Facebook this week filed a lawsuit against a reputed spyware provider that allegedly exploited a WhatsApp vulnerability to enable smartphone hacking, and also pursued legal action against the domain hosts of multiple websites that allegedly offer tools for hacking the social network.
On Tuesday, Facebook and its encrypted messaging subsidiary WhatsApp filed a complaint against NSO Group, an Israeli tech and cyber intelligence firm that has garnered a reputation for selling exploits and surveillance to governments, law enforcement agencies and private entities. NSO’s parent company Q Cyber Technologies was also named in the complaint (provided here, courtesy of The Register), which was presented to the U.S. District Court of Northern California.
Facebook is accusing the two businesses of using WhatsApp accounts and servers in unauthorized fashion to distribute malware to roughly 1,400 targeted mobile devices in April and May of 2019. Owners of these devices included human-rights advocates, journalists, political dissidents, diplomats and senior foreign government officials, including those with phone numbers based in the Kingdom of Bahrain, the United Arab Emirates and Mexico, the Menlo Park, California-based social media company asserts.
“Defendants’ malware was designed to infect the Target Devices for the purpose of conducting surveillance of specific WhatsApp users,” the complaint alleges. “Unable to break WhatsApp’s end-to-end encryption, Defendants developed their malware in order to access messages and other communications after they were decrypted on Target Devices.”
In so doing, the defendants breached WhatsApp’s terms of service/contract, and violated the federal Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act with their actions, the plaintiffs claim. Facebook and WhatsApp are demanding a jury trial and seeking injunctive relief as well as compensatory, statutory and punitive damages.
The complaint alleges that NSO Group and Q Cyber Technologies exploited WhatsApp’s video calling system to send malware to targeted devices. Simply ringing the phones was enough to successfully inject malicious code into the memory of the devices, even if their owners never actually answered any of the calls.
The vulnerability that enabled this exploit was CVE-2019-3568, a buffer overflow flaw in the WhatsApp VOIP stack that allowed remote code execution by way of a specially crafted series of RTCP packets sent to a phone number. The critical bug was initially disclosed and patched in May, and affects earlier versions of WhatsApp for Android, Business for Android, iOS, Business for iOS, Windows Phone and Tizen.
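As an added illustration of this bug class (not WhatsApp's code, and not a reconstruction of CVE-2019-3568, whose internals the article does not describe), the sketch below shows the kind of check an RTCP receiver needs: every sender-controlled length field is compared against the bytes actually received before anything is read or copied. The function name and the sample packets are constructed for this example; the header layout follows RFC 3550.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTCP_VERSION 2
#define RTCP_PT_SR   200
#define RTCP_PT_RR   201

/* Walk a compound RTCP datagram and return the number of packets in it,
 * or -1 if any header field disagrees with the bytes actually received. */
int rtcp_count_packets(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        /* The fixed header is 4 bytes; never read it past the buffer. */
        if (len - off < 4)
            return -1;
        const uint8_t *p = buf + off;
        if ((p[0] >> 6) != RTCP_VERSION)
            return -1;
        /* RFC 3550: a compound packet must start with SR or RR. */
        if (count == 0 && p[1] != RTCP_PT_SR && p[1] != RTCP_PT_RR)
            return -1;
        /* Length is in 32-bit words minus one and is sender-controlled. */
        size_t pkt_len = ((size_t)((p[2] << 8) | p[3]) + 1) * 4;
        /* Core check: the declared size must fit in what was received. */
        if (pkt_len > len - off)
            return -1;
        off += pkt_len;
        count++;
    }
    return count > 0 ? count : -1;
}

/* Constructed sample data, not captured traffic. */
static const uint8_t ok_pkt[] = {
    0x80, 201, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44,   /* RR, 8 bytes    */
    0x81, 202, 0x00, 0x02, 0x11, 0x22, 0x33, 0x44,   /* SDES, 12 bytes */
    0x01, 0x01, 'a', 0x00
};
static const uint8_t bad_len[] = {
    0x80, 201, 0x00, 0x10, 0x11, 0x22, 0x33, 0x44    /* claims 68, has 8 */
};

int main(void)
{
    printf("well-formed: %d\n", rtcp_count_packets(ok_pkt, sizeof ok_pkt));
    printf("oversized length: %d\n", rtcp_count_packets(bad_len, sizeof bad_len));
    return 0;
}
```

A parser that trusts the length field instead of the received size is what turns a malformed packet into an out-of-bounds read or write; rejecting the datagram at this stage keeps later copy routines from ever seeing an inconsistent size.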
“This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users,” WhatsApp stated in an FAQ page about the video-calling attack.
The official complaint describes the alleged exploit in more detail: “…Defendants reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code — undetected — to Target Devices over WhatsApp servers,” the complaint reads. “Defendants’ program was sophisticated, and built to exploit specific components of WhatsApp network protocols and code.”
“In order to compromise the Target Devices, Defendants routed and caused to be routed malicious code through Plaintiffs’ servers — including Signaling Servers and Relay Servers concealed within part of the normal network protocol,” the complaint continues. “WhatsApp’s Signaling Servers facilitated the initiation of calls between different devices using the WhatsApp Service. WhatsApp’s Relay Servers facilitated certain data transmissions over the WhatsApp Service. Defendants were not authorized to use Plaintiffs’ servers in this manner.”
Ultimately, victims were infected with a final payload consisting of NSO Group’s remote access trojan “Pegasus,” or another RAT program developed by the defendants, the plaintiffs allege.
In a statement appearing in the UK’s The Register, the NSO Group denied any culpability. “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists,” the statement reads.
“The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity. Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles. NSO’s technologies provide proportionate, lawful solutions to this issue. We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse.”
But in an opinion piece published in the Washington Post on Tuesday, Will Cathcart, head of WhatsApp at Facebook, said that his company is confident of NSO’s involvement because the attackers “used servers and Internet-hosting services that were previously associated with NSO” and because certain WhatsApp accounts that were used during the attacks were also tied to NSO. “While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful,” Cathcart wrote.
In a separate case, Facebook on Monday reportedly sued web hosts OnlineNIC and ID Shield in the U.S. District Court of Northern California.
The two defendants host various websites, including HackingFacebook.net, m-facebook-login.com and iiinstagram.com. These sites allegedly provide tools that visitors can use to hack and phish Facebook and Instagram accounts, according to CNET, in an article detailing the lawsuit.
Facebook’s strategy in this case is to file a copyright lawsuit against the defendants, accusing them of trademark infringement and cybersquatting for using website names that contain variations of the terms Facebook and Instagram (which is owned by Facebook).
Facebook said in the legal documents that the two defendants have ignored multiple takedown requests. The company is reportedly seeking $100,000 in damages for each offending domain name, which adds up to a minimum of $2 million.