On May 12, a London-based human rights lawyer received peculiar video calls on his WhatsApp account while visiting Sweden.
Concerned by receiving the calls at such odd times in the morning, he reached out to cyber specialists at U of T’s Citizen Lab to investigate.
The Citizen Lab is a multidisciplinary research institute located at the Munk School for Global Affairs and Public Policy. The lab explores issues related to cybersecurity, surveillance, and digital censorship.
The lawyer, who remains anonymous due to fears of retaliation for speaking out, suspects potential foul play given his involvement with a civil lawsuit against NSO Group, an Israeli technology firm.
Foreign governments, including Saudi Arabia, Mexico, and the United Arab Emirates, have allegedly used NSO Group’s products to spy on journalists and political dissidents, including a critic of Saudi Arabia living in Canada.
According to reports from the Financial Times, the spyware targeting the lawyer’s phone had digital characteristics typical of NSO Group products.
Citizen Lab Senior Researchers John Scott-Railton and Bill Marczak led the investigative team that discovered WhatsApp’s vulnerability.
In an interview with The Varsity, Scott-Railton said he “observed a case where it looked like there was an attempt to target that lawyer’s phone with this novel attack, which would have happened over WhatsApp through a missed call.”
By exploiting the app’s vulnerability, NSO Group’s Pegasus spyware could enter a target’s iPhone or Android device through WhatsApp’s call function. The malicious code could then extract private information such as text messages and call histories, whether or not the target answered the call. The spyware can also collect new data by turning on the device’s camera or microphone.
WhatsApp has just pushed out updates to close a vulnerability. We believe an attacker tried (and was blocked by WhatsApp) to exploit it as recently as yesterday to target a human rights lawyer. Now is a great time to update your WhatsApp software https://t.co/pJvjFMy2aw https://t.co/e8VQUraZWQ
— Citizen Lab (@citizenlab) May 13, 2019
WhatsApp engineers worked to patch the vulnerability as quickly as possible once they became aware of it. Once the patch was finished, the company urged its 1.5 billion users to update their apps.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” WhatsApp said in a public statement.
The social network also informed United States Department of Justice officials and issued a Common Vulnerabilities and Exposures notice to inform cybersecurity experts.
Scott-Railton praised WhatsApp for acting swiftly after discovering the vulnerability. “The way that WhatsApp has responded to this has been, I think, quite positive,” he said, noting how WhatsApp contacted a number of human rights organizations, which are common targets of the Pegasus spyware, before publicly announcing the security vulnerability.
According to Scott-Railton, this was an “unprecedented” move by a social media company and signals that it “felt there was something very wrong that had been done… and they didn’t like what they saw.”
It is unclear how many people were targeted or impacted by the vulnerability. However, based on WhatsApp’s comments, Scott-Railton said it seems like “there was a problem… [which was] much larger” than the attack on the human rights lawyer alone.
NSO Group promises reform
NSO Group maintains that it partners with governments to assist with law enforcement efforts and prevent criminal activity such as terrorism.
In response to reports that its software was targeting the human rights lawyer, NSO Group said that it “would not, or could not, use its technology in its own right to target any person or organization, including this individual.”
Earlier this year, NSO Group was partially acquired by the UK-based private equity fund Novalpina Capital. When Novalpina took over, it promised to reform the company in light of recent reports of suspected abuse.
When the acquisition occurred, Novalpina was hoping to “establish a new benchmark for transparency and respect for human rights in full compliance with the [United Nations] Guiding Principles,” said Stephen Peel, co-founder of the fund.
Scott-Railton believes that “if indeed this was NSO, it suggests that this public story about human rights abuse may not [match up] with other things that we’ve observed.”
A bigger picture
Citizen Lab has been involved in multiple investigations tracking companies that sell spyware. Earlier this year, Citizen Lab itself had been targeted by undercover agents — masked as “socially conscious investors” — for its research on NSO Group.
Scott-Railton believes this case points to a larger trend of companies selling spyware to target individuals. “I think in the long run, we won’t really understand the digital risks and challenges that we all face until we see cases where harm happens to individuals,” he said.
“It’s very disconcerting to someone who has WhatsApp on their phones when they hear that there’s some company out there that’s selling a technology to basically use that as a way onto their phones, without any interaction,” Scott-Railton said.
“It’s almost unpreventable.”