Earlier today, WhatsApp made a startling admission. They said that someone has been using spyware to keep tabs on certain Indians. Specifically, they were watching out for journalists and human rights activists on the platform. And they may not be the only victims.
Images courtesy: Reuters
Facebook-owned WhatsApp filed a lawsuit in the US on Friday against NSO Group, an Israeli company that manufacturers spyware called Pegasus. They claimed Pegasus was used to spy on about 1,400 users across four continents. And it's important to note that they've been involved with these sorts of incidents in the past, where their software has supposedly been used against civilians.
After the lawsuit, WhatsApp confirmed to The Indian Express that some of these victims were Indian, though they refused to say how many or to reveal their identities. However they did mention they'd contacted the victims and informed them of what had transpired. "It is not an insignificant number," a WhatsApp spokesperson was quoted saying.
According to the report, the spying victims included at least two dozen scholars, lawyers, Dalit-rights activists and journalists. WhatsApp informed them that their phone numbers had been under intense scrutiny for a two-week period until May 2019.
NSO Group meanwhile has vehemently denied the allegations "In the strongest possible terms, we dispute today's allegations and will vigorously fight them. Our technology is not designed or licensed for use against human rights activists and journalists," they said in response to the lawsuit. "We license our product only to vetted and legitimate government agencies."?
Now there are two important things to note in that statement.
1. Though NSO Group claims Pegasus "is not designed" to spy on people illegally, that's clearly within the realm of its capabilities. In the years people have come forward to accuse them of as much, they haven't cut out those features, so that's clearly what they're selling.
2. Selling your product to only legitimate government agencies is a vague statement. North Korea's dictatorship could conceivably be called a legitimate government because there is no one to say otherwise.
This isn't even the first time NSO Group's code has been involved in a surveillance campaign. Whispers of it have emanated from spying attempts in the UAE, Mexico, Israel, Turkey, Thailand, Qatar, Kenya, Uzbekistan, Mozambique, Morocco, Yemen, Hungary, Saudi Arabia, Nigeria, Bahrain, and possibly more.
In fact, NSO Group only recently severed ties with the Saudi Arabia government, after reports emerged that Pegasus had been involved in the murder of Saudi journalist and dissident Jamal Khashoggi. Supposedly, the government used Pegasus to track his movements to the consulate where he was murdered.
So clearly, though NSO Group only offers its products to governments and not "criminals", the kinds of governments they sell too apparently isn't really a sticking point with them.
Well the thing with Pegasus is that it uses methods similar to phishing. With phishing, hackers are just trying to make a convincing message you'll click on, like a fake mail from the income tax department or something similar. It's throwing a net out and seeing what catches. With spear phishing however, which is what was used here, you make a message personal to a user by incorporating details and information a random hacker wouldn't know.?
For instance, if you're a journalist critical of the government, and someone claiming to be a good friend of yours says they're running for their life and messaging you from a temporary phone, you'd probably act on it right?
It gets worse though. At least a few years ago, Pegasus required a victim to click a link in order to download onto a user's device and take control. However WhatsApp implies it's gotten more advanced, and now only needs an attacker to make a missed voice call through the app. There's not even a way for you to prevent that.
No, no it does not. For a criminal to benefit from a focused attack like spear phishing, the target has to have a lot of money at stake. They don't go after journalists and activists. That's usually the work of someone in power that doesn't want to be criticised, especially at an inconvenient time.
Well what is an inconvenient time you ask? Well how about the fact that WhatsApp stated the time period of the spying was about two weeks upto and until about May of this year. You know, round about the time people were going out to vote in the general elections from late April to early May. Is that significant? Perhaps, and perhaps not. It's throwing darts in the dark at this point. But it's certainly an interesting coincidence
Well, think about it, how much can they do? If WhatsApp's years-long claims of end-to-end encryption are indeed wholly truthful, they're already doing what they can to keep your chats private. It's still unclear if the bug allowing hackers to infect another device with Pegasus via missed call is because of WhatsApp's code flaw, Google's, or both.
But let's leave that aside, because there's another bigger problem. You see cybersecurity is only as good as the weakest link. Sometimes that's the person trying to protect themselves. Other times its a third-party system inserting itself with far too little protection.
Like the UIDAI system.
Consider this. You're constantly calling out people in high places of power in the media, so you take precautions to protect yourself from trolls. You lock your Twitter DMs, filter your social media, and don't put your personal phone numbers or addresses online. Great. Except you're forgetting that all of this is already online (including your biometric data) and with security that's reportedly been breached at least a few times, in the form of your Aadhaar registration.
When the government mandated a digital file on every citizen, that would link to both phone numbers and bank accounts and store their details online, they forced citizens to give up some major privacy. And that in turn can very easily be abused to pinpoint exactly how to target a specific person with a malware like Pegasus.
And when your phone is compromised in this way, WhatsApp's encryption doesn't do jack. It basically becomes an expensive loudspeaker pointed right at your attackers, and putting you in danger.
And the worst part is, it's not necessarily even illegal for the government to do this to you. At least 10 Indian agencies are legally allowed to do this to you. Hell, the Mumbai police have a device manufactured by an Israeli company that they specifically use to crack into locked phones on hand.
So good luck feeling secure in your home country ever again.