In September, almost four months after it first informed government agencies about the vulnerability in its service, WhatsApp informed authorities in writing that 121 Indian individuals were compromised by the NSO ‘spyware’, sources familiar with the developments said. The Indian Express could not independently verify the number, though it is learnt that the number has not changed since.
On Thursday, The Indian Express had reported that journalists and human rights activists in India were among the 1400 targets of surveillance by operators using Israeli firm NSO’s spyware Pegasus. After the Indian government sought an explanation, on Friday, WhatsApp responded to the government again and explained its lawsuit in a California court.
Meanwhile, some people reported that the vulnerability note WhatsApp filed with Cert-In (CIVN-2019-0080) on May 17 had apparently disappeared from its site for some time.
Back in May, India’s CERT (@IndianCERT) published an advisory on the WhatsApp vulnerability allegedly exploited by NSO.
Now it’s gone. https://t.co/fY4YKNdQz5
— Raphael Satter (@razhael) November 1, 2019
However, indianexpress.com found that the page was live and the ‘overview’ of the note clearly states: “A vulnerability has been reported in WhatsApp which could be exploited by a remote attacker to execute arbitrary code on the affected system.” Sources in WhatsApp said since May “they (government agencies) have never asked us directly about the incident. They did not respond to our messages at the time and they have not asked for more information”.
An establishment source The Indian Express spoke to on Friday had claimed the WhatsApp response was “too technical a jargon” and the messaging platform did not reveal that “privacy of Indian users had been compromised”.
As per the Cert-In website, the nodal agency has been mandated to, among other things, “forecast and alert of cyber security incidents”, come up with “emergency measures for handling” such incidents and issue “guidelines and advisories” when needed. The homepage of the site itself lists vulnerabilities in everything from Apple’s iOS to Microsoft Windows.
Farrhad Acidwalla, founder of Cybernetiv Digital, says Cert-In usually takes newly discovered, potentially widespread vulnerabilities seriously, updates its website and pushes advisories to the relevant parties. “They also have the same information published via their website with background, vulnerability notes, procedures, prevention, response, and other advisories.”
In its lawsuit filed in the Northern District of California courts on October 29 against the NSO Group Technologies Limited and Q Cyber Technologies Limited, WhatsApp had claimed that in and around April 2019 and May 2019, the “defendants used WhatsApp servers, located in the United States and elsewhere, to send malware to approximately 1,400 mobile phones and devices” for surveillance. The suit claimed since the NSO was “unable to break WhatsApp’s end-to-end encryption”, they “developed their malware in order to access messages and other communications after they were decrypted on Target Devices”.
Sources in WhatsApp said that while the vulnerability in its product was the entry point for the attack, “for an SOS malware to be affected, it needs to take advantage of multiple vulnerabilities in the phone”. “It needs a starting point, and we’ve acknowledged that in this case happened through our voice calling.”
How Pegasus infected the Target Devices
The WhatsApp lawsuit gives insight on how NSO allegedly seeded the Pegasus spyware in the target devices.
The lawsuit claims the “Defendants set up various computer infrastructure, including WhatsApp accounts and remote servers” and then “used WhatsApp accounts to initiate calls through Plaintiffs’ servers that were designed to secretly inject malicious code onto Target Devices”. It then “caused the malicious code to execute on some of the Target Devices, creating a connection between those Target Devices and computers controlled by Defendants (the “remote servers”)”.
The lawsuit claims that between January 2018 and May 2019, NSO created WhatsApp accounts “using telephone numbers registered in different countries, including Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands”. They also “leased and caused to be leased servers and internet hosting services in different countries, including the United States, in order to connect the Target Devices to a network of remote servers intended to distribute malware and relay commands to the Target Devices”. WhatsApp claimed these servers were owned by Choopa, Quadranet and Amazon Web Services, among others. “The IP address of one of the malicious servers was previously associated with subdomains used by Defendants.”
As per WhatsApp, NSO “reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code—undetected—to Target Devices over WhatsApp servers”. “To avoid the technical restrictions built into WhatsApp Signaling Servers,” the lawsuit claimed, “Defendants formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings… Once Defendants’ calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device—even when the Target User did not answer the call.”