Facebook and WhatsApp file suit against NSO Group.
WhatsApp is suing NSO Group and its parent company Q Cyber Technologies, accusing NSO of hacking WhatsApp to target 1,400 mobile phones with NSO's Pegasus spyware, CNBC says. The complaint alleges that NSO Group wasn't able to break WhatsApp's encryption, but that it gained access to targets' devices in order to read the messages after they were decrypted. The buffer overflow vulnerability exploited was described by Check Point and others earlier this year, and NSO was already suspected as the culprit behind the attacks, but the lawsuit is the first time Facebook and WhatsApp have publicly accused the company. Facebook also deleted the accounts of NSO employees from its platforms the day after filing the suit, Ars Technica reports.
In a Washington Post op-ed, WhatsApp head Will Cathcart said the attacks targeted "at least 100 human-rights defenders, journalists and other members of civil society around the world." According to the Financial Times, a "considerable number" of those targeted were from Rwanda.
WIRED notes that the plaintiffs may find the case more difficult to argue in court than it might initially appear, because NSO Group doesn't seem to have hacked WhatsApp's servers directly. Rather, the spyware company allegedly reverse-engineered the app to create a malicious version that imitated legitimate WhatsApp traffic. This tool was able to transmit data through WhatsApp's servers as if it were a normal version of the app, enabling delivery of the malicious payload to the target's device.
This appears to violate WhatsApp's terms of service, under which reverse-engineering and sending malware are prohibited, but WIRED points out that a terms of service violation on its own probably wouldn't constitute a violation of the Computer Fraud and Abuse Act (CFAA). The plaintiffs may try to argue that NSO's misuse of WhatsApp's servers to transmit unauthorized data constituted unauthorized access, but this too could be a difficult case to make. A WhatsApp spokesperson wouldn't provide WIRED with many details of the company's legal strategy, beyond acknowledging that "[t]his is not a typical CFAA case."