Documents Show NSO Group Is Pitching Its Malware To US Local Law Enforcement Agencies

from the get-in-bed-with-the-UAE,-locals dept

Infamous Israeli malware developer NSO Group is currently being sued by Facebook for using WhatsApp as its preferred attack vector. Malicious links and malware payloads are sent to targets, allowing government agencies -- including those in countries with horrendous human rights records -- to intercept communications and otherwise exploit compromised phones.

NSO has argued it can't be sued for the things done by its customers, all of which appear to be government agencies. The company says those actions are protected by sovereign immunity. NSO insists it only sells the malware. It does not assist its customers with target acquisition or malware deployment. Documents filed by Facebook say otherwise. NSO appears to deploy malware through servers it owns or rents in the United States, suggesting it is actually more involved in its customers' actions than it has sworn in court.

Like any business, NSO Group wants more customers. It's not content to sell exploits to questionable governments that have used its offerings to target journalists, lawyers, activists, and dissidents. It wants to do business in the United States, where there are thousands of potential law enforcement customers.

Some details of NSO's stateside push emerged a few years ago, when reports showed the DEA had met with NSO to discuss its offerings. Motherboard has obtained additional documents indicating NSO is courting local law enforcement as well.

NSO Group, the surveillance vendor best known for selling hacking technology to authoritarian governments, including Saudi Arabia, also tried to sell its products to local U.S. police, according to documents obtained by Motherboard.

[...]

"Turn your target's smartphone into an intelligence gold mine," a brochure for the hacking product, called Phantom, reads. The brochure was made by Westbridge Technologies, "the North American branch of NSO Group," it says. Motherboard obtained the document and related emails through a public records act request.

"Phantom" is just US branding for NSO's "Pegasus" -- the hacking tool sold to foreign governments that's at the center of Facebook's lawsuit. According to the marketing documents sent to the San Diego Police Department, Phantom turns targeted phones into a steady stream of intercepted communications. The software allows police to grab emails, text messages, contact lists, track the device's location, and surreptitiously activate the phone's camera and microphone. Once a phone is compromised, encryption is no longer a problem, as NSO's sales materials point out.

Pitching a tool this powerful to the San Diego PD had a predictable response:

After talking to the company in a phone call, SDPD Sergeant David Meyer told Westbridge in an email that the hacking system "sounds awesome."

The PD's statement says the department is always looking at products that could aid them in investigations. But as tempting as this one was, it was out of the PD's price range.

In his email, Sergeant Meyer added, "we simply do not have the kind of funds to move forward on such a large scale project."

That the NSO Group is seeking US law enforcement customers isn't a surprise. But the nation's police agencies should try to be selective about who they purchase from. NSO has sold malware to serial human rights abusers and one would hope US agencies would voluntarily choose not to buy from a company with such shady clientele. Unfortunately, this single sampling of law enforcement documents shows at least one cop shop showed interest in buying what NSO was selling, and was only held back by budgetary constraints.

Filed Under: hacking, law enforcement, police, spyware, us
Companies: nso group


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 15 May 2020 @ 4:00pm

    Malware can be gotten rid of on your phone by doing a factory data reset.

    Resetting your phone to get rid of malware, including those placed there by law enforcement angencies, does not break any law, at least in the United States.

    This is why parental control programs for smartphones like DinnetTime and IgnoreNoMore failed.

    When kinds figured out they could do a Factory Data Reset on their phones to get rid of those parental control apps, that put an end to them right now.

    Nothing survives a Factory Data Reset

    reply to this | link to this | view in chronology ]

  • icon
    Gorshkov (profile), 15 May 2020 @ 4:53pm

    NSO has sold malware to serial human rights abusers and one would hope US agencies would voluntarily choose not to buy from a company with such shady clientele.

    Why not? They'd fit right in

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 15 May 2020 @ 7:42pm

      '... still waiting for the problem you hinted at.'

      Yeah, sadly these days telling a US agency that the supplier of something they want sells to people who violate human rights like it's their favorite hobby is likely to have as much impact as telling them that said supplier is staffed by humans who drink water: '... and? They're still selling X right, what's the problem?'

      reply to this | link to this | view in chronology ]

  • icon
    Upstream (profile), 15 May 2020 @ 4:55pm

    Factory reset?

    Since virtually all surveillance device (aka phone) software and hardware is proprietary, it is nearly impossible to tell just what a factory reset really does. Even the best professional security researchers have difficulty with this stuff. If you cannot prove it is not spying on you (and you can't) it is best to assume that it is spying on you.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 15 May 2020 @ 4:58pm

    NSO is in fact an extremely grey market with almost no legitimate uses.

    However, since a foreign country created a national emergency in out country it is now legal in very few circumstances to do business with them to get their foreign origin, self created, national emergency out of our country.

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 15 May 2020 @ 5:39pm

    Privacy concerns are easy to dismiss when it's not your privacy

    Any US agency/department who buys such software should be required to install it on every single personal device of everyone in the agency/department, for a minimum of six months, before it's allowed to be considered for public use.

    If invasive surveillance is acceptable to inflict on the public it should be acceptable to inflict on those that would impose it, and if that's too high a price for them to pay then too damn bad, probably should have thought of that beforehand.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 15 May 2020 @ 5:42pm

    Unfortunately, even if some of these companies do not succed, eventually the market will. It's all being normalized.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 15 May 2020 @ 7:51pm

      Re:

      Normalizing those crimes is not likely happen to anyone alive today.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 18 May 2020 @ 9:27am

        Re: Re:

        Normalizing those crimes is not likely happen to anyone alive today.

        Considering Jackass McConnell (whom I'm ashamed to admit is from my state), just passed an amendment to the Patriot Act explicitly granting the government the power to snoop on the web activity of Americans without a warrant and the collective response to it was "ehh...", you might want to reconsider your viewpoint.

        Expect the beatings to continue until the pain finally reaches the masses' underutilized grey matter.

        reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    icon
    Freda20 (profile), 16 May 2020 @ 5:00am

    Agreed

    Agreed.. normalizing it won't help in any way https://www.mybpcreditcard.us/

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.