In 2019, The FBI Took NSO Malware For A Spin Before Deciding It Might Cause Too Many Problems In Court

31.01.2022 23:15

Techdirt

The latest disturbing revelation about Israeli malware merchant NSO Group is a bit delayed. NSO has claimed its malware can't be used to target American phone numbers which, even if true, hasn't stopped the malware from targeting Americans.

But two years before NSO's malware malfeasance made headlines around the world, the company was inside the United States, demonstrating its products for federal law enforcement. The latest revelations come via Roman Bergman and Mark Mazzetti, writing for the New York Times.

In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.

What was being tested was NSO's Pegasus -- an exploit so advanced it pretty much rendered encryption obsolete. In some cases, the exploit didn't even need the target's participation to deploy. NSO was selling zero-click malware that compromises phones entirely -- providing access to texts, photos, WhatsApp messages, cameras, mics, and whatever other data might be flowing through it. That's what the FBI was interested in.

It was also interested in something NSO had prepared especially for the FBI. Pegasus was blocked from targeting US numbers. But the FBI definitely wanted to target US phone users, so NSO whipped up a very specific product for the feds.

During a presentation to officials in Washington, the company demonstrated a new system, called Phantom, that could hack any number in the United States that the F.B.I. decided to target. Israel had granted a special license to NSO, one that permitted its Phantom system to attack U.S. numbers. The license allowed for only one type of client: U.S. government agencies.

The presentation made it clear the FBI could target whoever it wanted and needed to seek no assistance from any US cell provider. The exploits were completely independent of US communications infrastructure… other than relying on US content servers for deployment.

But, as the New York Times reports, the FBI still had concerns. Given the malware's ability to turn a target's phone into pretty much the FBI's phone, would deployment raise Fourth Amendment concerns? Presumably, this question centered on how much could be obscured through parallel construction, rather than the FBI's genuine concern about the privacy rights of Americans. It's one thing to disguise a wardriving Stingray as a pen register order. It's quite another to attempt to explain how agents were able to access the content of encrypted communications with a normal wiretap warrant, especially if there's no cooperating witness to lean on.

As this debate proceeded, the FBI continued to pay for the product it wasn't sure it could actually use, racking up $5 million in license fees before deciding against rolling this particular constitutional dice. But in doing so, it unwittingly played a part in Facebook's lawsuit against NSO Group. Documents filed by Facebook and WhatsApp showed an NSO customer was using US-based servers to deploy malware. The assumption at that time was that NSO was enabling access to US servers so foreign governments could deliver malware to targets. Apparently what Facebook observed was the testing conducted by NSO and FBI during this trial run.

When they first presented their case against NSO, Facebook’s lawyers thought they had evidence to disprove one of the Israeli company’s longtime claims — that the Israeli government strictly prohibits the firm from hacking any phone numbers in the United States. In court documents, Facebook asserted it had evidence that at least one number with a Washington area code had been attacked. Clearly someone was using NSO spyware to monitor an American phone number.

But the tech giant didn’t have the entire picture. What Facebook didn’t appear to know was that the attack on a U.S. phone number, far from being an assault by a foreign power, was part of the NSO demonstrations to the F.B.I. of Phantom — the system NSO designed for American law-enforcement agencies to turn the nation’s smartphones into an “intelligence gold mine.”

Five million dollars and one court exhibit later, the FBI is still finding ways to work around encryption that don't involve constitutionally-questionable phone exploits sold by a morally questionable tech company.

There are plenty of other interesting details in the New York Times article, which I definitely encourage you to click through and read. While the exploits have indeed enabled governments to take down dangerous criminals (including, apparently, notorious drug cartel leader El Chapo), the spread of malware contracts to morally questionable governments was greatly enabled by the Israeli government, which leveraged NSO and its powerful tools to obtain cooperation from countries historically resistant to forming bonds with the Israeli government. While the ends may have been somewhat admirable, the means have resulted in persistent abuse of NSO tools to target people governments don't like, rather than actual threats to themselves or their constituents.