Why it matters: The ruling that NSO Group must hand over information regarding the “full functionality” of Pegasus is a key win for WhatsApp and other entities following this issue. Once the code is in hand, WhatsApp may be able to prove its central claim that Pegasus can intercept communications sent to and from a device.

WhatsApp has won a major legal victory in a US court over the Israeli company NSO Group, which makes a highly sophisticated cyber weapon called Pegasus. US District Judge Phyllis Hamilton has ordered NSO Group to hand over its code for Pegasus and other spyware products to WhatsApp – something the Meta-owned communication app has been seeking since 2019 when it alleged that 1,400 WhatsApp users were subject to surveillance by the spyware, which gained access to their sensitive data, including encrypted messages, over a two-week period.

Hamilton ruled that NSO Group must produce “all relevant spyware” between April 29, 2018 and May 10, 2020, a period before and after the alleged attack. Hamilton also ruled that NSO must hand over information regarding the “full functionality” of Pegasus. The company had argued that it should only be required to hand over information about Pegasus’ installation layer.

In a win for NSO, Hamilton also ruled that it does not have to provide the names of its clients or divulge information about its server architecture.

The decision no doubt caused much dismay in Israel’s defense apparatus as the code for Pegasus and its other surveillance products is a closely guarded state secret and any licenses sold to foreign governments must first be approved by the country’s Defense Ministry.

Pegasus has gained notoriety around the world for its ability to hack into supposedly secure devices. A rough explanation is that it allows its users to commandeer the device itself, gaining access to everything on it by obtaining administrative privileges. It does this through zero-click exploits, which rely on bugs in apps such as iMessage, WhatsApp, and FaceTime.

Several governments around the world have reportedly used Pegasus to target political dissidents, journalists and human rights activists. In 2021 the US blacklisted the NSO for allegedly spreading “digital tools used for repression.”

This decision will allow WhatsApp to move forward with its central legal claim: namely that Pegasus can “intercept communications sent to and from a device, including communications over iMessage, Skype, Telegram, WeChat, Facebook Messenger, WhatsApp, and others” and that it could also be “customized for different purposes, including to intercept communications, capture screenshots, and exfiltrate browser history.” To prove the allegation, WhatsApp needed access to the full functionality of Pegasus, which Hamilton granted.

WhatsApp is not the only entity pursuing Pegasus and the secrets it might hold. Amnesty International claims that it found evidence that Pegasus has been spying on individuals since 2014. It began its own investigation after discovering Amnesty International staffer and Saudi activist, Yahya Assiri, had been targeted in 2018. Thus was born a collaborative investigation that involved more than 80 journalists from 17 media organizations in 10 countries with technical support of Amnesty International’s Security Lab.

That, though, did not appear to stop the spyware’s activities. In 2023, Citizen Lab, which is based at the University of Toronto in Canada, reported that Pegasus could affect iPhones running iOS 15 and early versions of iOS 16. The researchers warned Apple about the vulnerabilities the prior year. Cupertino fixed them, but not before researchers claimed the spyware had been deployed against human rights activists looking into the 2015 disappearance of 43 student demonstrators in Mexico. Apple went on to reportedly warn multiple Russian journalists last year that they were the targets of state-sponsored cyberattacks, most likely by Russia, after discovering that Pegasus had been installed in the iPhone of Russian journalist Galina Timchenko.

Source link