
Judge orders NSO to cough up Pegasus super-spyware source code

NSO Group, the Israel-based maker of super-charged snoopware Pegasus, has been ordered by a federal judge in California to share the source code for “all relevant spyware” with Meta’s WhatsApp.

The order [PDF] from Judge Phyllis Hamilton follows from WhatsApp’s 2019 lawsuit [PDF] against NSO for allegedly spying on 1,400 WhatsApp users.

The spyware maker is accused of sending carefully crafted data over the internet to select people’s phones that, via a vulnerability in the chat app’s VoIP stack, allowed malicious code to silently run on those devices, code that in turn allowed victims’ conversations and other sensitive information to be accessed remotely. NSO marketed this surveillance service to governments around the world.

Judge Hamilton’s ruling covers Pegasus and other relevant NSO spyware during the period from April 29, 2018 to May 10, 2020. And it represents a significant legal setback for NSO Group, which has been fighting tooth and nail not to be held accountable for providing surveillance tools to government clients.

The court order is not a complete rout, however: The judge allowed NSO to withhold its client list and details about its server architecture.

NSO Group, which reorganized in 2022, declined to comment on the record.

During the period from January 2018 through May 2019, NSO Group allegedly created WhatsApp messaging accounts, set up a series of proxy and relay servers using cloud service providers, and used this infrastructure to send maliciously crafted network packets, via WhatsApp’s systems, to mobile devices to exploit CVE-2019-3568.

“Defendants caused their malicious code to be transmitted over WhatsApp servers in an effort to infect approximately 1,400 target devices,” WhatsApp’s complaint claims. “The target users included attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.”

NSO Group, which faces similar legal claims brought by Apple and the Knight First Amendment Institute, recently lost its bid to have the US Supreme Court review its claim that it shares the immunity afforded to its foreign state clients. Similarly, its effort to have Apple’s lawsuit tossed was rejected in January by a federal judge.

Since WhatsApp filed its lawsuit in 2019, pressure has been mounting to curtail the sale of sophisticated spyware. The US has sanctioned commercial spyware vendors like NSO Group, Intellexa, and Cytrox. And the White House issued an executive order last year that somewhat banned government use of spyware – exceptions leave leeway for US snoops and homegrown surveillance software.

Governments elsewhere, like Poland and Spain, have been conducting inquiries into the alleged use of Pegasus spyware against political figures and journalists. Nonetheless, the commercial spyware business appears to be doing just fine. As with encryption, governments want spyware for themselves but not for others.

NSO Group has maintained that it only sells spyware to government customers for notionally lawful surveillance. “Our technology is not designed or licensed for use against human rights activists and journalists,” the outfit told The Register in 2019. “It has helped to save thousands of lives over recent years.”

The Register is unaware of which lives, if any, have been saved by Pegasus. However, Amnesty International contends that the software, among other harms, played a role in an infamous assassination. It notes that “family members of Saudi journalist Jamal Khashoggi were targeted with Pegasus software before and after his murder in Istanbul on 2 October 2018 by Saudi operatives, despite repeated denials from NSO Group.” Other media reports have indicated as much.

Donncha Ó Cearbhaill, head of the security lab at Amnesty International, hailed the court order as a step toward accountability but expressed disappointment that NSO won’t have to reveal the clients responsible for the allegedly unlawful targeting of WhatsApp users.

“NSO Group says that it only sells Pegasus to authorized government customers,” Ó Cearbhaill told The Register. “Our Security Lab has documented the massive scale and breadth of the use of Pegasus against human rights defenders and journalists across the world. It is vital that targets of Pegasus find out who has purchased and deployed the spyware against them so that they can seek meaningful redress.” ®