WhatsApp Wins Legal Battle, Unveils NSO Group’s Pegasus Spyware Details
In a significant legal victory, WhatsApp has successfully persuaded a U.S. federal judge to release three court documents that shed light on the controversial Pegasus spyware developed by NSO Group. The documents, which include depositions of NSO employees, internal company records, and WhatsApp messages between NSO staff, were obtained through subpoenas as part of an ongoing lawsuit.
The lawsuit, filed by WhatsApp in 2019, accuses NSO of violating the Computer Fraud and Abuse Act and breaching WhatsApp’s terms of service. It alleges that NSO conducted cyberattacks on WhatsApp users, including journalists and human rights advocates.
One of the key revelations from the court documents is that NSO disconnected 10 government customers due to abuse of the Pegasus spyware. The documents also reveal that NSO developed a suite of hacking tools called “Hummingbird,” which included exploits named “Eden” and “Heaven.”
According to the court files, government customers paid up to $6.8 million annually for these tools, generating at least $31 million in revenue for NSO in 2019. NSO’s head of research and development stated that Pegasus was installed on “hundreds to tens of thousands” of devices.
WhatsApp argues that NSO’s customers had minimal involvement in the process, only needing to input target phone numbers, while NSO controlled the data retrieval. However, NSO maintains that its system is operated solely by clients and denies access to gathered intelligence.
The documents reveal that NSO used a “WhatsApp Installation Server” (WIS) to send malicious exploits to users. WhatsApp successfully patched its systems to defeat NSO’s “Eden” and “Heaven” exploits. A third exploit, “Erised,” was a zero-click exploit blocked by WhatsApp in May 2020.
In a notable admission, NSO acknowledged that Pegasus was used against Dubai’s Princess Haya, leading to the disconnection of 10 customers for abuse.
As WhatsApp seeks a summary judgment in the case, the details revealed in this lawsuit may have far-reaching implications for other legal actions against NSO globally. Natalia Krapiva from Access Now emphasized the significance of the information revealed and the challenges NSO now faces in presenting a defense.
The outcome of this case could set a precedent for future litigation involving spyware companies and their government clients, potentially reshaping the landscape of digital surveillance and privacy rights.