Israeli Malware Merchant's Employee Used Powerful Spyware To Snoop On A Potential Love Interest
from the surprising-no-one dept
NSO Group is not having a great year. At least not on the PR front. The books may be balancing, but its indiscriminate distribution of malware/spyware to questionable governments has been raising eyebrows and blood pressure for years. Now, it's being sued by Facebook for using WhatsApp as its preferred delivery system for malware payloads.
These payloads target criminals and national security threats. But -- since NSO doesn't care who it sells to or what they do with its powerful software -- the payloads also target journalists, dissidents, activists, and attorneys. This malware can take over devices, feeding communications and phone contents to government agencies that want to keep an eye on their enemies -- even when their "enemies" are just critics and people who disagree with their policies.
But the malware can be used for other reasons, too. Any powerful surveillance tool ultimately ends up being misused. Just ask the NSA. And the FBI. And now, ask NSO, as Joseph Cox has for Motherboard.
An employee of controversial surveillance vendor NSO Group abused access to the company's powerful hacking technology to target a love interest, Motherboard has learned.
The previously unreported news is a serious abuse of NSO's products, which are typically used by law enforcement and intelligence agencies. The episode also highlights that potent surveillance technology such as NSO's can ultimately be abused by the humans who have access to it.
How adorable. Israel's biggest malware merchant thinks it's a cop shop. Even more adorably, the company more or less admits (1) this sort of thing is going to happen occasionally, and (2) there's nothing NSO Group can do about it.
"There's not [a] real way to protect against it. The technical people will always have access," a former NSO employee aware of the incident told Motherboard. A second former NSO employee confirmed the first source's account, another source familiar confirmed aspects of it, and a fourth source familiar with the company said an NSO employee abused the company's system.
This isn't just something NSO employees can do. It's also anything any of NSO's customers can do. Not every target of surveillance is a government-ordained target. Give enough people access and power, and abuse will happen. It's more surprising it's happening at NSO, which has always portrayed itself as a blood-on-the-hands-free purveyor of powerful tools. Once it sells them, it takes no responsibility for what's done with them.
And I agree with that point. NSO is not responsible for the acts of its customers. But it should choose better customers, considering how powerful its spyware is. As Cox explains, it's capable of taking over even fully up-to-date devices by manipulating a number of zero-day exploits. Targets never know their devices have been compromised. In some cases, no action needs to be taken on their end, so dodging suspicious links sent via text, chat, or email isn't even needed.
This obviously makes the software a temptation for its employees, who can use it to target whoever they want. The inevitability has occurred. And it has probably occurred more than the single instance detailed here.
As if this development wasn't unpleasant enough, the illicit targeting happened while the NSO employee was working with one of NSO's more unsavory customers, the United Arab Emirates. Not that the customer matters. It could have happened anywhere. But this one happened when the NSO was providing customer service for a country that engages in torture, operates secret prisons, criminalizes criticism of the government, and officially blesses mistreatment of anyone who isn't a Muslim male.
It's pretty tough for a company with minimal moral boundaries to expect its employees to respect the rules it has (well, let's assume NSO has forbidden illicit use of its tools) established to minimize abuse. When you're willing to sell spyware to monsters, you can't really expect employees to maintain their halos.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: employee abuse, love interest, lovint, surveillance
Companies: nso group
Reader Comments
Subscribe: RSS
View by: Time | Thread
"abused access to the company's powerful hacking technology to target a love interest"
I have seen the phrase love interest used before in descriptions of similar situations and in every case, love has nothing to do with it.
[ link to this | view in chronology ]
Ain't love grand?
Awwww... he lervs her! How sweet.
To the clown who abused his access to impress a chick.
Try roses next time, you asshat.
[ link to this | view in chronology ]
Re: Ain't love grand?
"To the clown who abused his access to impress a chick."
Actually, going by the OP, he was targeting said chick.
"Try roses next time, you asshat."
I somehow doubt the stalker who snuck into the phone and/or PC of a girl to snoop through her correspondence sees the need for roses as anything other than a fair warning to the nonconsenting target he's stalking.
[ link to this | view in chronology ]
This is stalking, not love. Yikes.
[ link to this | view in chronology ]
Re:
You think people don't do crazy, stupid shit based on real feelings of love? Examples, particularly related to unrequited love, and been attested for centuries.
[ link to this | view in chronology ]
Re: Re:
But that's kinda the thing... Craziness is a normal part of love in some sense. For the Ancient Greeks, the idea of romantic love was a form of madness in itself. That's why we have the idea of Cupid's arrows, you're struck by them.
Yet at some point that craziness stops being love in that sense. The Ancient Greeks also had the idea of Mania: Love to the point of obsession.
At that point, it twists the idea of loving another person from Altruism to pure self gratification. That's unhealthy at best.
[ link to this | view in chronology ]
Re: Re:
"You think people don't do crazy, stupid shit based on real feelings of love?"
Unfortunately that same argument also serves to provide moral support for people who tend to love children a little too well.
At some point what you have is better described in legal and/or medical terminology than in romantic prose. And that's the point where whatever the perpetrator might have felt becomes completely irrelevant.
A stalker doesn't have "love interests". They have victims.
[ link to this | view in chronology ]
Whew! For a moment there I thought you were talking about the US government.
[ link to this | view in chronology ]
Re:
Substitute "Old rich white" for "Muslim"
[ link to this | view in chronology ]
Funny how it works - be a small time script kiddy for kicks and you are a world menace. Sell it to any police including the secret police and you are a legitimate businessman and nightmare scenarios resulting from your negligence become mere shenanigans you have no responsibility for.
[ link to this | view in chronology ]
Digital hacking..
I wont make this long..
But installing Software onto a computer to get remote access is interesting in 1 BIG way and its the best defense. If they dont lie about it.
READ things on your computer, but also SEND/INSTALL/Watch thru your camera/listen thru your mic, and Just about anything on your computer can be Blamed BACK to the agency they installed the Software. Because Even if they say, they didnt/cant do that, it is fully possible, that it would be PART of that programming.
Just as a Police officer turning off his camera, to search your car.
[ link to this | view in chronology ]
Do we let everyone have guns?
[ link to this | view in chronology ]
Re: Do we let everyone have guns?
Problem with controlling Israel..
USE concerns LOVE using nations that have no laws against THINGS that are legal here..
They can goto that other country and have THEM do the work, of monitoring Persons in the USA..Anyone in the world, as other nations laws have no affect on those NOT in that country.
[ link to this | view in chronology ]
Re: Do we let everyone have guns?
"If these weren't zero-days, but guns, or polonium, or some poison, would there not be calls for far stricter control?"
There would.
The issue crops up when you consider the fact that the "tools" "sold" by NSO are composed of mere information, not physical controllable items.
And there's a problem when it comes to information control. The people willing to put sanctions on the exchange and ownership of information are usually not the kind of people we want to control any information.
"While I am generally libertarian"
You really aren't, if you even feel inclined to advocate the use of the force of law to compel the suppression of what amounts to technical information. The direct analogy of which would be to place the knowledge of locksmithing, chemistry, computer programming, and math under a mandated government license.
The prohibition of physical items deemed too dangerous can be enforced by simply...observing the possession or use of said physical item, in objective reality.
The prohibition of *immaterial items" deemed too dangerous to the public, such as knowledge of encryption, computer technology, or government malfeasance requires you to go full-on soviet commissar to enforce. Go straight to 1984, do not pass go, do not collect 200$. No compromise possible.
[ link to this | view in chronology ]
Garbage this company is. Why do powerful governments and law enforcement agencies turn to this company for hacking tools when they should be perfectly capable of producing programmers at this level of proficiency themselves? Something smells fishy with this, beyond the fact that this company and any government or company who patronizes it is despicable and morally bankrupt.
Oh, sorry I forgot for a moment, this world is filled to the brim with people who are despicable trash!
[ link to this | view in chronology ]
I think what that means in the legal sense is "I'm a transnational organization" if they're dealing in grey or black markets like human trafficking, bio-chem weapons, torture or anything related crimes against humanity.
[ link to this | view in chronology ]
Re:
I also don't endorse the theory the UAE controls it in any way.
[ link to this | view in chronology ]