On May 13, 2019, The Financial Times broke the story that a security flaw in WhatsApp, the messaging application used by 1.5 billion people, was used to exploit the digital communications of iPhone and Android phone users. Security researchers reported that spyware had been found similar to the characteristics of technology developed by the Israeli cyber surveillance company, NSO Group. One of the targets was a London-based human rights lawyer.

1. The Lawyer

The lawyer, who spoke anonymously with the media, has been involved in lawsuits alleging NSO Group of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and Mexican journalists. In an article titled WhatsApp spyware attack was attempt to hack human rights data, says lawyer published in The Guardian edition of May 14, 2019, Nick Hopkins and Dan Sabbagh reported that the lawyer was suspicious he might be targeted and contacted cyber specialists with Citizen Lab at the University of Toronto, Munk School of Global Affairs. “A couple of months ago, I started to get WhatsApp video calls early in the morning at weird hours,” the lawyer said. […] “I was suspicious of them and contacted Citizen Lab. Over the weekend Citizen Lab was able to establish that there has been an attempt to target my phone using Pegasus.”

Citizen Lab passed the information on to WhatsApp which was already investigating the vulnerability and taking steps to warn human rights groups about the attack. The lawyer, maintaining a pragmatic attitude, is “concerned” but not “surprised” by the attack and warns that it’s “highly likely” there are other targets who have been hacked by the latest exploit. It is unknown how many WhatsApp users were affected. (See: Thomas Brewster. Target of WhatsApp Hack Says He Fears More Victims Are Out There. Forbes. May 14, 2019)

2. NSO Group

NSO Group, majority-owned by the London private equity firm Novalpina Capital, has been described as a cyber-arms dealer. It develops spyware that is sold to government and law enforcement agencies that allows them to take almost complete control of a targeted device. Although the spyware in this instance was allegedly created by NSO Group, it is uncertain who the attacker was. NSO Group was identified in the breaking story by The Financial Times and a WhatsApp spokesman commented: “We’re certainly not refuting any of the coverage you’ve seen.” NSO’s software, Pegasus, has the capability of extracting data from devices such as text messages, GPS location, email and browser history. It can also create new data using a phone’s microphone and camera.

NSO spyware has been deployed to hack lawyers, journalists and dissidents. Mr Addulaziz, the Saudi dissident based in Montreal, has filed a law suit in Israel claiming that NSO software was used to target his phone around the time he was in contact with journalist Jamal Khashoggi. Khashoggi, a columnist for The Washington Post, is believed to have been killed and dismembered at the Saudi consulate in Istanbul on October 2, 2018, although the Saudi government continues to deny involvement. (See: David D. Kirkpatrick. Israeli Software Helped Saudis Spy on Khashoggi, Lawsuit says. The New York Times. December 2, 2018)

3. Zero-Click Attack

The malware was able to penetrate targeted devices by simply placing a WhatsApp voice call. In an article titled 9 things you need to know about the WhatsApp zero-click spyware attack posted to Fast Company on May 14, 2019, Michael Grothaus described it this way:

“What’s notable about the WhatsApp attack is that it was a ‘zero-click’ or ‘no-click’ attack. That means the spyware was able to be installed on a smartphone by the attacker simply placing a WhatsApp voice call to the phone. It does not matter if the call was answered or not – a target did not have to open any message, answer the call, or click on any link. After the call was placed and the spyware installed on the device, the log of the call would be deleted so the phone’s owner may have never seen that a call attempt was made in the first place.”

A senior researcher at Citizen Lab, John Scott-Railton, described the hack as a scary vulnerability. “There’s nothing a user could have done here, short of not having the app,” he said. (See: Frank Bajak and Raphael Satter. WhatsApp Discovered Malware That Infects Phones With a Missed Call. TIME. May 14, 2019)

4. The Fix

Facebook discovered the flaw earlier in May, alerted U.S. law enforcement and, by May 10, 2019, patched the exploit. Although the vulnerability was fixed by closing the hole in WhatApp’s infrastructure, the company released an update on May 13, 2019, urging all users to upgrade to the latest version. The affected versions include WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp for Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

Voice Over Internet Protocol (VOIP), commonly called phone service over the internet, has been around for years. WhatsApp, for example, was founded in 2009. You may think any vulnerabilities would have surfaced by now. But VOIP applications have to acknowledge incoming calls whether the recipient answers or not – irrespective of end-to-end encryption. If you are a lawyer, or work in other sensitive areas where confidentiality is critical, or just a vigilant user who values privacy, and you use WhatsApp, you should immediately check for and download updates for your device. Otherwise, uninstalling WhatsApp is the only protection.

5. Conclusion

The NSO Group has denied involvement in identifying targets or in the operation of its technology. The company told the The Financial Times that its products are sold to governments and only operated by intelligence and law enforcement agencies. It could not use its technology in its own right to target any individual. However, its spyware has been found on the iPhones of journalists and dissidents, and the company has been on a public relations campaign to bolster its value to law enforcement citing instances where its products were used to capture drug kingpins and stop terrorist attacks. The phone of the elusive Joaquin Guzman, known as El Chapo, was hacked using NSO software.

“NSO and Novalpina have spent several months telling the world that there are adults in the room and telegraphing that they have made a commitment to close oversight,” said Mr Scott-Railton of Citizen Lab. “Yet even 24 hours ago, we observed what some believe to be an NSO infection attempt against a human rights lawyer. As this case makes it very clear – if indeed this was NSO – there is still a very serious abuse problem.” (See: Nicole Perlroth and Ronen Bergman. WhatsApp Rushes to Fix Security Flaw Exposed in Hacking of Lawyer’s Phone. The New York Times. May 13, 2019)