Documents Show NSO Group Is Pitching Its Malware To US Local Law Enforcement Agencies

from the get-in-bed-with-the-UAE,-locals dept

Infamous Israeli malware developer NSO Group is currently being sued by Facebook for using WhatsApp as its preferred attack vector. Malicious links and malware payloads are sent to targets, allowing government agencies — including those in countries with horrendous human rights records — to intercept communications and otherwise exploit compromised phones.

NSO has argued it can’t be sued for the things done by its customers, all of which appear to be government agencies. The company says those actions are protected by sovereign immunity. NSO insists it only sells the malware. It does not assist its customers with target acquisition or malware deployment. Documents filed by Facebook say otherwise. NSO appears to deploy malware through servers it owns or rents in the United States, suggesting it is actually more involved in its customers’ actions than it has sworn in court.

Like any business, NSO Group wants more customers. It’s not content to sell exploits to questionable governments that have used its offerings to target journalists, lawyers, activists, and dissidents. It wants to do business in the United States, where there are thousands of potential law enforcement customers.

Some details of NSO’s stateside push emerged a few years ago, when reports showed the DEA had met with NSO to discuss its offerings. Motherboard has obtained additional documents indicating NSO is courting local law enforcement as well.

NSO Group, the surveillance vendor best known for selling hacking technology to authoritarian governments, including Saudi Arabia, also tried to sell its products to local U.S. police, according to documents obtained by Motherboard.


“Turn your target’s smartphone into an intelligence gold mine,” a brochure for the hacking product, called Phantom, reads. The brochure was made by Westbridge Technologies, “the North American branch of NSO Group,” it says. Motherboard obtained the document and related emails through a public records act request.

“Phantom” is just US branding for NSO’s “Pegasus” — the hacking tool sold to foreign governments that’s at the center of Facebook’s lawsuit. According to the marketing documents sent to the San Diego Police Department, Phantom turns targeted phones into a steady stream of intercepted communications. The software allows police to grab emails, text messages, contact lists, track the device’s location, and surreptitiously activate the phone’s camera and microphone. Once a phone is compromised, encryption is no longer a problem, as NSO’s sales materials point out.

Pitching a tool this powerful to the San Diego PD drew a predictable response:

After talking to the company in a phone call, SDPD Sergeant David Meyer told Westbridge in an email that the hacking system “sounds awesome.”

The PD’s statement says the department is always looking at products that could aid them in investigations. But as tempting as this one was, it was out of the PD’s price range.

In his email, Sergeant Meyer added, “we simply do not have the kind of funds to move forward on such a large scale project.”

That the NSO Group is seeking US law enforcement customers isn’t a surprise. But the nation’s police agencies should try to be selective about who they purchase from. NSO has sold malware to serial human rights abusers and one would hope US agencies would voluntarily choose not to buy from a company with such shady clientele. Unfortunately, this single sampling of law enforcement documents shows at least one cop shop showed interest in buying what NSO was selling, and was only held back by budgetary constraints.

Companies: nso group


Comments on “Documents Show NSO Group Is Pitching Its Malware To US Local Law Enforcement Agencies”

Anonymous Coward says:

Malware can be gotten rid of on your phone by doing a factory data reset.

Resetting your phone to get rid of malware, including those placed there by law enforcement agencies, does not break any law, at least in the United States.

This is why parental control programs for smartphones like DinnerTime and IgnoreNoMore failed.

When kids figured out they could do a Factory Data Reset on their phones to get rid of those parental control apps, that put an end to them right now.

Nothing survives a Factory Data Reset

That One Guy (profile) says:

Re: '... still waiting for the problem you hinted at.'

Yeah, sadly these days telling a US agency that the supplier of something they want sells to people who violate human rights like it’s their favorite hobby is likely to have as much impact as telling them that said supplier is staffed by humans who drink water: ‘… and? They’re still selling X right, what’s the problem?’

Upstream (profile) says:

Factory reset?

Since virtually all surveillance device (aka phone) software and hardware is proprietary, it is nearly impossible to tell just what a factory reset really does. Even the best professional security researchers have difficulty with this stuff. If you cannot prove it is not spying on you (and you can’t) it is best to assume that it is spying on you.

Anonymous Coward says:

NSO is in fact an extremely grey market with almost no legitimate uses.

However, since a foreign country created a national emergency in our country it is now legal in very few circumstances to do business with them to get their foreign origin, self created, national emergency out of our country.

That One Guy (profile) says:

Privacy concerns are easy to dismiss when it's not your privacy

Any US agency/department who buys such software should be required to install it on every single personal device of everyone in the agency/department, for a minimum of six months, before it’s allowed to be considered for public use.

If invasive surveillance is acceptable to inflict on the public it should be acceptable to inflict on those that would impose it, and if that’s too high a price for them to pay then too damn bad, probably should have thought of that beforehand.

Anonymous Coward says:

Re: Re: Re:

Normalizing those crimes is not likely to happen to anyone alive today.

Considering Jackass McConnell (whom I’m ashamed to admit is from my state), just passed an amendment to the Patriot Act explicitly granting the government the power to snoop on the web activity of Americans without a warrant and the collective response to it was "ehh…", you might want to reconsider your viewpoint.

Expect the beatings to continue until the pain finally reaches the masses’ underutilized grey matter.
