U.S. Court Delivers Verdict Against NSO Group in WhatsApp Spyware Case

December 23, 2024

WhatsApp has emerged victorious in a lawsuit against NSO Group, an Israeli surveillance firm, in a U.S. court. The case revolved around NSO Group's misuse of a vulnerability to deliver Pegasus spyware. WhatsApp's Will Cathcart hailed the ruling as a crucial triumph for privacy, underlining the importance of holding spyware firms accountable following a five-year legal struggle.

According to court documents, the lawsuit was initiated on October 29, 2019. The plaintiffs accused the defendants of exploiting WhatsApp to target around 1,400 mobile phones and devices with surveillance software. The court documents read, “defendants’ relevant software products, collectively referred to as “Pegasus,” allow defendants’ clients to use a modified version of the WhatsApp application – referred to as the “WhatsApp Installation Server,” or “WIS.” The WIS enables defendants’ clients to send “cipher” files with “installation vectors” that ultimately allow the clients to surveil target users.”

The plaintiffs alleged that the defendants' actions were in violation of the CFAA, the CDAFA, and constituted a breach of contract. The U.S. court ruled that NSO Group consistently failed to produce crucial evidence, including the Pegasus source code, and imposed sanctions, with the possibility of more severe penalties in the future. WhatsApp claimed that NSO only provided the AWS server code, not the complete codebase. Judge Hamilton criticized NSO’s failure to comply, expressing concerns about transparency.

The court found NSO Group guilty of violating WhatsApp’s terms of service by using the platform for malicious activities. WhatsApp celebrated the decision as a victory for privacy. The surveillance firm exploited a zero-day vulnerability, identified as CVE-2019-3568, in the voice calling feature of the popular instant messaging app. NSO Group continued using WhatsApp exploits, including a spyware called “Erised,” even after being sued for breaching anti-hacking laws.

The experts identified three exploits, named “Heaven,” “Eden,” and “Erised”, which were used in over 1,400 attacks attributed to NSO Group. The court filing continued, “All of these facts are undisputed, drawn principally from the corporate representative testimony of NSO’s own witnesses, which is binding on Defendants.” In May 2019, Facebook patched a critical zero-day vulnerability in WhatsApp, tracked as CVE-2019-3568, which had been exploited to remotely install spyware on phones by calling the targeted device.

The spyware developed by NSO Group was employed by government organizations globally to spy on human rights groups, activists, journalists, lawyers, and dissidents. Some of the tools in its arsenal, such as the popular Pegasus spyware (for iOS) and Chrysaor (for Android), have been detected and analyzed by security experts. In March 2024, Meta won the litigation against the Israeli spyware vendor, and a U.S. Judge ordered the surveillance firm to hand over the source code for its Pegasus spyware and other products to the social media giant.

NSO Group has been asked to provide details about the complete functionality of the relevant spyware, covering the period one year before the alleged attack through one year after the alleged attack (i.e., from April 29, 2018, to May 10, 2020). Court documents filed in November revealed that NSO Group had limited control over its spyware's use by customers, contradicting the Israeli firm's previous claims. The filing suggests that the spyware vendor operated its Pegasus system, with customers only needing to provide a target number. NSO disputes these allegations, asserting its clients solely operate the system. “[NSO Group] stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system.” said Gil Lanier, vice president of global communications for the Israeli firm.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.