In 2019, The FBI Took NSO Malware For A Spin Before Deciding It Might Cause Too Many Problems In Court

from the every-so-often,-the-feds-get-it-right dept

The latest disturbing revelation about Israeli malware merchant NSO Group is a bit delayed. NSO has claimed its malware can’t be used to target American phone numbers which, even if true, hasn’t stopped the malware from targeting Americans.

But two years before NSO’s malware malfeasance made headlines around the world, the company was inside the United States, demonstrating its products for federal law enforcement. The latest revelations come via Ronen Bergman and Mark Mazzetti, writing for the New York Times.

In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.

What was being tested was NSO’s Pegasus — an exploit so advanced it pretty much rendered encryption obsolete. In some cases, the exploit didn’t even need the target’s participation to deploy. NSO was selling zero-click malware that compromises phones entirely — providing access to texts, photos, WhatsApp messages, cameras, mics, and whatever other data might be flowing through it. That’s what the FBI was interested in.

It was also interested in something NSO had prepared especially for the FBI. Pegasus was blocked from targeting US numbers. But the FBI definitely wanted to target US phone users, so NSO whipped up a very specific product for the feds.

During a presentation to officials in Washington, the company demonstrated a new system, called Phantom, that could hack any number in the United States that the F.B.I. decided to target. Israel had granted a special license to NSO, one that permitted its Phantom system to attack U.S. numbers. The license allowed for only one type of client: U.S. government agencies.

The presentation made it clear the FBI could target whoever it wanted and needed to seek no assistance from any US cell provider. The exploits were completely independent of US communications infrastructure… other than relying on US content servers for deployment.

But, as the New York Times reports, the FBI still had concerns. Given the malware’s ability to turn a target’s phone into pretty much the FBI’s phone, would deployment raise Fourth Amendment concerns? Presumably, this question centered on how much could be obscured through parallel construction, rather than the FBI’s genuine concern about the privacy rights of Americans. It’s one thing to disguise a wardriving Stingray as a pen register order. It’s quite another to attempt to explain how agents were able to access the content of encrypted communications with a normal wiretap warrant, especially if there’s no cooperating witness to lean on.

As this debate proceeded, the FBI continued to pay for the product it wasn’t sure it could actually use, racking up $5 million in license fees before deciding against rolling this particular constitutional dice. But in doing so, it unwittingly played a part in Facebook’s lawsuit against NSO Group. Documents filed by Facebook and WhatsApp showed an NSO customer was using US-based servers to deploy malware. The assumption at that time was that NSO was enabling access to US servers so foreign governments could deliver malware to targets. Apparently what Facebook observed was the testing conducted by NSO and FBI during this trial run.

When they first presented their case against NSO, Facebook’s lawyers thought they had evidence to disprove one of the Israeli company’s longtime claims — that the Israeli government strictly prohibits the firm from hacking any phone numbers in the United States. In court documents, Facebook asserted it had evidence that at least one number with a Washington area code had been attacked. Clearly someone was using NSO spyware to monitor an American phone number.

But the tech giant didn’t have the entire picture. What Facebook didn’t appear to know was that the attack on a U.S. phone number, far from being an assault by a foreign power, was part of the NSO demonstrations to the F.B.I. of Phantom — the system NSO designed for American law-enforcement agencies to turn the nation’s smartphones into an “intelligence gold mine.”

Five million dollars and one court exhibit later, the FBI is still finding ways to work around encryption that don’t involve constitutionally-questionable phone exploits sold by a morally questionable tech company.

There are plenty of other interesting details in the New York Times article, which I definitely encourage you to click through and read. While the exploits have indeed enabled governments to take down dangerous criminals (including, apparently, notorious drug cartel leader El Chapo), the spread of malware contracts to morally questionable governments was greatly enabled by the Israeli government, which leveraged NSO and its powerful tools to obtain cooperation from countries historically resistant to forming bonds with the Israeli government. While the ends may have been somewhat admirable, the means have resulted in persistent abuse of NSO tools to target people governments don’t like, rather than actual threats to themselves or their constituents.

Companies: nso group


Comments on “In 2019, The FBI Took NSO Malware For A Spin Before Deciding It Might Cause Too Many Problems In Court”

10 Comments
ECA (profile) says:

morally questionable

HOW?
Isn’t it morally responsible to get the crooks off the streets?
Or is that reprehensible?

The laws in the USA have had balance, but they have changed along with the tech used in society.
Things in the past, like talking person to person to pass messages, is almost gone.
Trying to depend on people to mess up or to Just talk about something, ISN’T easy when all communication is No longer 1 on 1.
The other problem is changing Laws, esp for the corps and Super rich.

Anonymous Coward says:

Re: Mu.

Isn’t it morally responsible to get the crooks off the streets?
Or is that reprehensible?

Are the means justified by the ends? If so, why not simply shoot them dead on the street? They’re crooks, right? You’ve defined them that way.

Once you take off the restraint of legal process and civil rights, what do you have left? Vengeance? It certainly won’t be justice.

Anonymous Coward says:

Re: Re: Mu.

Are the means justified by the ends?

Be careful with that question. There are many people in the US who would agree with that statement.

If so, why not simply shoot them dead on the street? They’re crooks, right? You’ve defined them that way.

I’ve said as such for years for the sole purpose of calling their bluffs. Sadly, we have cops doing exactly that today. Especially if you have the "wrong" skin color.

Once you take off the restraint of legal process and civil rights, what do you have left? Vengeance? It certainly won’t be justice.

Remember the ongoing attempts around the country to overturn Roe V. Wade? Their solution was private vigilantism with bounties paid for by the state using taxpayer money. Vengeance is exactly what they want.

Isn’t it morally responsible to get the crooks off the streets?
Or is that reprehensible?

It’s reprehensible when the enforcers commit reprehensible acts to catch the reprehensible crooks. Becoming the monster you sought to destroy means that society was better off with you doing nothing. At best, society still has one monster to rid itself of: You. At worst, society now has two monsters to rid itself of: You and the Original.

Trying to depend on people to mess up or to Just talk about something, ISN’T easy when all communication is No longer 1 on 1.

The prosecutors shouldn’t have been depending on people "messing up" in the first place. Nor should they be demanding that people "mess up." That level of wrong is right up there with plea bargaining and coercing confessions. At best, it convicts criminals without evidence. At worst, it condemns the innocent and vulnerable for the actions of criminals, and also encourages actively sabotaging the general public’s safety and security. In ways similar to this article. Neither is a good outcome.

The other problem is changing Laws, esp for the corps and Super rich.

Agreed. But the problem is that those individuals are the ones that will be guaranteed a loophole from your mandatory surveillance regime. If anything they will be the ones doing the spying on you.

Anonymous Coward says:

Re: Re: Re: Mu.

Super thorough. I hope this comment wins Most Insightful for this week.

The prosecutors shouldn’t have been depending on people "messing up" in the first place. Nor should they be demanding that people "mess up." That level of wrong is right up there with plea bargaining and coercing confessions. At best, it convicts criminals without evidence. At worst, it condemns the innocent and vulnerable for the actions of criminals, and also encourages actively sabotaging the general public’s safety and security. In ways similar to this article. Neither is a good outcome.

Indeed. Despite the Fourth Amendment’s protections, law enforcement today is such that people have to justify their due process and privacy rights. Unfortunately, too many people are fine with that. Instead, law enforcement should justify anything which would potentially violate people’s rights and try not to violate rights in the first place.

Bergman (profile) says:

Re: morally questionable

Two problems with that.

First, when the FBI (or other government agency) violates the Constitution, it’s a felony. Violating wiretap laws is a felony. Violating the computer fraud & abuse act is a felony. If the FBI causes 40 agents to commit 3 felonies each in order to stop 10 guys from committing 2 felonies each, then not only have they not gotten all the crooks off the street, there are now 6 times as many felons on the streets as when they started.

Second, the claim that law enforcement is losing ground due to encryption is a lie. They have more access to criminal communications now than they did at any prior time in history. Criminals have ALWAYS had the ability to keep secrets. In the old days, cops had to have guys undercover for YEARS to get at those secrets. Nowadays, they can just push buttons and get access in minutes.

What is causing them to lose ground is too much information available, coupled to a lack of training on their part. Patrol officers make poor intel analysts unless extensively retrained, and very few are retrained before being expected to analyze intel. Then they get buried under enough raw data to drown even expert intel analysts. The results are predictable.

Tanner Andrews (profile) says:

The nag msg following each techdirt article

We offer a variety of ways for our readers to support us

Pretty much none of which include something basic like “here is an address to send a check” in case the viewer is not sure he wants to trust his credit card or banking information to the internet and websites thereon.

I appreciate that the nag message (which appears to have some sort of nasty javascript component) even follows an article highlighting why one might have doubts about furnishing financial information over the web.
