Lessons from WhatsApp hack: we are all victims of global spyware industry

Net Results: Developer of Pegasus spyware says its clients are governments and state agencies

Users of Facebook’s communications app WhatsApp were advised this week to update their software, following the discovery that a previously unknown weakness could allow their devices to be hacked.

Because of its use of encryption for calls and messaging, WhatsApp is widely promoted as a secure and privacy-protecting method of communication. It is also one of the most popular communication apps for human rights defenders and pro-democracy advocates and their supporters.

The vulnerability exists in a brief moment when one user rings another user’s phone via WhatsApp, before an encrypted connection is fully established. In that moment, spyware called Pegasus can be uploaded without a trace. Once Pegasus is inside, the device can spy on calls and chats, and the device’s microphone and camera can be remotely controlled.

Of course, all users should immediately update their software – it is idiotic to leave any device so exposed. But the evidence right now indicates Pegasus is being used quite specifically, against a UK human rights lawyer.

NSO, the developer of Pegasus, says its clients are governments and state surveillance agencies. That’s the twist in this particular hacking tale. Usually, when we hear about a potentially large-scale hack on consumer software (WhatsApp has 1.5 billion users), the exploiters are criminals aiming to gather user data.

Not this time.

This vulnerability is effectively acting as a great big moral billboard beseeching us to pay attention to one of the ugliest, least regulated sides of the technology industry: the spyware sector. And to broader governmental complicity.

Spyware is big business. You might have thought that spy agencies develop their own secret software weapons, but increasingly (as with so much else in government), this activity has been privatised. And, because the sector is ultra-secretive, commercial and global, operating across various legal jurisdictions, it is difficult to scrutinise and remains poorly regulated.

The Electronic Frontier Foundation has said governments realise that the attribution of hacks is far more difficult if the software used for the hack isn't homegrown but comes from third parties (exactly the issue with the WhatsApp hack). Such tools are being increasingly commoditised, with the attendant risk that they will become more widely used, for wider purposes, on more of us.

A major investigation published last October by Israeli newspaper Haaretz revealed that many of these companies are Israeli, a byproduct of the country’s well-developed military tech expertise.

It added that dictators around the world – even in countries with no formal ties to Israel – are using spyware to eavesdrop on human rights activists, monitor emails, hack into apps and record conversations. The Times of Israel listed "NSO's Trojan-horse software Pegasus" as one "well-known" tool.

Surveillance hacks

But governments are equally implicated in this expanding surveillance nightmare. A report released last week by security company Symantec notes that cyber weapons developed by the US National Security Agency (NSA) to be used for its own surveillance hacks, were leaked as early as 2016 to a Chinese hacker group, and used in its own attacks.

The group exploited the NSA’s knowledge of a vulnerability in Microsoft Windows more than a year before hacking group the Shadow Brokers made a number of the NSA’s most prized tools available online. The Shadow Brokers release enabled the launch of the devastating WannaCry and NotPetya worms, which disabled computers worldwide in 2018.

The NSA has come under fierce criticism for hoarding such vulnerabilities without informing the companies involved, thus preventing them from releasing patches early enough to prevent a catastrophe like WannaCry. And for developing hacking tools that exploit such weaknesses but were so poorly secured either internally, or by external partners, that they could be leaked – twice.

Hard to say which is worse: a barely-regulated global spyware industry that counts the most abhorrent states and agencies as valued clients? Or the governments that buy that industry’s tools, or gather sensitive data and develop cyber weapons they fail to adequately protect?

Either way, all of us are the victims.