In brief: WhatsApp is seeking an injunction against the Israeli firm behind the infamous Pegasus spyware for facilitating a sophisticated cyberattack. The company says there were 1,400 hacking attempts directed at its users, which were made possible using fake WhatsApp servers. The security hole is now patched, but there are others that could still expose users of the encrypted chat app to the same kind of risks.
Back in May, news broke of a major software vulnerability in WhatsApp that would allow hackers to load spyware tools onto a smartphone with a simple call. The exploit also worked without the user answering the call.
The Facebook-owned company recently filed a suit against controversial Israeli firm NSO Group, alleging they facilitated hacking attempts on over 1,400 mobile devices. Intelligence agencies and governments routinely license its infamous Pegasus software tools to track terrorists, but there’s a lot of potential for abuse by totalitarian regimes and other malicious actors that want to silence journalists and human rights activists.
WhatsApp believes the responsibility for misuse lies solely on the shoulders of NSO Group, but the latter thinks it’s doing its best to prevent that from happening. The chat app has collaborated with researchers at the University of Toronto’s Citizen Lab, and says it has proof that NSO set up fake WhatsApp servers to make the targeted phones easier to breach.
It’s estimated at least 100 of them are owned by prominent religious figures, journalists, TV personalities, political dissidents, and lawyers that focus on human rights. WhatsApp informed everyone who was targeted using special messages, and has since patched the security hole.
NSO said in a statement that “in the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. … It has helped to save thousands of lives over recent years.”
Will Cathcart, head of WhatsApp, wrote an op-ed in the Washington Post where he called for an immediate ban on the sale of Pegasus, and argued the privacy risks aren’t worth having these tools available on the open market. He also fired back at those who, like the US Department of Justice, are pushing for technology companies to develop backdoors into their products.
That said, there are similar vulnerabilities in WhatsApp the company has been taking its time to fix. One example is a bug that allows hackers to take over conversations, which hasn’t been fixed after over a year. Not to mention that NSO’s spyware tools are able to steal data from your Microsoft, Apple, Google, and Facebook accounts.