Hacking WhatsApp – has a line been crossed?

(Image credit: Endermasali / Shutterstock)

No doubt, you’ll have seen the news about WhatsApp users being targeted by a sophisticated hack a couple of weeks ago. What you may not be aware of is that it’s a result of the commercialisation of cyber weapons that private companies are developing and selling to governments – and possibly others.

You may not be overly concerned about the story – after all, the attack was targeted at specific individuals, not an entire population - and unless you’re a human rights lawyer, or a journalist, or an activist, you’re very unlikely to have been affected. And you’ve probably gone and updated WhatsApp, so you’re good, right?

There’s a bigger story behind this. WhatsApp was compromised through a buffer overflow vulnerability. Without going into tedious detail, suffice it to say that in the cyber industry we call this a ‘technical exploit’: an attacker feeds software input that its code was never written to handle, in this case more data than a fixed-size buffer could hold, and uses the resulting memory corruption for their own purposes. Here the flaw sat in WhatsApp’s voice-calling code and could be triggered simply by placing a call to the target, whether or not the call was answered. The exploit then allowed the attacker to place spyware on the affected phone, giving them access to all the information on the device.
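To make the bug class concrete, here is an added illustration (it is not WhatsApp’s code, nor anything from NSO, and the two-byte length-prefixed packet format is made up for the example). The first routine trusts a length field supplied by the remote peer and copies that many bytes into a fixed stack buffer, which is the shape of a classic buffer overflow; the second checks the declared length against both the bytes actually received and the capacity of the destination before copying.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example only:
 *   bytes 0-1 : payload length, big-endian
 *   bytes 2.. : payload
 */
#define PAYLOAD_MAX 64

/* Vulnerable pattern: the length the peer declares is trusted and used to copy
 * into a fixed-size buffer. A declared length above PAYLOAD_MAX writes past
 * 'buf', which is the bug class the article describes. Shown for contrast;
 * never call it with an oversized packet (that is undefined behaviour). */
size_t handle_packet_unsafe(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t buf[PAYLOAD_MAX];
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1]; /* attacker-controlled */
    (void)pkt_len;                                    /* never consulted */
    memcpy(buf, pkt + 2, declared);                   /* no bounds check */
    return declared;
}

/* Hardened version: every length is checked against both the bytes actually
 * received and the capacity of the destination before any copy happens.
 * Returns the number of payload bytes copied, or -1 if the packet is rejected. */
int handle_packet_safe(const uint8_t *pkt, size_t pkt_len,
                       uint8_t *out, size_t out_cap)
{
    size_t declared;
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return -1;                       /* header truncated */
    declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - 2)
        return -1;                       /* claims more bytes than arrived */
    if (declared > out_cap)
        return -1;                       /* would overflow the destination */
    memcpy(out, pkt + 2, declared);
    return (int)declared;
}

/* Builds a packet with a chosen header value, so both honest and lying
 * inputs can be constructed. Returns the total packet length, 0 on failure. */
size_t build_packet(uint8_t *dst, size_t dst_cap, uint16_t declared_len,
                    const uint8_t *payload, size_t payload_len)
{
    if (dst_cap < 2 + payload_len)
        return 0;
    dst[0] = (uint8_t)(declared_len >> 8);
    dst[1] = (uint8_t)(declared_len & 0xff);
    memcpy(dst + 2, payload, payload_len);
    return 2 + payload_len;
}

int main(void)
{
    uint8_t pkt[128], out[PAYLOAD_MAX], big[100];
    const uint8_t hello[] = "hello";
    size_t n;

    /* Honest packet: header matches the payload that follows it. */
    n = build_packet(pkt, sizeof pkt, 5, hello, 5);
    printf("honest packet -> %d\n", handle_packet_safe(pkt, n, out, sizeof out));

    /* Lying header: claims 4096 bytes, only 5 were sent. */
    n = build_packet(pkt, sizeof pkt, 4096, hello, 5);
    printf("lying header  -> %d\n", handle_packet_safe(pkt, n, out, sizeof out));

    /* Self-consistent but oversized: 100 real bytes into a 64-byte buffer. */
    memset(big, 'A', sizeof big);
    n = build_packet(pkt, sizeof pkt, 100, big, sizeof big);
    printf("too big       -> %d\n", handle_packet_safe(pkt, n, out, sizeof out));
    return 0;
}
```

The point a practitioner should take from the contrast is that the hardened routine never lets a value chosen by the remote party decide how much memory is written: the received length and the buffer size are both treated as hard limits, and a packet that fails either check is dropped rather than partially processed.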

What’s unusual about this is that it’s not the work of a sophisticated intelligence agency like the NSA, CIA or MI5. The people behind this attack are alleged to be working for a company called the NSO Group – and the implications of this are concerning.

The NSO Group is a rather shadowy outfit. Founded in 2010 and for several years owned by the US investment firm Francisco Partners, it was bought out in early 2019 by its founders together with the UK-based private equity firm Novalpina Capital, but to all intents and purposes it is an Israeli company, and it has been implicated in a number of cyber security incidents since its founding. The NSO Group state that they develop tools for governments, intelligence and law enforcement agencies to combat crime and terrorism. But their history is a lot murkier than that.

The NSO Group’s founders are alleged to have come out of Unit 8200, the signals-intelligence arm of the Israeli Intelligence Corps. Unit 8200 is essentially a military unit staffed largely by conscripts in their late teens and early twenties who are hand-picked and trained as hackers, and its alumni network is widely credited with seeding Israel’s cyber security start-up scene. Unit 8200 has an impressive track record in the cyber world, from being connected to the ‘Stuxnet’ computer worm which badly damaged the Iranian nuclear programme in 2010 to being linked with ‘Duqu 2.0’, a piece of malware discovered in 2015 and described at the time as among the most sophisticated ever found. Many former members of 8200 have gone on to senior positions in Silicon Valley after leaving the Israeli military. So it’s easy to draw the conclusion that the unit is not simply a source of talent and guidance for new companies, but is effectively helping to commercialise cyber weapons.

So why should anyone be concerned about the NSO Group and its activities? If it’s just selling these tools to friendly governments to help prevent crime and terrorist attacks, then what’s the problem?

Concerning implications

Well, for starters the Stuxnet attack was designed to physically destroy centrifuges at the uranium enrichment facility at Natanz, Iran, and whilst there was no danger of causing a nuclear explosion, it did real physical damage to a nuclear facility, which is serious enough by any measure. And whilst that attack might have been a joint US/Israeli effort, there’s no reason to believe that the knowledge gained in it couldn’t in future be used to develop a cyber weapon aimed at nuclear infrastructure that can be sold to any government.

But if we leave the nuclear world behind, we’re still looking at the potential commercialisation of cyber weapons that previously had been the domain of the world’s top intelligence agencies. And whilst those agencies have to abide by the rule of law in whatever country they are based in, and usually have to comply with strict oversight, everything becomes a distinct shade of grey when it comes to private enterprises.

Various Israeli government, intelligence and military agencies will no doubt be closely aligned to the NSO Group – and that lends a level of plausible deniability to some of their cyber operations. Once an exploit or piece of malware has been identified there are not only people who will rush to neutralise the threat, but also those who attempt to replicate the attack. Should that happen, it’s easy for the Israeli government to deny involvement. The company implicated might subsequently disappear, but it’ll re-emerge with a new name and logo and the same old faces to carry on as before.

There’s also the concern that cyber weapons are not monitored or controlled in the same way as physical arms are. If you wanted to ship weapons to another country – or even just parts of machines that could be used to make weapons – you’re subjected to a great deal of international scrutiny. Export controls on ‘intrusion software’ do exist on paper, notably under the Wassenaar Arrangement, and exporters such as NSO operate under national licensing regimes, but enforcement is patchy, the rules were written for hardware rather than knowledge, and an exploit crosses a border far more easily than a crate of rifles. In practice, then, there are few effective restrictions on who these tools end up with.

So the WhatsApp exploit and associated spyware was developed and sold to – well, who knows who it was sold to? It could have been to the Israeli or US governments to assist them with tracking terrorists. It could have been sold to European law enforcement who are attempting to crack organised crime gangs. It could have been sold to intelligence agencies so they can spy on officials in other nations. It could have been sold to an oppressive regime who want to identify, monitor and subsequently deal with ‘undesirables’ like human rights activists. It could have been sold to an unscrupulous law firm who want to spy on the opposition and undermine legal cases. The only thing we do know is that it was developed and used in the wild. We need to ask the question - are we happy for these cyber weapons to be bought and sold? 

The NSO Group state that their tools are only sold to “authorised government agencies” after a “rigorous licencing and vetting process”. They also say that they “would not and could not use its technology in its own right to target any person or organisation”. But whilst ‘would not’ might be true, the ‘could not’ part is laughable – are they seriously saying that they’ve developed a tool that they themselves are unable to operate? How do they test it, or train their customers on how to use it if they cannot access it themselves?

The NSO Group identified a flaw within WhatsApp that could be exploited and used to install spyware – and make no mistake, the flaw wasn’t discovered by chance: the techies at NSO were actively looking for ways to exploit WhatsApp. Once they found it they could have told the company about it and helped to protect all 1.5 billion users of the app. Instead they chose to keep their discovery secret and make a profit from it by selling the tools and the knowledge to whoever was willing to pay, potentially putting lives at risk. The flaw was only fixed once WhatsApp detected it being exploited in the wild.

The NSO Group also slopes its shoulders when it comes to the use of their products. They say that “under no circumstances would NSO be involved in the operating or identifying of targets of its technology”, which is basically saying that once they’ve sold the tool they’re not bothered about who is targeted by it (which is the ‘guns don’t kill people, people kill people’ argument). They also say that “We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system” – which essentially means that, once sold, they’re relying on their customers to tell them if they’re abusing the technology or not. Of course, that’s going to happen, isn’t it?

You might not have been affected by this particular attack on WhatsApp users but the implications are very concerning. The next time the NSO Group – or someone similar – decides to profit from a vulnerability it discovers and sells the tools and knowledge needed to exploit that weakness, with none of the checks and balances the rest of the arms business has to go through, you might be.

Vince Warrington, CEO, Protective Intelligence