A coalition of companies have filed an amicus brief in support of a legal case brought by WhatsApp against Israeli intelligence firm NSO Group, accusing the company of using an undisclosed vulnerability in the messaging app to hack into at least 1,400 devices, some of which were owned by journalists and human rights activists.
NSO develops and sells governments access to its Pegasus spyware, allowing its nation state customers to target and stealthily hack into the devices of its targets. Spyware like Pegasus can track a victim’s location, read their messages and listen to their calls, steal their photos and files, and siphon off private information from their device. The spyware is often installed by tricking a target into opening a malicious link, or sometimes by exploiting never-before-seen vulnerabilities in apps or phones to silently infect the victims with the spyware. The company has drawn ire for selling to authoritarian regimes, like Saudi Arabia, Ethiopia, and the United Arab Emirates.
Last year, WhatsApp found and patched a vulnerability that it said was being abused to deliver the government-grade spyware, in some cases without the victim knowing. Months later, WhatsApp sued NSO to understand more about the incident, including which of its government customers was behind the attack.
NSO has repeatedly disputed the allegations, but was unable to convince a U.S. court to drop the case earlier this year. NSO’s main legal defense is that it is afforded legal immunities because it acts on behalf of governments.
But a coalition of tech companies has sided with WhatsApp, and are now asking the court to not allow NSO to claim or be subject to immunity.
Microsoft (including its subsidiaries LinkedIn and GitHub), Google, Cisco, VMware, and the Internet Association, which represents dozens of tech giants including Amazon, Facebook, and Twitter, warned that the development of spyware and espionage tools — including hoarding the vulnerabilities used to deliver them — make ordinary people less safe and secure, and also runs the risk of these tools falling into the wrong hands.
In a blog post, Microsoft’s customer security and trust chief Tom Burt said NSO should be accountable for the tools it builds and the vulnerabilities it exploits.
“Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve,” said Burt. “We hope that standing together with our competitors today through this amicus brief will help protect our collective customers and global digital ecosystem from more indiscriminate attacks.”
A spokesperson for NSO did not immediately comment.