Amnesty sues maker of Pegasus, the spyware let in by WhatsApp zero day
Last week, Facebook’s WhatsApp whispered out a warning to update the mobile messaging app after learning that it had a vulnerability that really deserved to be shouted from the rooftops: a zero-day vulnerability that allowed hackers to silently install government spyware onto victims’ phones had been exploited in the wild.
The zero day meant that with just one call, spies could access your phone and plant spyware – specifically, the notorious Pegasus software.
Pegasus has been unleashed against Mexican political activists; targeted at the human rights-focused NGO Amnesty International in a spearphishing attack; and used against Ahmed Mansoor, a prominent human rights activist and political dissident in the United Arab Emirates who was sentenced to 10 years in jail and a fine of 1,000,000 Emirati Dirham (USD $272K) after being charged with “insulting the UAE and its symbols”.
WhatsApp quickly patched the vulnerability.
Just as quickly, Amnesty International filed a lawsuit that seeks to stop the “web of surveillance” it says is enabled by NSO Group, the Israeli firm that makes Pegasus.
Last Monday, Amnesty announced that it’s taking the Israeli Ministry of Defense (MoD) to court to force it to revoke NSO Group’s export license.
Thirty members and supporters of Amnesty International Israel and others from the human rights community are alleging that NSO Group’s spyware has been used to surveil Amnesty staff and other human rights defenders, thereby putting human rights at risk.
Referencing the June 2018 spearphishing attack on an Amnesty staff member, Danna Ingleton, Deputy Director of Amnesty Tech, said in an affidavit that the attack was “the final straw.”
“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw.
“The Israeli MoD has ignored mounting evidence linking NSO Group to attacks on human rights defenders, which is why we are supporting this case. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.”
How Pegasus flies
As Ingleton described in the affidavit, a Pegasus infection can happen in several ways. Most commonly, a target clicks on an exploit link, often sent as a text message. That triggers the download onto a mobile device.
Alternatively, NSO Group has reportedly figured out how to infect a device without user interaction. As Motherboard has reported, all it takes is a phone call to a targeted device to grant the attacker full access to its contents, without the need for the victim to click on a rigged link.
Once installed, Pegasus turns into what Citizen Lab has called a “silent, digital spy.” It can get at everything – including contacts, photos, call history and previous text messages – regardless of encryption or other protections. It also lets its operator remotely control a device’s camera and microphone, enabling remote eavesdropping on conversations, as well as passive or active tracking of a target’s location data.
When Amnesty’s technology team analyzed the rigged link that had been sent via a WhatsApp message in the June 2018 spearphishing attack, they found that it was connected to a domain known to distribute and deploy NSO Group’s Pegasus spyware. Had the staff member clicked on the link – which they did not – they would have been taken to a site that would have attempted to install the spyware on their device.