Infamous Israeli malware developer NSO Group is currently being sued by Facebook for using WhatsApp as its preferred attack vector. Malicious links and malware payloads are sent to targets, allowing government agencies -- including those in countries with horrendous human rights records -- to intercept communications and otherwise exploit compromised phones.
NSO has argued it can’t be sued for the things done by its customers, all of which appear to be government agencies. The company says those actions are protected by sovereign immunity. NSO insists it only sells the malware. It does not assist its customers with target acquisition or malware deployment. Documents filed by Facebook say otherwise. NSO appears to deploy malware through servers it owns or rents in the United States, suggesting it is actually more involved in its customers’ actions than it has sworn in court.
Like any business, NSO Group wants more customers. It’s not content to sell exploits to questionable governments that have used its offerings to target journalists, lawyers, activists, and dissidents. It wants to do business in the United States, where there are thousands of potential law enforcement customers.
Some details of NSO’s stateside push emerged a few years ago, when reports showed the DEA had met with NSO to discuss its offerings. Motherboard has obtained additional documents indicating NSO is courting local law enforcement as well.
NSO Group, the surveillance vendor best known for selling hacking technology to authoritarian governments, including Saudi Arabia, also tried to sell its products to local U.S. police, according to documents obtained by Motherboard.
"Turn your target’s smartphone into an intelligence gold mine," a brochure for the hacking product, called Phantom, reads. The brochure was made by Westbridge Technologies, "the North American branch of NSO Group," it says. Motherboard obtained the document and related emails through a public records act request.
"Phantom" is just US branding for NSO’s "Pegasus" -- the hacking tool sold to foreign governments that’s at the center of Facebook’s lawsuit. According to the marketing documents sent to the San Diego Police Department, Phantom turns targeted phones into a steady stream of intercepted communications. The software allows police to grab emails, text messages, contact lists, track the device’s location, and surreptitiously activate the phone’s camera and microphone. Once a phone is compromised, encryption is no longer a problem, as NSO’s sales materials point out.
Pitching a tool this powerful to the San Diego PD drew a predictable response:
After talking to the company in a phone call, SDPD Sergeant David Meyer told Westbridge in an email that the hacking system "sounds awesome."
The PD’s statement says the department is always looking at products that could aid them in investigations. But as tempting as this one was, it was out of the PD’s price range.
In his email, Sergeant Meyer added, "we simply do not have the kind of funds to move forward on such a large scale project."
That the NSO Group is seeking US law enforcement customers isn’t a surprise. But the nation’s police agencies should try to be selective about who they purchase from. NSO has sold malware to serial human rights abusers, and one would hope US agencies would voluntarily choose not to buy from a company with such shady clientele. Unfortunately, this single sampling of law enforcement documents shows at least one cop shop was interested in buying what NSO was selling, and was only held back by budgetary constraints.