Hacker News new | past | comments | ask | show | jobs | submit login
WhatsApp voice calls were used to inject spyware on phones (ft.com)
938 points by EwanToo 8 days ago | hide | past | web | favorite | 282 comments





Interesting!

Google's Project Zero team investigated WhatsApp's and Facetime's video conferencing last year:

"Overall, WhatsApp signalling seemed like a promising attack surface, but we did not find any vulnerabilities in it. There were two areas where we were able to extend the attack surface beyond what is used in the basic call flow. First, it was possible to send signalling messages that should only be sent after a call is answered before the call is answered, and they were processed by the receiving device. Second, it was possible for a peer to send voip_options JSON to another device. WhatsApp could reduce the attack surface of signalling by removing these capabilities."

"Using this setup, I was able to fuzz FaceTime calls and reproduce the crashes. I reported three CVEs in FaceTime based on this work."

WhatsApp: https://googleprojectzero.blogspot.com/2018/12/adventures-in...

Facetime: https://googleprojectzero.blogspot.com/2018/12/adventures-in...

In both cases, the close source nature of the applications stymied their efforts. Looks like NSO was willing to spend more time and resources!


NSO wasn't the group that did the WhatsApp hack. They are the software the hacker installs after they exploit has been found.

In both cases, the close source nature of the applications stymied their efforts.

Why do you say that? In the WhatsApp case, they were able to repeatedly modify the code and also yank it out and run it in their own controlled environment, etc.


From my experience, working with real source from the repo with comments etc is very different than working with reverse engineered binaries.

That's probably what they're referring to.


The post says "the close[d] source nature of the applications stymied their efforts" not "finding security bugs is harder than not-finding security bugs". I didn't read anything in the linked post that supports the former statement, the latter one (or variants) seems obvious.

I literally just attended Natalie Silvanovich's talk at Infiltrate. Very interesting work.

It's not just the NSO group. Hacking Team is not exactly shy about the services they offer.

https://en.wikipedia.org/wiki/Hacking_Team

FinFisher: https://en.wikipedia.org/wiki/FinFisher

MiniPanzer: https://en.wikipedia.org/wiki/MiniPanzer_and_MegaPanzer


Yeah, there's a cottage industry of security firms who sell exploits to the U.S. government directly or indirectly through big defense contractors. Many, and I personally have assumed _most_ (but without checking), are American firms.

And, frankly, the Israeli industry has much to gain by advertising their prowess in order to bolster their IT security bone fides internationally. American firms are probably more discrete, so tabulating widely published exploits by country of origin wouldn't be a great metric to determine which country is doing the most work crafting exploits.


>the Israeli industry has much to gain by advertising their prowess in order to bolster their IT security bone fides internationally

Absolutely. The Israeli Cybersecurity brand is built partially on such (sometimes unsubstantial) PR.

The bubble is doing well though! almost 500 startups, > 1Billion$ VC funding in 2018 alone. Devs are happy.


Curious as to why you think it's a bubble. Israeli startups have had many successful exits in recent years, although mostly acquisitions, and not many big flops.

It's just my unsubstantial opinion. Too many players raising too much money in a consolidated market. Bar some notable exceptions (NSO), this herd of misguided lemmings has one way out - acquisition by Checkpoint/Imperva/SalesForce.

But maybe I'm wrong and we'll see 100 Mobileyes in the coming decade.


At the risk of being pedantic- did you by chance mean "unsubstantiated"? :-)

unsubstantiated (adj)- not supported or proven by evidence.

unsubstantial (adj)- lacking material substance


Thanks. Your correction is welcome and not pedantic at all (it's rather substantial). More so as I've repeated this mistake twice.

> it's rather substantial

I see what you did there.


Oh, in case you meant infosec in particular, you might be right, I don't really know much about this industry.

Yes the numbers given above are just for the cyber sector.

Wow! I had no idea there was a whole industry selling spyware to dictatorships. Surveillance equipment, yes, but not actual hacking tools. Really sickening. Must be why governments in Europe are so afraid of Huawei building 5G networks - they will only run Chinese spyware.

Huawei's equipment will almost assuredly run anyone's spyware. Huawei uses a medley of ancient, highly vulnerable OpenSSL libraries sprinkled through their basestation code, and apparently they've forgone any kind of version control to ensure an optimally confusing work environment for their development teams: https://hmgstrategy.com/resource-center/articles/2019/04/04/...

Frankly, these products are likely unmaintainable long term without a total refactoring of the codebase, nevermind the abject lack of security.

The trick with these vendors is the codebase will never see serious improvement, as these basestations aren't going to be sold for the next decade, so Huawei will do the bare minimum and shelve support in short order.


Huawei's software development practices seem quite horrifying. Critical systems like these ideally would be written in specially-designed programming languages that support mathematically proving correctness (Coq comes to mind). There's probably still room in the programming language design field to create new languages that are user-friendly but also integrate Coq-like systems plus other verifiability and correctness techniques into the language itself.

If you find that horrifying, don't look at Cisco CVEs ;)

Or Juniper's constant flow of new CVEs, they are a popular alternative to Cisco that many ISPs use heavily :P

Network security is piss poor, most of these vendors add vulnerabilties atop secure distros (OpenWRT, Debian, etc) and flog it as the best thing since sliced bread.


It's not that much different from mercenary outfits like The Company Formerly Known As Blackwater. They offer services to all sorts of unsavory regimes. Hackers for hire are just another iteration on the idea.

No, it is very much dissimilar. Security personnel who work for Blackwater make a conscious decision to do so and are flown overseas to physically enact Blackwater's business decisions. Many (maybe most?) of the people who sell vulnerabilities and (to a lesser extent) exploitation tools to spyware firms are selling through brokers, and aren't directly connected to the ultimate end purpose of their work.

You can say that people who sell vulnerabilities to unaffiliated-seeming, neutral-seeming, innocuous-seeming brokers ought to know better where their work is going to end up, and I suppose that's true, but it's still not the same dynamic as exists with Blackwater.


Normally I agree with you on almost everything in this realm, since, well, it's your field of expertise.

But XE/Blackwater/whatever has plenty of support staff enabling operators overseas. Just because you don't carry an M4 while you cash your check from the organization doesn't mean you aren't helping them in their missions.

If you sell vulns and tools to spyware firms, you know exactly who the most likely high bidders are. It ain't the Bill and Melinda Gates Foundation.


Those people actually work for Blackwater. People who sell vulnerabilities by and large have only a vague idea of their customers. Many exploit developers would, for instance, draw a line between enablement of FVEY national SIGINT and shady spyware shops like NSO, and can rationalize that it's the good guys who are getting their bugs.

I'm not saying that makes it OK (I think the opposite thing, in fact, though I feel like I always need to add the disclaimer that the kinds of bugs that have commercial/operational relevance aren't the kind I develop). I'm saying that the dynamics are different than they are with Blackwater.


I think your mental model of how blackwater (and other contracting firms) works is off.

The vast majority of employees at these firms work for Aramark, or its equivalent.


If that's the case, I stand corrected, and they're actually pretty similar.

This kind of story in particular sure reads like digital mercenaries to me. It's not quite the same as what Hacking Group does! But a shady corporation hired former NSA hackers and partnered closely with the UAE to the point that the hackers themselves get cold feet because they learn exactly what their consulting was being used for.

I don't know enough about Hacking Group to know how closely they work with the people they sell to.

https://www.reuters.com/investigates/special-report/usa-spyi...


It wouldn't even matter if Huawei doesn’t and has never used their position in infrastructure to conduct spying or surveillance. The very fact that they’re entirely reliant on the Chinese government makes them (and any of their employees on an individual level) vulnerable to Chinese policy needs, now or in the future.

I don't quite understand the Huawei analogy. NSO isn't partnering with Israeli companies to preinstall malware on their stuff. So I don't see how this is an indication that a Chinese version of NSO will partner with Huawei to preinstall malware on Huawei stuff. If NSO can hack American software, then Chinese NSO can hack American software too.

The Israeli military-industrial ELINT industry and C4I people sell stuff to all sorts of authoritarian regimes. Even the ones that the US and UK won't touch.

Based on the Phalcon affair I don't think Israel exports to anyone the US didn't want them to have it, the last time they tried it basically toppled an Israeli government.

Why should a RAN have Internet connection?

IIRC FinFisher was founded by the same guy who created Backtrack (now Kali Linux)?



You the real mvp. Thanks.

Thanks!



I guess these types of vulnerabilities could be placed intentionally. It would allow certain agencies to again access via "exploit" and all the while claim they support user privacy. These companies are under pressure from governments (like the recent Australian government law to requiring access to encrypted messages). Seems like a decent solution for company and governments.

The industry calls this a "bug-door" and yes, plausible deniability is key. Most of this has been hypothetical possibility. This case does not fit that bill though as the vendor discovered it was being used by another country, prevented the exploit against a user, fixed it, and alerted the authorities. Would be more peculiar if it was a US-based company selling the spyware.

Do a Google search for "underhanded C contest".

It's not a decent solution, because it doesn't take much to find these vulnerabilities, just a matter of time.

But time is enough. New bugs can be introduced with the next update.

The update can be analyzed to see what was changed, even if we only have the binary executable. If we know that an app contains intentional bugs, just looking at where the update made changes could eliminate a lot of looking & find the bugs even faster! There are many automated tools that can do this too, eg. Fuzzing. The updates can also hint us where the previous bug was and what to look out for in the future.

So, nope. Introducing security bugs and backdoors just makes it insecure for everyone.


Oh, so you are reverse engineering and thoroughly analyzing every WhatsApp update? That's reassuring. Cause otherwise I'd have said nobody does this on a regular basis which would mean it still is a viable method.

It could be a very lucrative business. Some companies pay up to a million dollars for a WhatsApp bug https://zerodium.com/program.html

There is also a black-market that can be even more lucrative. A bug could be jackpot for criminals.

See also https://en.m.wikipedia.org/wiki/Market_for_zero-day_exploits

So yes, I'm pretty sure that there are various teams, including white-hats such as Google, black-hats, nation-states such as China / Russia, analyzing each and every update.

There was also an interesting article on hackernews a while back demonstrating the technique, there are some nice tools for this. Sorry, can't find the link now.


Their is an entire industry that either is already or definitely would be doing this if there were deliberate bugs in Apps.

There is, and there are.

There's also the curiously peculiar, and consistent, wording from companies that deny their involvement in programs such as PRISM [1]. As people seem to have forgotten about PRISM, NSA slides not meant for public consumption stated it enabled "extensive, in-depth surveillance on live communications and stored information" with examples including email, video and voice chat, videos, photos, voice-over-IP chats (such as Skype), file transfers, and social networking details.

But here's the fun part. Here are the corporate denials:

- Google: "We have not joined any program that would give the U.S. government direct access to our servers."

- Apple: "We do not provide any government agency with direct access to our servers."

- Facebook: "We do not provide any government organization with direct access to Facebook servers."

And so on. An exploit with plausible deniability enables these companies to make these comments completely truthfully, and at least mostly truthfully if they claim they are not providing a backdoor. But more to the point, there is absolutely no reason these companies would all say "direct access" as that's very specifically a subset of "access." If you do not facilitate direct or indirect access, why would you not simply say access? If this were a one-off thing, that'd be one thing since on occasion some PR is... odd. But literally all the companies were saying the exact same very peculiar thing. That's not a coincidence.

[1] - https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%...


It seems to me that if this is possible an OS software upgrade of some sort is urgently required, in addition to possible updates of WhatsApp. How come there isn’t coverage of this as Android and iOS vulnerabilities?

Gaining control of WhatsApp gains access to any API accessible to WhatsApp. Incompetent reporting may be at fault.

On Android, WhatsApp seeks a wide array of permission-controlled APIs. It does so on iOS as well. Once granted, the app has access to any data available through access-allowed APIs.

App code goes through an audit process to ensure that the app isn’t using accessible APIs inappropriately, and doesn’t permit unapproved code execution.

This vulnerability allows an attacker to execute unapproved code in the WhatsApp context. Any API that iOS or Android offer WhatsApp under normal circumstances is now attacker-controlled.

The two questions unanswered by the press to date are simple. On iOS and on Android, can the attacker’s code be terminated by force-quitting and uninstalling WhatsApp?

Either the attack is persistent only because it sets up shop inside the app, which may have OS-granted background and/or screen-off execution rights, and thus can be terminated simply by quitting and removing the app — or, the attack gains persistence beyond the confines of the app.

Media reports are unclear on this point. If the OS offers apps endpoints that an app executing attacker-controlled code can use to infect the OS with persistent attack code that executes outside the app’s boundaries and remains after app uninstallation, then that’s absolutely a flaw in the design of the OS. As you say, “Android and iOS vulnerabilities”.

Is this the case?


Very interested to know what this means in practice, particularly for iOS.

AFAIK, there's no permissions which allow you to read SMS messages, take screenshots (unless jailbroken), access photos in the background, access the camera in the background etc etc

Does this just spy on the users Whatsapp activity, or spy on the user in a broader way?

How could the API's whatsapp does have access to be abused?


> How could the APIs .. be abused?

The app is infected, calls a 0-day using an illegal parameter that’s normally rejected by app store filters, and gains a permanent beachhead in your Android system services list.

> access photos in the background

Unclear. Apps can show thumbnail galleries of your photos within their native UI, so it may well be possible for them to continue directly to reading photos.

> access the camera in the background

Unclear. Does FaceTime continue transmitting video when the phone screen is turned off? Is it possible to capture stills or video when the screen is off on a jailbroken phone?

> or spy on the user in a broader way

Android WhatsApp seeks permission to read your SMSes, so that would be almost certainly correct as well there.


Well I was thinking specifically about iOS :)

There's no possible way to read SMS messages programatically in iOS for example, the closest you get is reading one time passwords sent, and you can only do that when the user has the keyboard open when the SMS is received.

I know Android is slightly more lax in this (and some other) regards. I wonder if Android whatsapp users targeted by this exploit have had more data exposed than iOS users targeted by the same exploit?


All WhatsApp iOS users have an unpredictable set of permissions granted, whereas all WhatsApp Android users have all permissions granted.

If I were a nation state attacker, I would be thrilled to find that my target was Android.


> access photos in the background

Google photos on iOS is able to upload my photos in the background so its possible


There should be different permissions for foreground and background access to APIs.

Or there should simply not be background access to certain APIs, such as camera, video, and photo library.

Background audio access on iOS presents a bright red indicator on all non-app screens that can neither be hidden nor removed, as it’s baked into the OS. iOS may require a separate permission dialog for “capture video with sound” and “record sound with/out screen on”, I don’t know. I doubt Android bothers to do any of this.


Agreed. Or at least an admin app that lets the user see which APIs are being accessed by which app.

Do you happen to know if upgrading the app would remove persistence (inside the app)?

Without knowing how they infect the app? No, I cannot know.

CVE-2019-3568 suggests this was a buffer overflow. I'd like to understand why this was implemented in native code - Android seems to have an `android.net.rtp` package?

Is this simply for performance, or to enable code-sharing across Android and iOS? Is there anything about WhatsApp's use-case that would prevent an implementation using managed code?


Also, what exploitation mitigations are broken on Android/iOS such that a buffer overflow is reliably exploitable? Are their implementations of ASLR useless? Is it trivially bypassed? Is mandatory code-signing not enabled/enforced?

All very good questions, hopefully we can get some more information as time progresses (maybe a PoC, or at least a technical write-up on the specifics)

Is Android.net.rtp available on every support Android and Google Library version combination that WhatsApp natively supports?

AIUI, no. That package was added in Honeycomb (API level 12), whereas WhatsApp currently supports Gingerbread (API level 10).

However, two API levels of compat. seems like a good trade to me in order to avoid an RCE.


How many millions of users would be excluded if they chose that path, and are their controlling shareholders okay with that reduction of active users?

I suspect we'll never know for sure, but we can guess. ~73% of users apparently use Android to access WhatsApp [1]. As of the start of 2018, WhatsApp had 1.3 billion monthly users [2].

Less than 0.3% of Android users globally use an incompatible API level. If we assume this applies equally to the WhatsApp userbase (and old-Android users are represented with the same proportion in the active monthly users figure) and use 0.3%, we have 2.8 million potentially impacted users. At the current rate of about 1M new users per day, it'd take two or three days for this small slice of the userbase to be replaced.

It would've been losing 0.0219% of their userbase to avoid an RCE that impacted 100%. Now, how much revenue did those users bring in? And how much has this announcement damaged facebook's share price?

[1] https://venturebeat.com/2015/08/27/three-quarters-of-whatsap...

[2] https://techcrunch.com/2018/01/31/whatsapp-hits-1-5-billion-...


I agree with your point, given that data.

I wonder! Should we call it a vulnerability or a leaked backdoor?

Besides, I think if it was from any other developer, probably it would be removed from the AppStore and force delete from user devices.


All my life I've thought spyware was developed primarily by evil Russian and Chinese hackers. But apparently also by Israeli developers with their government's blessing and open endorsement. That's some very shady stuff.

Before someone says something about government surveillance of fiber cables. Yes, that is also bad, but exploiting vulnerabilities to install spyware on peoples phones... It crosses yet another line that shouldn't ever be crossed.


All my life I've thought spyware was developed primarily by evil Russian and Chinese hackers. But apparently also by Israeli developers with their government's blessing and open endorsement. That's some very shady stuff.

Gamma Group is an Anglo-German company that provides similar surveillance software with government blessing and endorsement. Hacking Team (Italian company) sells similar surveillance software to various European governments. Before an embarrassing data breach in 2015 they also used to sell surveillance software to various totalitarian regimes outside Europe.


> Before an embarrassing data breach in 2015 they also used to sell surveillance software to various totalitarian regimes outside Europe.

Why do you think they stopped selling to those regimes? (I didn't follow the issue after it disappeared from the news)


If i remember correctly, the Italian government at the time made some noise - they weren’t happy to find there was no exclusivity in the relationship, so to speak. They kinda threatened to cut their contracts. To be honest I don’t know how it ended, it fell off the news in Italy too and that was it. Behind the façade of barely-organised anarchy, Italy is an instinctively authoritarian country and blunt instruments are considered fair game more often than not.

There was Stuxnet, which was almost certainly a joint US/Israeli operation (likely other minor players involved), and plenty of other programs we never hear about.

>All my life I've thought spyware was developed primarily by evil Russian and Chinese hackers.

You've led a very sheltered life if you think the Russians and the Chinese have been more evil than the Americans or the Israelis. I suggest reading history - a lot of it. When it comes to governments there are no good guys, only bad guys.

dash2 8 days ago [flagged]

I’ve read a lot of history. Your last statement is kind of fair. Your first statement is not. (Does eg US imperialism make Roosevelt no better than Hitler? Of course not.)

The Russians and Chinese are doing many things worse than what the US does: Ukraine, the Uighurs.... Both are far less bound by the rule of law. Neither have any serious form of democracy.

False equivalence is a specious but dangerous form of reasoning.


The US has killed millions of people in the last 15 years alone in Iraq, Afghanistan, Libya, Syria, Yemen and a dozen other countries that we have bombed or invaded (including the 8 we are bombing right now). I'm under no illusions about the many despicable things done by the Russians and the Chinese, but its simply absurd to contend that their behavior has any worse than the United States. We have more of our citizens locked in cages than Russia and China combined. We have toppled more governments and invaded more countries than Russia and China combined by a factor of 10 (or more) since the end of World War II. Its astounding how willfully blind people can be when it comes to their own government. We can't become the good guys until people wake up and acknowledge that there haven't been any good guys.

The US has not killed millions of people in the last 15 years that is just a blatantly false statement. A quick search on Google or Wikipedia will refute your claim instantly.

Can you provide a decent source for your millions of casualties claim or for you claim about the US toppling more Governments than Russia/China? I bet you can’t.

Judging by your username I believe you know some things about history. Why spread false info?


Washington DC-based Physicians for Social Responsibility (PRS) released a landmark study concluding that the death toll from 10 years of the “War on Terror” since the 9/11 attacks is at least 1.3 million, and could be as high as 2 million.

https://www.psr.org/wp-content/uploads/2018/05/body-count.pd...

It's not that hard to believe surely? There have been plenty of other reports showing similar numbers.


> We have toppled more governments and invaded more countries than Russia and China combined by a factor of 10 (or more)

Russia/Soviet Union is roughly on par with the US on the invasion/occupation/regime change count -- of course they did it mostly in eastern Europe, the Caucasus and the MENA region rather than in Latin America.


Roosevelt personally? No. America as a whole? Yes, comparisons can absolutely be made between America's and Hitler's genocidal philosophies, as the former influenced the latter[1].

1. https://www.newyorker.com/magazine/2018/04/30/how-american-r...


> Before someone says something about government surveillance of fiber cables.

Anything that goes unencrypted over the internet is (a) public and (b) liable to be changed by anyone on transit. It's like a travelling wikipedia article.


I would be shocked if any moderately wealthy government hasn't crossed that line. This is child's play for cyber warfare.

I remember when "spyware" was just malicious advertising programs designed to sell your browser history + replace ads.

(Eg: https://en.wikipedia.org/wiki/CoolWebSearch)

The MySpace era was a simpler time...


And the US government's blessing. Along with the UK, this is how the US indirectly spies on its own citizens.

I love how you’ve been convinced that Russia and China are naughty and Israel is somehow too good to be shady.
macintux 8 days ago [flagged]

Well, the first half of that statement seems undeniably true.

Absolutely. But no more naughty than USA or Israel, as far as I can tell.

Hmm, I don’t want to get into a state wickedness bidding war, but the US/Israel are democracies where you are unlikely to be eg locked up without a fair trial. Contrast with the fate of the Uighurs.

In foreign policy it’s more balanced (supporting Syria vs Saudi Arabia) but even there, Russia is clearly trying to subvert foreign democracies. China is (perhaps reasonably) pushing for more power in Asia. And while the US support for human rights is patchy, China’s is non-existent.

Then there’s the Palestinians... (sigh)


Story time.

A close friend of mine was held in custody in the US based on false accusations by a police officer.

The police officer later admitted the false accusations to the judge, that he just wanted to "scare him a bit". The judge nodded, proceeded to aquit him of all offenses exept the speeding ticket which he deserved, and off he went.


Yeah that's local corruption and still far away from what the Uigurs have to go through which is state policy.

Which democracies is Russia trying to subvert in ways the US isn't? You could argue that Russia is supporting nationalist movements in most of Europe, but there are very similar efforts from the US.

For example, in my own country, Romania, US religious groups stoked local religious groups to initiate a referendum to change of our constitution to ban gay marriage (they actually made it through all the steps and the referendum was held, but so few people showed up to vote that it fell through). Would this count? It was done through false news and propaganda (and probably some minor corruption, but that's just par for the course), but otherwise through legal means - same as all modern Russian influence in Europe that I've heard of.

Let's not forget that the US has explicitly assassinated its own citizens for 'suspicion of terrorism' as well, though they're at least not assassinating their own citizens on their own territory, and not in the kind of huge numbers that Russia and China are.


And you think the US isn't trying to subvert foreign democracies?

> US/Israel are democracies where you are unlikely to be eg locked up without a fair trial.

MKULTRA, guantanamo, Stuxnet, PRISM and other 3 letters agency abuses [0][1], &c. and that's only the stuff we know about.

> Then there’s the Palestinians... (sigh)

See: https://www.dw.com/en/trumps-golan-recognition-a-dangerous-p...

[0] https://en.wikipedia.org/wiki/Global_surveillance_disclosure...

[1] https://www.aclu.org/blog/national-security/privacy-and-surv...


Statistically unlikely, yes.

Grand total, you are talking about a couple thousand people over half a century.

China does worse in a month in Xinjiang. The excesses of western nations stand out like a sore asshole so badly because they are such exceptions to the general rule of law they experience.


Propaganda at work it seems

To be fair it's not just about the software but about the country too. We know know China's policy on censoring the web. Russia is not the sort of place that tolerates activism against Putin. So when you combine this with hacking people's phones it does make it much worse.

>All my life I've thought spyware was developed primarily by evil Russian and Chinese hackers.

Yep, manufacturing of consent at play.

But this aside, I have a friend who worked in Israeli company whose main business was to sell phone exploits and customer data by using the still very insecure SS7. Basically they were registered as voip operator, but according to my friend that was only a cover, and the real business was selling surveillance data they were gathering via SS7.


Hey Zaro. The author of the FT article would love to have a chat with you and maybe get a quote for a follow-up article. His email is: mehul.srivastava@ft.com

work out what your enemy considers an uncrossable boundary - then cross it - gets them every time.

source - Art of War, probably...


Not at all, many EU countries produce such tools, some even commercially sold.

> All my life I've thought spyware was developed primarily by evil Russian and Chinese hackers.

They're build by any government/entity having sufficient resources to build them, there is no good or bad guys in that story.


crossing a new line is a way to signal your opponent that you're unafraid of any and all of their potential retaliation. it is a way to tell them that (you think) you dominate them.

> That's some very shady stuff.

By them, I’m not surprised. And I’m not being anti Semitic. I’m just calling fact.


They managed to destroy Iranian nuclear centrifuges using a very sophisticated attack. Read up on Stuxnet.

Also, as an Israeli, I can 100% confirm that Israelis have absolutely no issues with crossing any kind of boundary. The fact that others think that such a thing as "boundaries" exist only serves as an advantage.


I agree. Nobody should underestimate the Mossad: https://youtu.be/bJujIwtdk8w

From my favourite Usenix paper (https://www.usenix.org/system/files/1401_08-12_mickens.pdf):

Basically, you’re either dealing with Mossad or not-Mossad.

If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru.

If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them.

And:

Threat: The Mossad doing Mossad things with your email account

Solution: Magical amulets? Fake your own death, move into a submarine? YOU’RE STILL GONNA BE MOSSAD’ED UPON

(That's perhaps a little too light-hearted humor, considering the youtube link in the post I'm responding to...)


Fun fact: The mossad ran a job ad on facebook a while ago, which involved a sequence of riddles. First discover a server based on some random seeming sequence of characters on an image. Then you had to solve a number of programming puzzles. I stopped at the third one, because I don't actually want to work there.

Suddenly I’m less impressed in the Mossad. Really they recruit hackers on FB?

If I do a quick samples of people I know, there’s a super high correlation in being a hacker/developer and not using Facebook. Maybe they should try HN instead.


And now orbifold is on one of their lists...

Have fun in the submarine!


> ...they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them.

That's basically Israel's attitude on anything: doing anything they want without any kind of boundaries, then denying brazenly they did it, while doing it again and again. Like having snipers shooting at thousands of civilians, kids, journalists, paramedics, who are protesting inside their own borders.


> doing anything they want [...] then denying brazingly

That’s actually a time-honoured Russian/Soviet SOP, currently embodied by Mr. Sergey Lavrov.

The USSR had a lot of influence on early Israel, and it shows in many little things like this.


I'd say it has more to do with the very Jewish concept of chutzpah. According to Wikipedia, the term is used "to describe someone who has overstepped the boundaries of accepted behavior" and "Chutzpah amounts to a total denial of personal responsibility, which renders others speechless and incredulous".

The term used to have a very negative connotation, but interestingly, Google says "usually used approvingly". It seems to fit pretty well the descriptions of the "rudeness" and "boldness" in common Israeli culture.


> It seems to fit pretty well the descriptions of the "rudeness" and "boldness" in common Israeli culture.

Also seems to be a pretty accurate description of SV/startup culture too...


> Like having snipers shooting at thousands of civilians, kids, journalists, paramedics, who are protesting inside their own borders.

Ugh... this is so myopic and sounds like you're intentionally not telling the truth.

all those "kids", "journalists", and "paramedics" were shown to be carrying bombs or other explosives.


Hm. All six thousand of them? Kids? Paramedics? Journalists? Do you have any sources for that?

I'd think the onus should be on you to prove that there were 6000 kid, paramedic and journalist deaths.

I'm not arguing that terrorists/soldiers/murders were killed, you are the one claiming that a reflective vest puts someone above the law.

On top of the 1000s of staged or edited photos/videos coming out of pallywood on a daily basis it's nearly impossible to take anyone making such claims seriously. as they are almost always full of misinformation/lies.


> the onus should be on you to prove that there were 6000 kid, paramedic and journalist deaths

Sorry, maybe I wasn't clear. I didn't mean that all the people shot by snipers (not killed- just shot, usually in the legs and often causing permanent disabilities) were kids or paramedics or journalists. I was questioning your statement that "all ... were shown to be carrying bombs or other explosives". It's quite a categorical statement, and almost certainly wrong.


Ok... so again, show that there were 6000 kids, paramedics and journalists who were shot...

Also your unbridled hate for all things jewish kinda outs you as a biased party.


That is an amazing article.

Mikkens has a track record of writing stuff like that. It's worth hunting down and reading pretty much everything he's published.

classic Mickens. I just died laughing. thanks for making my day

I would have labeled the article a piece of defeatism disguised as satire, if not for this:

Security research is the continual process of discovering that your spaceship is a deathtrap. However, as John F. Kennedy once said, “SCREW IT WE’RE GOING TO THE MOON.” I cannot live my life in fear because someone named PhreakusMaximus at DefConHat 2014 showed that you can induce peanut allergies at a distance using an SMS message and a lock of your victim’s hair. If that’s how it is, I accept it and move on. Thinking about security is like thinking about where to ride your motorcycle: the safe places are no fun, and the fun places are not safe. I shall ride wherever my spirit takes me, and I shall find my Gigantic Martian Insect Party, and I will, uh, probably be rent asunder by huge cryptozoological mandibles, but I will die like Thomas Jefferson: free, defiant, and without a security label.

This I like.


> Also, as an Israeli, I can 100% confirm that Israelis have absolutely no issues with crossing any kind of boundary. The fact that others think that such a thing as "boundaries" exist only serves as an advantage.

Maybe as an Israeli you can see the hypocrisy in stating that there are no boundaries when, if it wasn't for a large part of the world deciding that in fact there ARE boundaries that should not be crossed, the Nuremberg trials would never have been held and Israel would not exist at all.

But you go ahead and ignore your own history.


From what I've seen, they're not at all unique. Maybe they're more honest about it, though. And given that they're surrounded by enemies, they must maintain that reputation.

"I'm crazier than you are." has always been the US position re strategic nuclear weaponry.


Interesting to hear about this lack of boundaries among Israelis, is this only for non-Israelis or do you/they cross each others boundaries? Is this a cultural thing, why do you think this the case?

> Is this a cultural thing

Israelis in general are very blunt and perfectly willing to question superiors and voice opinions and questions in situations where Americans never would. This includes the military where subordinates would question a superior in a way that would never fly in an American military (and probably others).

Israelis on the street will voice opinions to strangers in a way that would be perceived as incredibly rude elsewhere, but is normal in Israel.


> Israelis in general are very blunt and perfectly willing to question superiors and voice opinions and questions in situations where Americans never would. This includes the military where subordinates would question a superior in a way that would never fly in an American military (and probably others).

Well, they claim they are but you don't see anything at least from outside. From outside it seems they are easily buying whatever government is selling to them. Working on surveillance projects is rather embraced and you even receive strong social support for it.

So I don't get how do you compare it to the US! Whereas in the US you would have a hard time to convince people to work on surveillance projects and even then often people end up having a hard time with their moral values even when they are not directly doing anything wrong. Not to mention many anti-surveillance activists are based in the US. I believe that is a very unfair comparison.

The truth is every country you look people are a bag of goods and bads and they manage to find greedy people to work on surveillance projects even in the EU.


You have this strange assumption that people are supposed to find something wrong with surveillance projects.

> Working on surveillance projects is rather embraced and you even receive strong social support for it.

That's right, because there's nothing wrong with it.

> So I don't get how do you compare it to the US!

Because I'm not comparing surveillance projects, I'm comparing modes of speaking.

> Whereas in the US you would have a hard time to convince people to work on surveillance projects and even then often people end up having a hard time with their moral values even when they are not directly doing anything wrong.

Because it's quite obvious to the ordinary Israeli that surveillance projects save lives, so obviously they would want to work on it.

The US isn't under quite the same level of attack, although it's far from clear there is supposed to be something wrong with it in the US either.


> Israelis on the street will voice opinions to strangers in a way that would be perceived as incredibly rude elsewhere, but is normal in Israel.

What do you mean, for example?


If they think you didn't dress your child properly they'll tell you. Or they'll hear you talking about something and give you advice on what to do without any embarrassment on that fact that they overheard you.

You're fighting with your teen, in the US everyone would turn away and pretend not to hear, in Israel they'll just openly talk to you about their own teen and what they did, etc. and then half the bus would chime in. They're all really nice about it mind you, just trying to help.

Israelis think of everyone as part of their personal family, even strangers are really distant relatives, is I guess a good way to put it.


Israelis grow up with almost no notion of personal space. It’s just not a thing over there.

The Wired writeup on Stuxnet and the actors involved was an incredible read:

https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/


How do they differ from international terrorists then?

They're a government that the US recognizes, and that's widely recognized by other governments that the US recognizes. That makes them legitimate. Terrorists by definition do not include legitimate governments. Anyone that doesn't agree is a "terrorist sympathizer".

I don't necessarily agree, but that's just how it is.


But no "government" was involved. This is a private company with international investors.

Why isn't anyone mad at Apple who (falsely) advertises iOS as being "Secure By Design?"


> But no "government" was involved.

Huh? This is Israel.

And some of us are mad at Google and Apple for selling such insecure-by-design junk. By that I mean that apps are trusted more than (and can't fully be controlled by) device owners.


I don’t think the trust policy has much to do with this. At the end of the day, an app exploit is an app exploit, and if an app can make calls, an app exploit will be able to make calls too. As long as the exploit is not allowed to burrow in the OS proper, it likely wouldn’t be any different on Linux or a BlackPhone.

I guess. But as I understand it, it's much harder to lock down apps on phones than on Linux. Users can't directly control networking, for example. And have zero insight or control over the cell modem. Even doing a real firewalled VPN on smartphones is virtually impossible. And I don't believe that one can do VirtualBox or KVM or whatever virtual hosting on them.

> This is a private company with international investors.

Knowing nothing about the company in question, I'm still certain that most of its founders, investors and employees come from 8200. So, government doesn't need to be formally involved in any way, it's just the same social circles, everybody just knows everyone.


What do you even mean by "international terrorists"? Is it what your government calls "international terrorists"? If so, then by definition they differ from, say, Al-Qaeda by the fact, that they are considered an ally by the USA (well, that, and that they have more resources).

Otherwise, it is your choice, whether you need a distinction like that. I don't see how it might be useful.


How is a hero different than a murderer? It’s all in the eye of the beholder.

Not clear whether you consider this a good thing or a disgrace?

Exactly.

As another israeli - certainly a good thing. For a nation in our position, in a deeply hostile region, where a major military defeat is certain to be genocide, doing everything possible for national defence is the only way possible to survive. Stuxnet in particular is something that I'm extremely proud of.

You say this as your country is invading and occupying land that doesn’t belong to them and murdering innocents to drive them out. Yeah, nice way to be proud.

very hard to think of any country that has NOT done this. History shows that people and their countries do bad things.

True, but there is a difference between 'my ancestors have done this' and 'some of the taxes I'm paying are going into continuing the occupation; I've voted for the people who are ordering the air strikes'. There's fewer countries where that's true today.

Not a very hard-hitting analysis.

This is a childish excuse.

whataboutism

Well, that's your interpretation of the events, and one-sided and not a very truthful one at best.

It is the interpretation of all of the international community except for the US and Israel. The UN has repeatedly voted to recognize this, often being blocked by the US. There is no real controversy on this.

Edit: see https://en.wikipedia.org/wiki/United_Nations_Security_Counci...

The entire UN Security Council officially recognized this, with even the US not using their veto power (they abstained).


I'm well aware of UN position on Israel, I just don't understand how anyone who knows how this organization operates can pretend it represents "international community" or has any moral authority.

You characterize it as a superficial institutional opinion rather than the judgment of the vast majority of humanity.

So when you say that stating there are no boundaries is a good thing for Israel, would you have held that same view in the 1930's and 1940's when most of Europe was busy trying to resist another organisation that also did not believe in boundaries?

Why do you think their opinion should be expressed in their comment?

> I can 100% confirm that Israelis have absolutely no issues with crossing any kind of boundary.

Is this a subtle reference to the Israeli occupation of Palestine?


My comment has nothing to do with Palestine.

Well, it applies perfectly.

> The fact that others think that such a thing as "boundaries" exist only serves as an advantage.

Isn't this how villains in Marvel movies work?


"Russia has no boundaries."—V. Putin

[flagged]


Unsure if joking. Look up stuxnet

Read the Wikipedia entry on Stuxnet [1] for more details.

> Stuxnet targets SCADA systems and is believed to be responsible for causing substantial damage to Iran's nuclear program. Although neither country has openly admitted responsibility, the worm is believed to be a jointly built American/Israeli cyberweapon.

[1] https://en.wikipedia.org/wiki/Stuxnet


I’m sure it was completely Israeli government involvement with the technologically advanced US playing no lead role. ...

The US provides the VC funding.

Story checks out

You're talking about a government that has a long track record of assassinating and abducting people in other countries, including Western liberal democracies.

https://en.wikipedia.org/wiki/List_of_Israeli_assassinations...

https://en.wikipedia.org/wiki/Mordechai_Vanunu#Disclosure,_a...

Whatever lines there were, they have long been crossed.


Abducting people in western countries unfortunately seems to be the norm in the war on terror, not only by the Israelis [1].

[1] https://en.m.wikipedia.org/wiki/Abu_Omar_case


[flagged]


[flagged]


Please don't break the site guidelines by feeding trolls or taking threads further into flamewar. That only makes this place worse.

Instead, flag the comment. Other users did that, which killed the comment and alerted us so we could ban the account. In egregious cases, you can also let us know about it at hn@ycombinator.com.

https://news.ycombinator.com/newsguidelines.html


Please stop writing these kinds of comments that only further flame wars here. Thank you.

"update the app" is the sum of the advice?

how about telling us how to check if this exploit was used, how to remove the spyware, etc?


I'm not sure what can be done nowadays. In the past you would say, format disks and go back to a backup before the threatening event happened. But nowadays all our stuff is in the cloud and you can only go back to the state from 10 minutes ago, and all our disks are flash drives that you can't fully format as an end user. Maybe you can just accept that some virusses will always be there and act accordingly.

Some of us do snapshot backups.

Would be nice to have a tool that everyone on the planet could use to run against those backups and find a common source of the infections, along with an idea of when it was found in the wild.


How were they able to install spyware on iOS devices?

No one has confirmed whether they were able to install anything beyond the confines of the app on iOS. The press are not particularly qualified to evaluate that consideration and have been doing a poor job of blurring what’s unlikely/impossible on iOS with what’s likely/possible on Android.

The spyware is only inside the WhatsApp sandbox.

Most likely by exploiting an iOS vulnerability . (Which might be unrelated to the WhatsApp bug, other than using it as a vector.)

Or Android devices for that matter; app code is sandboxed and signed, and requires user interaction to download any non store code

The secure enclaves on Android smartphones have a poor track record. Even the top-of-the-line manufacturers have seen published hacks of their TEE environments, and those are usually just the tip of the iceberg. Android is incomparable to Apple's platform in this regard. (I'm not trying to argue the iPhone is unhackable, though.)

FWIW, I'm an Android user.


The Pixel 3 has a "Titan M" chip with much reduced attack surface compared to the TEE. Don't otherwise know much about it.

Still leaves 99,9999% of the Android market vulnerable.

I still agree that's an issue and I'm wondering if the Titan M chip is going to be a Google exclusive or if it's going to be licensed to other OEM's at some point.

right?

Since there's no version information available, I think it's safe to assume they haven't been doing it on iOS for several years.

It's not clear to me if you're right, but I would rephrase the issue this way:

If there's a vulnerability in Whatsapp, the injected code should only affect Whatsapp.

Otherwise, it's (also) a vulnerability in iOS.


That might be enough for what they are doing. At least it will allow them to spy on whatsapp messages and parts of the system that Whatsapp can access (contacts etc)

Ofcourse the whole point of Whatsapp is secure communications and I guess the exploit makes that pointless.

What about Wechat? There are lots of seemingly pretty girls trying to voice or video call these days. Either I'm suddenly rich in their eyes or there's something fishy going on.

That’s the more traditional scamming/phishing, which has been going on since the days of ICQ...

Name a chat app and I can provide a link or comment from someone saying the same thing about pretty scam girls. Facebook, Whatspp, Gmail, Kik, Snapchat, Instagram, and even BBSes, AOL, IRC etc...

Just to be clear – does this affect iPhone, or just Android?

Affects both

Thanks. Is there a way to detect the infection?

Wonder if this affects Signal, too.

My gut tells me no. Signal switched over to using the Signal Protocol for call signaling. It had used a few different signaling standards over the years (when it used to be called Redphone).

However, it's impossible to really know for sure as the server component for calls is a proprietary black box.


Agreed. It seems more plausible that the "injected code" would be limited to (1) the WhatsApp app, and (2) the infrastructure outside of the Signal Protocol implementation. If true, this still poses a problem to comms/calls secured end-to-end with the Signal Protocol impl - because once decrypted on the client, the rest of the WhatsApp may be compromised and able to exfil comms.

I will be surprised, if this vuln allows the attacker control outside of the WhatsApp app sandbox to other parts of iOS.

(I will be less surprised if the above is possible in Android)


> However, it's impossible to really know for sure as the server component for calls is a proprietary black box.

I thought that changed after migrating to WebRTC? Although I haven't tried to spin up my own Signal server, modify the APK and see what works and doesn't work.


I like it how Facebook doesn't mention anything in the WhatsApp changelog about this.

Apple won't let you change a changelog after the binary is built and put on the store. So if you want to get a fix out, but not alert people that you're on to them, you have to put out a changelog that just says something like "Bugfixes". Then you have to build another build and submit another changelog, but Apple probably won't let you issue builds that are duplicates...

Spooky. I just travelled to Israel and this evening, at around 3 AM, iOS notified me that WhatsApp had been accessing my location in the background, which I had never seen before except when sharing my location with a friend.

Updated WhatsApp on my iphone just now. The version I got was 2.19.50. According to the CVE it's still vulnerable. Unable to get 2.19.51 which is the first fixed version. Is this just me? Or is everyone else updating to a still-vulnerable version?

You need to go to the app store app, then the updates tab and pull down to refresh(yes, the updates tab, not WhatsApp listing in the store). When you do that, you'll see the newest version becomes available for update. This happens whenever an update is set to phased release and hasn't reached 100% yet.

Have you tried pulling down on the updates screen of the iOS app store? It refreshes the list of apps to be updated.

That did it. Thank you. And to think I thought I installed all of my pending updates yesterday.

Just updated via UK iOS app store and its 2.19.50

You're still vulnerable then.

"Affected versions: ... WhatsApp for iOS prior to v2.19.51" from https://www.facebook.com/security/advisories/cve-2019-3568

The news outlets are all telling us to update, but until WhatsApp/Apple get their act together, there's no point. Worse still, people won't realise they need to do it again and will remain vulnerable indefinitely.


Lol, App Store for 2.19.51 describes the update as:

> You can now see stickers in full screen when you long press a notification

If that’s how we encourage critical security updates, I’ll suspect that Facebook themselves are behind all of this.


I don’t think this is a conspiracy by Big Social. If they really want to do that, they can still do that.

I assume the stickers thing truly was the most notable patch, and they didn’t want to scare people & tip off the attackers.


If I were anti-update (and sometimes I am, eg: limited bandwidth), full-screen stickers is the most unnecessary update I could imagine.

At least say something like “bug fixes”. Some kind of carrot to discourage me from thinking “Total waste of time and too many developers”.


I'm on Android. It auto-updated on May 10th to v2.19.134

"The issue affects WhatsApp for Android prior to v2.19.134"


The problem is iOS AppStore. If you update via the "Updates" tab, you don't get the latest version. But if you search for WhatsApp as if installing it for the first time, then you get the new version.

Yep sure, I was just reporting from the Android side since your comment caused me to go check.

We need open source software to decentralize large companies’ closed server farms and WhatsApp.

Can the WhatsApp-injected spyware escape the iOS App Sandbox?

I was wondering the same. I would hope no, but even so, WhatsApp has plenty of permissions that make it a valuable target.

Yeah, don't install any Facebook app... use the web if you need to use their service... same advice has always been true.

Isn’t this also a screw up by Apple?

Isn’t Sandboxing supposed to prevent this from getting any worse than hacking the app itself?


Userspace isolation doesn't matter when the malware only cares about what's in userspace.

Isn’t every article about this saying it persists, without saying how or whether it’s a sandbox escape? If it just spins up bad code in WhatsApp space, that’s sufficient to spy on you.

I'm sure I saw one say it infected the OS. I would like to know some more proper details too.

Can anyone advise on minimum version numbers containing the patch (on IOS and Android)?



WhatsApp belongs to Facebook

Some of the largest data breaches in the last few years related to facebook

and yet

They continue do whatever they want

GDPR made no difference at all... Only hurt the small-medium business

FB, Google, Aamazon just keep doing whatever they want, protected by army of lawyers


The article is behind a paywall. Here is a BBC link: https://www.bbc.co.uk/news/technology-48262681

is this how saudi activists were tracked or uae tapped the phones of govt officials from various countries?

Here's an article without paywall: https://www.bbc.com/news/technology-48262681

This was behind a paywall, here is a similar article:

https://www.bbc.com/news/technology-48262681


Why is that even possible? It's horrifying that simple voice calls via an app allow that kind of attack.

Cellular broadband modems are running a tiny OS that can be hacked by sending SMS messages with a carefully crafted NUL byte. Battlestar Galactica’s “no networking, no wireless” computer restriction exists for a very good reason.

A

Paywall, really?

Why was the word "Israeli" removed from the title?

I took it out because the thread was veering into generic flamewar about Israel. Actually we often remove country names from titles because they trigger people into making more nationalistic comments, which are equal parts indignant and boring.

That's a bit of a pathetic policy if you ask me. In my opinion a country who permits this type of behaviour shouldn't be shielded from the ensuing negative press. If anything it might encourage otherwise unaware citizens to put pressure on the government to do something about it.

I hear you. I agree with your second sentence. But I'm trying to protect HN, not Israel or anyone else. This place is fragile, and when people bring the fires of the world here, it can only take so much.

I wouldn't call that kind of title edit (taking out a country name) a policy. We have an ad hoc bag of tricks and sometimes we use one and sometimes another, depending on what feels needed. Do I know how unsatisfying that sounds? You bet. Do I get how it opens us to accusations of bias? I do, better than anyone else does. But the threads are too complicated to be managed with precise formalizations.


Ack. I can see it's a tricky balance to maintain.

Q.E.D.

Dan, you know what would be cool for HN comments? The ability for each node of a thread to be annotated with topic names. For example, if the node close to the root node here were to be labelled "Israeli politics", I, a user interested in the technical aspects of the topic, can immediately avoid it. This feature will be a killer feature for all topics that have divergent sub-threads! (I haven't thought further than just the annotation by end user feature - so, whether it ought to be at user level or a global one ... I don't know). :-D

Oh, I see, that makes a lot of sense actually. Thank you for your service!

It's not much of a service but I appreciate the kind words.

OT, but scroll down with “showdead” and it should become apparent exactly why. It is HN trying to promote substantive discussion on the topic without devolving into flame war.

WhatsApp voice calls used to inject Israeli spyware on phones

Messaging app discovers vulnerability that has been open for weeks

NSO's Pegasus software can allegedly penetrate any iPhone via one simple missed call on WhatsApp

Mehul Srivastava in Tel Aviv MAY 13, 2019 Print this page

A vulnerability in the messaging app WhatsApp has allowed attackersto inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said.

WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function.

The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack.

WhatsApp is too early into its own investigations of the vulnerability to estimate how many phones were targeted using this method, a person familiar with the issue said.

As late as Sunday, as WhatsApp engineers raced to close the loophole, a UK-based human rights lawyer’s phone was targeted using the same method.

Researchers at the University of Toronto’s Citizen Lab said they believed that the spyware attack on Sunday was linked to technology developed by NSO, which was recently valued at $1bn in a leveraged buyout that involved the UK private equity fund Novalpina Capital.

NSO’s flagship product is Pegasus, a program that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data.

NSO advertises its products to Middle Eastern and Western intelligence agencies, and says Pegasus is intended for governments to fight terrorism and crime.

In the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones.

WhatsApp said that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability. It began rolling out a fix to its servers on Friday last week, WhatsApp said, and issued a patch for customers on Monday. The US Department of Justice has also begun looking into the situation.

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said. “We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”

NSO said it had carefully vetted customers and investigated any abuse. Asked about the WhatsApp attacks, NSO said it was investigating the issue.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said. “NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual [the UK lawyer].”

NSO declined to comment on whether it had hacked WhatsApp’s messaging service, and marketed the technology to clients, or on the US DoJ inquiry.

The UK lawyer, who declined to be identified, has helped a group of Mexican journalists and government critics and a Saudi dissident living in Canada, sue NSO in Israel, alleging that the company shares liability for any abuse of its software by clients.

John Scott-Railton, a seniorresearcher at the University of Toronto’s Citizen lab, said the attack had failed.

“We had a strong suspicion that the person’s phone was being targeted, so we observed the suspected attack, and confirmed that it did not result in infection,” said Mr Scott-Railton. “We believe that the measures that WhatsApp put in place in the last several days prevented the attacks from being successful.”

Other lawyers working on the cases have been approached by people pretending to be potential clients or donors, who then try and obtain information about the ongoing lawsuits, the Associated Press reported in February.

“It's upsetting but not surprising that my team has been targeted with the very technology that we are raising concerns about in our lawsuits,” said Alaa Mahajne, a Jerusalem-based lawyer who is handling lawsuits from the Mexican and Saudi citizens. “This desperate reaction to hamper our work and silence us, itself shows how urgent the lawsuits are, as we can see that the abuses are continuing.”

On Tuesday, NSO will also face a legal challenge to its ability to export its software, which is regulated by the Israeli ministry of defence.

Amnesty International, which identified an attempt to hack into the phone of one its researchers, is backing a group of Israeli citizens and civil rights group in a filing in Tel Aviv asking the ministry of defence to cancel NSO’s export licence.

“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” said Danna Ingleton, deputy director of Amnesty Tech.

“The Israeli ministry of defence has ignored mounting evidence linking NSO Group to attacks on human rights defenders. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.”

Copyright The Financial Times Limited 2019. All rights reserved.


Nice of you to include the copyright line in your violation of same.

Is this the full FT article?

Looks like it, from the archive.is link above.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: