Documents Show NSO Group Is Pitching Its Malware To US Local Law Enforcement Agencies
from the get-in-bed-with-the-UAE,-locals dept
Infamous Israeli malware developer NSO Group is currently being sued by Facebook for using WhatsApp as its preferred attack vector. Malicious links and malware payloads are sent to targets, allowing government agencies -- including those in countries with horrendous human rights records -- to intercept communications and otherwise exploit compromised phones.
NSO has argued it can't be sued for the things done by its customers, all of which appear to be government agencies. The company says those actions are protected by sovereign immunity. NSO insists it only sells the malware. It does not assist its customers with target acquisition or malware deployment. Documents filed by Facebook say otherwise. NSO appears to deploy malware through servers it owns or rents in the United States, suggesting it is actually more involved in its customers' actions than it has sworn in court.
Like any business, NSO Group wants more customers. It's not content to sell exploits to questionable governments that have used its offerings to target journalists, lawyers, activists, and dissidents. It wants to do business in the United States, where there are thousands of potential law enforcement customers.
Some details of NSO's stateside push emerged a few years ago, when reports showed the DEA had met with NSO to discuss its offerings. Motherboard has obtained additional documents indicating NSO is courting local law enforcement as well.
NSO Group, the surveillance vendor best known for selling hacking technology to authoritarian governments, including Saudi Arabia, also tried to sell its products to local U.S. police, according to documents obtained by Motherboard.
[...]
"Turn your target's smartphone into an intelligence gold mine," a brochure for the hacking product, called Phantom, reads. The brochure was made by Westbridge Technologies, "the North American branch of NSO Group," it says. Motherboard obtained the document and related emails through a public records act request.
"Phantom" is just US branding for NSO's "Pegasus" -- the hacking tool sold to foreign governments that's at the center of Facebook's lawsuit. According to the marketing documents sent to the San Diego Police Department, Phantom turns targeted phones into a steady stream of intercepted communications. The software allows police to grab emails, text messages, contact lists, track the device's location, and surreptitiously activate the phone's camera and microphone. Once a phone is compromised, encryption is no longer a problem, as NSO's sales materials point out.
Pitching a tool this powerful to the San Diego PD had a predictable response:
After talking to the company in a phone call, SDPD Sergeant David Meyer told Westbridge in an email that the hacking system "sounds awesome."
The PD's statement says the department is always looking at products that could aid them in investigations. But as tempting as this one was, it was out of the PD's price range.
In his email, Sergeant Meyer added, "we simply do not have the kind of funds to move forward on such a large scale project."
That the NSO Group is seeking US law enforcement customers isn't a surprise. But the nation's police agencies should try to be selective about who they purchase from. NSO has sold malware to serial human rights abusers and one would hope US agencies would voluntarily choose not to buy from a company with such shady clientele. Unfortunately, this single sampling of law enforcement documents shows at least one cop shop showed interest in buying what NSO was selling, and was only held back by budgetary constraints.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: hacking, law enforcement, police, spyware, us
Companies: nso group
Reader Comments
Subscribe: RSS
View by: Time | Thread
Malware can be gotten rid of on your phone by doing a factory data reset.
Resetting your phone to get rid of malware, including those placed there by law enforcement angencies, does not break any law, at least in the United States.
This is why parental control programs for smartphones like DinnetTime and IgnoreNoMore failed.
When kinds figured out they could do a Factory Data Reset on their phones to get rid of those parental control apps, that put an end to them right now.
Nothing survives a Factory Data Reset
[ link to this | view in chronology ]
Re:
Sadly, that's not true. BIOS viruses are a thing.
[ link to this | view in chronology ]
Re: Re:
Not on phones they are not.
[ link to this | view in chronology ]
Re: Re: Re:
sweet summer child
[ link to this | view in chronology ]
Re: Re: Re:
Test
[ link to this | view in chronology ]
Re: Re: Re:
https://www.bleepingcomputer.com/news/security/malware-found-in-the-firmware-of-141-low-cost-android -devices/
[ link to this | view in chronology ]
Re:
Except malware in the baseband processor, so a factory reset is not guaranteed to remove malware.
[ link to this | view in chronology ]
Re: Re:
Nothing survives a Sledge Hammer - lol
[ link to this | view in chronology ]
Why not? They'd fit right in
[ link to this | view in chronology ]
'... still waiting for the problem you hinted at.'
Yeah, sadly these days telling a US agency that the supplier of something they want sells to people who violate human rights like it's their favorite hobby is likely to have as much impact as telling them that said supplier is staffed by humans who drink water: '... and? They're still selling X right, what's the problem?'
[ link to this | view in chronology ]
Factory reset?
Since virtually all surveillance device (aka phone) software and hardware is proprietary, it is nearly impossible to tell just what a factory reset really does. Even the best professional security researchers have difficulty with this stuff. If you cannot prove it is not spying on you (and you can't) it is best to assume that it is spying on you.
[ link to this | view in chronology ]
NSO is in fact an extremely grey market with almost no legitimate uses.
However, since a foreign country created a national emergency in out country it is now legal in very few circumstances to do business with them to get their foreign origin, self created, national emergency out of our country.
[ link to this | view in chronology ]
Re:
*our country
[ link to this | view in chronology ]
Re:
Also, if the UAE is in fact in charge of it in any way it would only be as a reseller from another nation with no actual control over the servers.
[ link to this | view in chronology ]
Privacy concerns are easy to dismiss when it's not your privacy
Any US agency/department who buys such software should be required to install it on every single personal device of everyone in the agency/department, for a minimum of six months, before it's allowed to be considered for public use.
If invasive surveillance is acceptable to inflict on the public it should be acceptable to inflict on those that would impose it, and if that's too high a price for them to pay then too damn bad, probably should have thought of that beforehand.
[ link to this | view in chronology ]
Unfortunately, even if some of these companies do not succed, eventually the market will. It's all being normalized.
[ link to this | view in chronology ]
Re:
Normalizing those crimes is not likely happen to anyone alive today.
[ link to this | view in chronology ]
Re: Re:
Considering Jackass McConnell (whom I'm ashamed to admit is from my state), just passed an amendment to the Patriot Act explicitly granting the government the power to snoop on the web activity of Americans without a warrant and the collective response to it was "ehh...", you might want to reconsider your viewpoint.
Expect the beatings to continue until the pain finally reaches the masses' underutilized grey matter.
[ link to this | view in chronology ]
Re: Re: Re:
It'd be a shame if Moscow Mitch internet activity were to be made public.
[ link to this | view in chronology ]
Agreed
Agreed.. normalizing it won't help in any way https://www.mybpcreditcard.us/
[ link to this | view in chronology ]