from the surprising-no-one dept
NSO Group is not having a great year. At least not on the PR front. The books may be balancing, but its indiscriminate distribution of malware/spyware to questionable governments has been raising eyebrows and blood pressure for years. Now, it’s being sued by Facebook for using WhatsApp as its preferred delivery system for malware payloads.
These payloads target criminals and national security threats. But — since NSO doesn’t care who it sells to or what they do with its powerful software — the payloads also target journalists, dissidents, activists, and attorneys. This malware can take over devices, feeding communications and phone contents to government agencies that want to keep an eye on their enemies — even when their “enemies” are just critics and people who disagree with their policies.
But the malware can be used for other reasons, too. Any powerful surveillance tool ultimately ends up being misused. Just ask the NSA. And the FBI. And now, ask NSO, as Joseph Cox has for Motherboard.
An employee of controversial surveillance vendor NSO Group abused access to the company’s powerful hacking technology to target a love interest, Motherboard has learned.
The previously unreported news is a serious abuse of NSO’s products, which are typically used by law enforcement and intelligence agencies. The episode also highlights that potent surveillance technology such as NSO’s can ultimately be abused by the humans who have access to it.
How adorable. Israel’s biggest malware merchant thinks it’s a cop shop. Even more adorably, the company more or less admits (1) this sort of thing is going to happen occasionally, and (2) there’s nothing NSO Group can do about it.
“There’s not [a] real way to protect against it. The technical people will always have access,” a former NSO employee aware of the incident told Motherboard. A second former NSO employee confirmed the first source’s account, another source familiar confirmed aspects of it, and a fourth source familiar with the company said an NSO employee abused the company’s system.
This isn’t just something NSO employees can do. It’s also anything any of NSO’s customers can do. Not every target of surveillance is a government-ordained target. Give enough people access and power, and abuse will happen. It’s more surprising it’s happening at NSO, which has always portrayed itself as a blood-on-the-hands-free purveyor of powerful tools. Once it sells them, it takes no responsibility for what’s done with them.
And I agree with that point. NSO is not responsible for the acts of its customers. But it should choose better customers, considering how powerful its spyware is. As Cox explains, it’s capable of taking over even fully up-to-date devices by manipulating a number of zero-day exploits. Targets never know their devices have been compromised. In some cases, no action needs to be taken on their end, so dodging suspicious links sent via text, chat, or email isn’t even needed.
This obviously makes the software a temptation for its employees, who can use it to target whoever they want. The inevitability has occurred. And it has probably occurred more than the single instance detailed here.
As if this development wasn’t unpleasant enough, the illicit targeting happened while the NSO employee was working with one of NSO’s more unsavory customers, the United Arab Emirates. Not that the customer matters. It could have happened anywhere. But this one happened when the NSO was providing customer service for a country that engages in torture, operates secret prisons, criminalizes criticism of the government, and officially blesses mistreatment of anyone who isn’t a Muslim male.
It’s pretty tough for a company with minimal moral boundaries to expect its employees to respect the rules it has (well, let’s assume NSO has forbidden illicit use of its tools) established to minimize abuse. When you’re willing to sell spyware to monsters, you can’t really expect employees to maintain their halos.