WhatsApp security flaw used to install Israeli spyware
Posted: Wed Dec 04, 2024 7:17 am
A major security flaw affecting WhatsApp's "phone call" feature was fixed on Monday, May 13, the Facebook-owned company announced. It could have allowed spyware to be installed on a user's phone without their knowledge if the user did not pick up when they received the "infected" call. WhatsApp users - 1.5 billion people worldwide, according to the company - are being encouraged to update their app if it has not been done automatically.
Difficult to detect, the security flaw in question could only be found by high-level teams. According to the Financial Times, it was exploited to install Pegasus spyware from the Israeli company NSO Group, which supplies its software to security forces in many countries around the world, including regimes with little or no democracy. According to the anti-surveillance NGO Citizen Lab, a lawyer campaigning for human rights was targeted by Pegasus on Sunday, May 12. In particular, the program can collect its target's geolocation, read their messages and emails, and activate their phone's microphone and camera without their knowledge.
"NSO Group sells its products to governments known for their repeated violations of human rights, and provides them with the tools to spy on their opponents and critics," wrote the NGO Amnesty International in a press release published on May 13. In August 2018, an Amnesty International employee was targeted by Pegasus, as were activists and journalists in Saudi Arabia, Mexico and the United Arab Emirates.
Complaint against the Israeli Ministry of Defense
The NGO announced that it would file a complaint against the Israeli Ministry of Defense, the authority responsible for supervising NSO Group, "which ignored the mountains of evidence linking NSO Group to attacks on human rights defenders. […] As long as products like Pegasus are sold without effective oversight, the rights and safety of Amnesty International employees, journalists and dissidents around the world are at risk." Several Israeli associations have filed similar complaints.
Without naming NSO Group, WhatsApp confirmed that the flaw was exploited by "a private company known to work with governments to install spyware on mobile phones." "We have briefed a number of human rights organizations on this issue," WhatsApp said. The company's actions have also been criticized by whistleblower Edward Snowden, who exposed the NSA's secret surveillance program, in a conference call in late 2018. He called NSO Group "the worst of the worst actors in selling these [data] theft tools."
The company is also the subject of another lawsuit filed in late 2018 in Israel by a close friend of journalist Jamal Khashoggi, who was murdered shortly before in the United Arab Emirates embassy in Istanbul. According to the lawsuit, Mr. Khashoggi’s phone had been put under surveillance in mid-2018, using NSO Group’s Pegasus software. At the time, the company said its software “was sold only for lawful use by governments and law enforcement agencies in the fight against crime and terrorism.”
High-level faults
The discovery of this flaw does not call into question the reliability of WhatsApp, considered very good by most computer security specialists, especially since the Pegasus software has, in the past, used many other channels to install itself on its victims' phones. In recent years, computer security researchers have detected several ways of doing this. These vulnerabilities have since been corrected by Apple and Google, which has not prevented NSO Group from continuing to market its software.