&sort=byDat...](https://hn.algolia.com/?query=by:dang%20astroturf&sort=byDate&dateRange=all&type=comment&storyText=false&prefix=true&page=0)

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
DSingularity
Lol nice. The lawsuit is requesting as relief a permanent injunction against
NSO barring them from using Facebook and WhatsApp for any reason.

------
lawnchair_larry
I don’t like NSO or what they do, but I don’t think I’m comfortable with the
idea that there is legal liability here.

I wonder how much of that hinges on the fact that the messages had to transit
WhatsApp servers, even if they didn’t actually hack any WhatsApp
infrastructure.

By that same logic, it seems like an SMS exploit targeting a handset could
make you liable to AT&T as well.

~~~
qtplatypus
I am not sure that I am uncomfortable with that. If you are using AT&T's
network to commit abuse then you are disrupting the usefulness of that
network. I think that the equivalent would be if you committed fraud using the
postal system the postal service being able to take legal action against you.

~~~
mcny
I'm very uncomfortable with the criminal aspects of CFAA (US government vs Joe
Small Man) but I think I'm ok with civil cases as long as we agree that we are
not into boats.

~~~
qtplatypus
True. Though I can see some situations where the criminal aspects would be
acceptable. Such as a case where hacking was the proximate cause of
catastrophic harm (like a criminal using an insecure industrial control system
to crash a power grid).

I am almost willing to support criminal aspects in this case. Extrajudicial
killing was a predictable result in giving these tools to repressive
governments.

------
HashThis
They better win. But they probably won't. I love that finally the victim has
the ability to use courts across countries.

~~~
lawnchair_larry
I _really_ hope they lose. If they win, WhatsApp (and by precedent, everyone
else) is less incentivized to invest in technical solutions, and exploits will
still be bought and sold among even shadier players.

Take the Saudis for example. They have a desire to hack phones, an unlimited
budget for hacking tools, and no ethics. The market _will_ create other
players to capture the millions of dollars they have on the table, and they’ll
do it out of reach of the courts.

WhatsApp is facing brand damage because people are hearing that they can get
hacked (and in some cases, possibly die) if they use their software. Their two
options are to either invest in better security, or use the legal system. I
think it’s better for everyone if the only option is for companies to actually
fix their software.

If WhatsApp paid whatever NSO does to acquire bugs, nobody would sell to NSO.

This is the same reason that Apple recently increased their bounty. Nobody was
giving bugs to Apple because the grey market paid more.

~~~
Rarebox
WhatsApp would still be plenty incentivized to make their software secure.
They understand that this wouldn't get rid of the exploit market, or state
actors. I'm sure WhatsApp has been focusing a lot on security lately because
of the brand damage.

Even if it wasn't effective in practice, entering this lawsuit can be seen as
a message to users that WhatsApp is serious about protecting people's privacy.

Setting a precedent here might force remaining actors to stay shady instead of
acting in the open, which would make it harder for them to operate (so they'd
be less effective).

However, I have no idea what other consequences a precedent here might have.
Definitely interesting.

------
chriselles
I’m wondering if this is the specific reason(or one of the reasons) why
serving 5 Eyes military folks I know all seemed to ditch WhatsApp approx 20
months ago.

------
ur-whale
Not everything FB does is evil then ... unless it's a PR stunt, of course.

------
s_dev
If WhatsApp is end to end encrypted then how can spies access messages?

~~~
Medicalidiot
I'm assuming gaining access to the phone itself. This is probably an exploit
via the WhatsApp app that allows privilege escalation of some type.

Note: I'm in the medical field and this is not my expertise.

~~~
s_dev
So Facebook are suing NSO for having hacked Apple's or Google's software?

My point is once end to end encryption is enabled -- no MITM vulnerabilities
should exist. Kind of like how password managers protect your password -- not
even they can see it.

I think this is indicative that Facebook doesn't enable true end to end
encryption so they can read messages themselves but advertise that they don't
to attract the privacy dollar.

~~~
joewee
You misunderstand how end to end encryption works and what the vulnerabilities
were. These are not MITM attacks. I suggest you read the article or the
affidavit, they do a good job explaining what happened.

------
rolltiide
Cooley really making a name for themselves out here

------
ahbyb
I wonder if this will create a precedent?

------
____a
I saw this article earlier and wanted to read comments on it here. It had already
been posted five or six times, but never made it to the front page. Glad it
finally did as it should. But what a weird dynamic.

~~~
jb_s
is there a HN discord or something?

~~~
0xADEADBEE
There's a semi-secret, invite-only, HN Slack channel.

[Edit: I don't think I mean channel but the terminology for what I'm saying
eludes me]

~~~
mike_d
...so how do I get an invite?

------
anon007
Why is the moderator censoring "Israel" out of the title of the original
article?

"WhatsApp sues Israel's NSO for allegedly helping spies hack phones around the
world"

~~~
enjoyyourlife
Because it's a company, not a country. It's like referring to Google as
"America's Google."

Also, the article has nothing to do with Israel besides the company being
located there. Don't try to politicize everything.

~~~
tyingq
It does take a lot of context out. I know what Google is. No idea what "NSO"
is.

~~~
Buge
On the other hand, "Israel's" makes it sound like it's a governmental
intelligence agency rather than a company. Misleading context could be worse
than no context.

~~~
tyingq
Sure... I'm no expert. But "NSO" is CLEARLY not enough context for
readers...full stop.

~~~
dang
On HN, there's no need for every title to explain itself fully, especially
when it's trivial to find out the missing information. It's good for readers
here to have to work a little:
[https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...](https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=by%3Adang%20%22work%20a%20little%22&sort=byDate&type=comment)

Also, many readers have followed this story and know what NSO is. There's no
title that fits the bill for everyone.

~~~
tyingq
I respectfully disagree. A three letter acronym implies shared understanding.
NSA, CIA, GHQ, MI6, KGB, IBM, AMZ, USA, etc, are globally recognized. NSO is
ambiguous and confusing in a headline and demands explanation.

Google tells me that "NSO" is "Nurse Malpractice" for the entire first page
fold. I assume it's similarly unhelpful in other regions for other people.
C'mon, it's not a big, recognized, entity. Wait a year and the problem will be
even more apparent.

~~~
Buge
There have been a number of posts about NSO on HN, and most of them do not say
Israel in the title. But most of them do say "NSO Group" instead of "NSO", so
maybe this title should have said that too. Although you might blame that on
Reuters as well for not having "Group" in their title when that is actually in
the name of the company.

[https://hn.algolia.com/?dateRange=all&prefix=true&query=NSO&...](https://hn.algolia.com/?dateRange=all&prefix=true&query=NSO&sort=byPopularity&type=story)

~~~
tyingq
Good point. "NSO Group" would have helped me a lot, and avoids the immediate
political innuendo. @dang: An obvious compromise.

~~~
dang
Ok, we can do that.

------
kd3
Woooow. I'm almost speechless. Unprecedented indeed. I never would have
expected this from Zuckerberg.

------
londons_explore
WhatsApp _still_ processes complex data from any stranger in the world
entirely without a sandbox. Its E2E encryption is like sending and receiving
messages with a top security truck, but then on arrival, storing them in a
tent.

The fault here really relies on the design of WhatsApp. Not the thieves who
saw an open door.

~~~
saagarjha
What kind of sandbox should WhatsApp have used?

~~~
olliej
A magic one that fixes all security holes of course :)

More seriously: I thought they popped WhatsApp on iOS as well? That would
imply sandbox escape there as well - although the default iOS sandbox is more
a quarry :)

~~~
tedunangst
Rooting an iphone is certainly useful, but just having access to all of a
target's WhatsApp messages would also be very interesting to NSO's customers.
Further, WhatsApp likely has permission to access photos, etc.

------
einpoklum
Hmph... pot calling the kettle black.

Facebook (which owns WhatsApp) engages in mass surveillance / info gathering /
spying on its users. It does so on behalf of its paying clients (= not the
users); and also on behalf of the US government: The NSA gets a copy of most
of everything (as we know following Snowden's revelations).

So, Facebook definitely intrudes on people's privacy, even if it doesn't "hack
phones".

Still, I wish _both_ companies had to face harsh consequences for their
conduct.

~~~
tw04
Facebook has been selling information about journalists to governments who
intend to assassinate said journalists? Do you have a source for that claim?

Otherwise equating the two is ridiculous.

~~~
einpoklum
Facebook has been giving out information for free, about all people, including
anyone the US intends to assassinate, to the US government.

Whether the US government was actually intending to assassinate any of
Facebook's users - I have no idea; I don't have access to the assassination
lists the president signs.

