Israeli Malware Merchant's Employee Used Powerful Spyware To Snoop On A Potential Love Interest

from the surprising-no-one dept

NSO Group is not having a great year. At least not on the PR front. The books may be balancing, but its indiscriminate distribution of malware/spyware to questionable governments has been raising eyebrows and blood pressure for years. Now, it's being sued by Facebook for using WhatsApp as its preferred delivery system for malware payloads.

These payloads target criminals and national security threats. But -- since NSO doesn't care who it sells to or what they do with its powerful software -- the payloads also target journalists, dissidents, activists, and attorneys. This malware can take over devices, feeding communications and phone contents to government agencies that want to keep an eye on their enemies -- even when their "enemies" are just critics and people who disagree with their policies.

But the malware can be used for other reasons, too. Any powerful surveillance tool ultimately ends up being misused. Just ask the NSA. And the FBI. And now, ask NSO, as Joseph Cox has for Motherboard.

An employee of controversial surveillance vendor NSO Group abused access to the company's powerful hacking technology to target a love interest, Motherboard has learned.

The previously unreported news is a serious abuse of NSO's products, which are typically used by law enforcement and intelligence agencies. The episode also highlights that potent surveillance technology such as NSO's can ultimately be abused by the humans who have access to it.

How adorable. Israel's biggest malware merchant thinks it's a cop shop. Even more adorably, the company more or less admits (1) this sort of thing is going to happen occasionally, and (2) there's nothing NSO Group can do about it.

"There's not [a] real way to protect against it. The technical people will always have access," a former NSO employee aware of the incident told Motherboard. A second former NSO employee confirmed the first source's account, another source familiar confirmed aspects of it, and a fourth source familiar with the company said an NSO employee abused the company's system.

This isn't just something NSO employees can do. It's also anything any of NSO's customers can do. Not every target of surveillance is a government-ordained target. Give enough people access and power, and abuse will happen. It's more surprising it's happening at NSO, which has always portrayed itself as a blood-on-the-hands-free purveyor of powerful tools. Once it sells them, it takes no responsibility for what's done with them.

And I agree with that point. NSO is not responsible for the acts of its customers. But it should choose better customers, considering how powerful its spyware is. As Cox explains, it's capable of taking over even fully up-to-date devices by manipulating a number of zero-day exploits. Targets never know their devices have been compromised. In some cases, no action needs to be taken on their end, so dodging suspicious links sent via text, chat, or email isn't even needed.

This obviously makes the software a temptation for its employees, who can use it to target whoever they want. The inevitability has occurred. And it has probably occurred more than the single instance detailed here.

As if this development wasn't unpleasant enough, the illicit targeting happened while the NSO employee was working with one of NSO's more unsavory customers, the United Arab Emirates. Not that the customer matters. It could have happened anywhere. But this one happened when the NSO was providing customer service for a country that engages in torture, operates secret prisons, criminalizes criticism of the government, and officially blesses mistreatment of anyone who isn't a Muslim male.

It's pretty tough for a company with minimal moral boundaries to expect its employees to respect the rules it has (well, let's assume NSO has forbidden illicit use of its tools) established to minimize abuse. When you're willing to sell spyware to monsters, you can't really expect employees to maintain their halos.

Filed Under: employee abuse, love interest, lovint, surveillance
Companies: nso group


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 5 May 2020 @ 3:45am

    "abused access to the company's powerful hacking technology to target a love interest"

    I have seen the phrase love interest used before in descriptions of similar situations and in every case, love has nothing to do with it.

    reply to this | link to this | view in chronology ]

  • icon
    Code Monkey (profile), 5 May 2020 @ 4:55am

    Ain't love grand?

    Awwww... he lervs her! How sweet.

    To the clown who abused his access to impress a chick.

    Try roses next time, you asshat.

    reply to this | link to this | view in chronology ]

    • icon
      Scary Devil Monastery (profile), 6 May 2020 @ 1:49am

      Re: Ain't love grand?

      "To the clown who abused his access to impress a chick."

      Actually, going by the OP, he was targeting said chick.

      "Try roses next time, you asshat."

      I somehow doubt the stalker who snuck into the phone and/or PC of a girl to snoop through her correspondence sees the need for roses as anything other than a fair warning to the nonconsenting target he's stalking.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 May 2020 @ 5:12am

    This is stalking, not love. Yikes.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 May 2020 @ 11:09am

      Re:

      You think people don't do crazy, stupid shit based on real feelings of love? Examples, particularly related to unrequited love, and been attested for centuries.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 5 May 2020 @ 2:37pm

        Re: Re:

        But that's kinda the thing... Craziness is a normal part of love in some sense. For the Ancient Greeks, the idea of romantic love was a form of madness in itself. That's why we have the idea of Cupid's arrows, you're struck by them.

        Yet at some point that craziness stops being love in that sense. The Ancient Greeks also had the idea of Mania: Love to the point of obsession.

        At that point, it twists the idea of loving another person from Altruism to pure self gratification. That's unhealthy at best.

        reply to this | link to this | view in chronology ]

      • icon
        Scary Devil Monastery (profile), 6 May 2020 @ 1:54am

        Re: Re:

        "You think people don't do crazy, stupid shit based on real feelings of love?"

        Unfortunately that same argument also serves to provide moral support for people who tend to love children a little too well.

        At some point what you have is better described in legal and/or medical terminology than in romantic prose. And that's the point where whatever the perpetrator might have felt becomes completely irrelevant.

        A stalker doesn't have "love interests". They have victims.

        reply to this | link to this | view in chronology ]

  • icon
    Upstream (profile), 5 May 2020 @ 5:18am

    . . . a country that engages in torture, operates secret prisons, criminalizes criticism of the government, and officially blesses mistreatment of anyone who isn't a Muslim male.

    Whew! For a moment there I thought you were talking about the US government.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 May 2020 @ 8:09am

    Funny how it works - be a small time script kiddy for kicks and you are a world menace. Sell it to any police including the secret police and you are a legitimate businessman and nightmare scenarios resulting from your negligence become mere shenanigans you have no responsibility for.

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 5 May 2020 @ 12:02pm

    Digital hacking..

    I wont make this long..
    But installing Software onto a computer to get remote access is interesting in 1 BIG way and its the best defense. If they dont lie about it.
    READ things on your computer, but also SEND/INSTALL/Watch thru your camera/listen thru your mic, and Just about anything on your computer can be Blamed BACK to the agency they installed the Software. Because Even if they say, they didnt/cant do that, it is fully possible, that it would be PART of that programming.

    Just as a Police officer turning off his camera, to search your car.

    reply to this | link to this | view in chronology ]

  • icon
    tz1 (profile), 5 May 2020 @ 2:06pm

    Do we let everyone have guns?

    While I am generally libertarian, there are many dangerous things which any sane person would restrict the sale or distribution of at some level. If these weren't zero-days, but guns, or polonium, or some poison, would there not be calls for far stricter control? And to sanction Israel if they didn't control their companies?

    reply to this | link to this | view in chronology ]

    • icon
      ECA (profile), 5 May 2020 @ 4:36pm

      Re: Do we let everyone have guns?

      Problem with controlling Israel..
      USE concerns LOVE using nations that have no laws against THINGS that are legal here..
      They can goto that other country and have THEM do the work, of monitoring Persons in the USA..Anyone in the world, as other nations laws have no affect on those NOT in that country.

      reply to this | link to this | view in chronology ]

    • icon
      Scary Devil Monastery (profile), 6 May 2020 @ 2:05am

      Re: Do we let everyone have guns?

      "If these weren't zero-days, but guns, or polonium, or some poison, would there not be calls for far stricter control?"

      There would.

      The issue crops up when you consider the fact that the "tools" "sold" by NSO are composed of mere information, not physical controllable items.

      And there's a problem when it comes to information control. The people willing to put sanctions on the exchange and ownership of information are usually not the kind of people we want to control any information.

      "While I am generally libertarian"

      You really aren't, if you even feel inclined to advocate the use of the force of law to compel the suppression of what amounts to technical information. The direct analogy of which would be to place the knowledge of locksmithing, chemistry, computer programming, and math under a mandated government license.

      The prohibition of physical items deemed too dangerous can be enforced by simply...observing the possession or use of said physical item, in objective reality.

      The prohibition of *immaterial items" deemed too dangerous to the public, such as knowledge of encryption, computer technology, or government malfeasance requires you to go full-on soviet commissar to enforce. Go straight to 1984, do not pass go, do not collect 200$. No compromise possible.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 May 2020 @ 4:52pm

    Garbage this company is. Why do powerful governments and law enforcement agencies turn to this company for hacking tools when they should be perfectly capable of producing programmers at this level of proficiency themselves? Something smells fishy with this, beyond the fact that this company and any government or company who patronizes it is despicable and morally bankrupt.

    Oh, sorry I forgot for a moment, this world is filled to the brim with people who are despicable trash!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 May 2020 @ 8:08pm

    I think what that means in the legal sense is "I'm a transnational organization" if they're dealing in grey or black markets like human trafficking, bio-chem weapons, torture or anything related crimes against humanity.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.