Don't opt out: click here to learn more about our work.

Flaw in WhatsApp exploited to target human rights lawyer, finds Citizen Lab

Lawyer has been embroiled in lawsuit against NSO Group, controversial Israeli technology firm

Flaw in WhatsApp exploited to target human rights lawyer, finds Citizen Lab

On May 12, a London-based human rights lawyer received peculiar video calls on his WhatsApp account while visiting Sweden.

Concerned by receiving the calls at such odd times in the morning, he reached out to cyber specialists at U of T’s Citizen Lab to investigate.

The Citizen Lab is a multidisciplinary research institute located at the Munk School for Global Affairs and Public Policy. The lab explores issues related to cybersecurity, surveillance, and digital censorship.

The lawyer, who remains anonymous due to fears of retaliation for speaking out, suspects potential foul play given his involvement with a civil lawsuit against NSO Group, an Israeli technology firm.

Foreign governments, including Saudi Arabia, Mexico, and the United Arab Emirates, have allegedly used NSO Group’s products to spy on journalists and political dissidents, including a critic of Saudi Arabia living in Canada.

According to reports from the Financial Times, the spyware targeting the lawyer’s phone had digital characteristics typical of NSO Group products.

Citizen Lab Senior Researchers John Scott-Railton and Bill Marczak led the investigative team that discovered WhatsApp’s vulnerability.

In an interview with The Varsity, Scott-Railton said he “observed a case where it looked like there was an attempt to target that lawyer’s phone with this novel attack, which would have happened over WhatsApp through a missed call.”

By exploiting the app’s vulnerability, NSO Group’s Pegasus spyware could enter a target’s iPhone or Android device through WhatsApp’s call function. The malicious code could then extract private information such as text messages and call histories, regardless of whether a target answers the call or not. The spyware can also collect new data by turning on the device’s camera or microphone.


WhatsApp’s response

WhatsApp engineers worked to patch the vulnerability as quickly as possible once they became aware of the susceptibility in the software. When finished, their company urged its 1.5 billion users to update their apps.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” WhatsApp said in a public statement.  

The social network also informed the United States Department of Justice officials and issued a Common Vulnerabilities and Exposures notice to inform cybersecurity experts.

Scott-Railton praised WhatsApp for acting swiftly after discovering the vulnerability. “The way that WhatsApp has responded to this has been, I think, quite positive,” he said, noting how WhatsApp contacted a number of human rights organizations, which are common targets of the Pegasus spyware, before publicly announcing the security vulnerability.

According to Scott-Railton, this was an “unprecedented” move by a social media company and signals that it “felt there was something very wrong that had been done… and they didn’t like what they saw.”

It is unclear how many people were targeted or impacted by the vulnerability. However, based on WhatsApp’s comments, Scott-Railton said it seems like “there was a problem… [which was] much larger” than the attack on the human rights lawyer alone.

NSO Group promises reform

NSO Group maintains that it partners with governments to assist with law enforcement efforts and prevent criminal activity such as terrorism.

In response to reports that its software was targeting the human rights lawyer, NSO Group said that it “would not, or could not, use its technology in its own right to target any person or organization, including this individual.”

Earlier this year, NSO Group was partially acquired by the UK-based private equity fund Novalpina Capital. When Novalpina took over, it promised to reform the company in light of recent reports of suspected abuse.  

When the acquisition occurred, Novalpina was hoping to “establish a new benchmark for transparency and respect for human rights in full compliance with the [United Nations] Guiding Principal,” said Stephen Peel, co-founder of the fund.

Scott-Railton believes that “if indeed this was NSO, it suggests that this public story about human rights abuse may not [match up] with other things that we’ve observed.”

A bigger picture

Citizen Lab has been involved in multiple investigations tracking companies that sell spyware. Earlier this year, Citizen Lab itself had been targeted by undercover agents — masked as “socially conscious investors” — for its research on NSO Group.

Scott-Railton believes this case points to a larger trend of companies selling spyware to target individuals. “I think in the long run, we won’t really understand the digital risks and challenges that we all face until we see cases where harm happens to individuals,” he said.

“It’s very disconcerting to someone who has WhatsApp on their phones when they hear that there’s some company out there that’s selling a technology to basically use that as a way onto their phones, without any interaction,” Scott-Railton said.

“It’s almost unpreventable.”

Two large phishing attacks hit U of T in June

Attacks described as “sophisticated” and “malicious”

Two large phishing attacks hit U of T in June

A large University of Toronto department became the victim of a sophisticated phishing attack on June 4 in which the scammer supposedly impersonated the department chair and asked students to buy and scan pre-scratched iTunes gift cards.

The attack was sophisticated enough that the targets were not able to detect it, as it didn’t have the mistakes or inconsistencies of a typical phishing email.

Just over two weeks later, another large phishing attack was carried out on university employees, this one described by U of T’s Information Technology Services website as “malicious.

In broken English, the attacker said that he had gained access to the victims’ webcams and had recorded videos of them watching pornographic material. He threatened to release the footage if the victims refused to pay him in Bitcoin.

U of T declined to provide further information on the attack, although Mike Wiseman, Acting Director of Information Security, told The Varsity that the attackers “were trying to obtain money by fraudulent means.” The university would not divulge how many people were involved, whether anyone had lost money or gave out sensitive information, or what direct action the school was taking in response.

“With phishing, the attacker will have motives to get something out of the phishing attack,” said Wiseman.[They] may be looking for login credentials, they may be looking for a way to collect money, and in this case they were trying to do the latter.

U of T has set up a website in order for students to be more informed about data safety and phishing attacks. Security Matters keeps a list of reported attacks on record, allows students to report on incidents, and has a calendar of events around the importance of data safety.  

Wiseman advises students to be cautious when clicking on links or giving up personal information online.

“Try to take some action in your mind before doing things like clicking these links or attachments, in order to validate what you are about to do,” he said. “I would say if you can’t validate, if you feel uncomfortable, if you feel concerned about what you’re looking at, then don’t do anything, don’t click the link, don’t take the action that the message is trying to get you to do.”