Tech

Facebook sues Israeli cybersecurity company NSO and claims it helped hack WhatsApp

Key Points
  • Facebook is suing an Israeli cybersecurity company over claims it hacked WhatsApp users earlier this year. 
  • WhatsApp confirmed the vulnerability earlier this year, but didn't name the perpetrator. 
Jaap Arriens | NurPhoto | Getty Images

Facebook is suing an Israeli cybersecurity company over claims it hacked WhatsApp users earlier this year.

In the complaint filed Tuesday, Facebook alleges that NSO Group used WhatsApp servers to spread malware to 1,400 mobile phones in an attempt to target journalists, diplomats, human rights activists, senior government officials and other parties. The lawsuit says the malware was unable to break the Facebook-owned app's encryption, and instead infected customers' phones, giving NSO access to messages after they were decrypted on the receiver's device.

Facebook also names Q Cyber, a company affiliated with NSO, as a second defendant in the case.

NSO Group said in a statement provided Thursday it disputes Facebook's allegations, "and will vigorously fight them."

"The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime," the company said. "Our technology is not designed or licensed for use against human rights activists and journalists. We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse."

WhatsApp confirmed the vulnerability earlier this year, but didn't name the perpetrator.

NSO used its flagship software, "Pegasus," Facebook alleges, not only to access messages sent via WhatsApp, but also messages sent on competing platforms, including Apple's iMessage, Microsoft's Skype, Telegram, WeChat and Facebook Messenger.

Facebook alleges NSO Group workers created WhatAapp accounts to send "malware components" to devices of those targeted, including by initiating calls to "secretly inject malicious code." NSO then was able to take control of the targeted individuals' smart phones, according to the suit, using computers they controlled.

WhatsApp said in a blog post Tuesday that it had contacted all 1,400 users it suspected were "impacted by this attack to directly inform them about what had happened." WhatsApp said it worked with volunteers from the Citizen Lab, an academic research group at the University of Toronto's Munk School.

"We agree with UN Special Rapporteur for Freedom of Expression David Kaye's call for a moratorium on these attacks," the post said.

WhatsApp head Will Cathcart authored a Washington Post opinion piece, also posted Tuesday, saying, "Mobile phones provide us with great utility, but turned against us they can reveal our locations and our private messages, and record sensitive conversations we have with others."

VIDEO2:3902:39
Here's what you need to know about WhatsApp's security breach