Lessons from WhatsApp hack: we are all victims of global spyware industry

Net Results: Developer of Pegasus spyware says its clients are governments and state agencies

Pegasus spyware can be uploaded via WhatsApp hack and can spy on calls and chats, and remotely control the device’s microphone and camera. Photograph: Reuters/Dado Ruvic/File


Users of Facebook’s communications app WhatsApp were advised this week to update their software, following the discovery that a previously unknown weakness could allow their devices to be hacked.

Because of its use of encryption for calls and messaging, WhatsApp is widely promoted as a secure and privacy-protecting method of communication. It is also one of the most popular communication apps for human rights defenders and pro-democracy advocates and their supporters.

The vulnerability exists in a brief moment when one user rings another user’s phone via WhatsApp, before an encrypted connection is fully established. In that moment, spyware called Pegasus can be uploaded without a trace. Once Pegasus is inside, the device can spy on calls and chats, and the device’s microphone and camera can be remotely controlled.

Of course, all users should immediately update their software – it is idiotic to leave any device so exposed. But the evidence right now indicates Pegasus is being used quite specifically, against a UK human rights lawyer.

NSO, the developer of Pegasus, says its clients are governments and state surveillance agencies. That’s the twist in this particular hacking tale. Usually, when we hear about a potentially large-scale hack on consumer software (WhatsApp has 1.5 billion users), the exploiters are criminals aiming to gather user data.

Not this time.

This vulnerability is effectively acting as a great big moral billboard beseeching us to pay attention to one of the ugliest, least regulated sides of the technology industry: the spyware sector. And to broader governmental complicity.

Spyware is big business. You might have thought that spy agencies develop their own secret software weapons, but increasingly (as with so much else in government), this activity has been privatised. And, because the sector is ultra-secretive, commercial and global, operating across various legal jurisdictions, it is difficult to scrutinise and remains poorly regulated.

The Electronic Frontier Foundation has said governments realise that the attribution of hacks is far more difficult if the software used for the hack isn’t homegrown but comes from third parties (exactly the issue with the WhatsApp hack). Such tools are being increasingly commoditised, with the attendant risk that they will become more widely used, for wider purposes, on more of us.

A major investigation published last October by Israeli newspaper Haaretz revealed that many of these companies are Israeli, a byproduct of the country’s well-developed military tech expertise.

It added that dictators around the world – even in countries with no formal ties to Israel – are using spyware to eavesdrop on human rights activists, monitor emails, hack into apps and record conversations. The Times of Israel listed “NSO’s Trojan-horse software Pegasus” as one “well-known” tool.

Surveillance hacks

But governments are equally implicated in this expanding surveillance nightmare. A report released last week by security company Symantec notes that cyber weapons developed by the US National Security Agency (NSA) for its own surveillance hacks were leaked as early as 2016 to a Chinese hacker group, which used them in its own attacks.

The group exploited the NSA’s knowledge of a vulnerability in Microsoft Windows more than a year before hacking group the Shadow Brokers made a number of the NSA’s most prized tools available online. The Shadow Brokers release enabled the launch of the devastating WannaCry and NotPetya worms, which disabled computers worldwide in 2018.

The NSA has come under fierce criticism for hoarding such vulnerabilities without informing the companies involved, thus preventing them from releasing patches early enough to prevent a catastrophe like WannaCry. And for developing hacking tools that exploit such weaknesses but were so poorly secured either internally, or by external partners, that they could be leaked – twice.

Hard to say which is worse: a barely-regulated global spyware industry that counts the most abhorrent states and agencies as valued clients? Or the governments that buy that industry’s tools, or gather sensitive data and develop cyber weapons they fail to adequately protect?

Either way, all of us are the victims.
