In 2019, The FBI Took NSO Malware For A Spin Before Deciding It Might Cause Too Many Problems In Court
from the every-so-often,-the-feds-get-it-right dept
The latest disturbing revelation about Israeli malware merchant NSO Group is a bit delayed. NSO has claimed its malware can't be used to target American phone numbers which, even if true, hasn't stopped the malware from targeting Americans.
But two years before NSO's malware malfeasance made headlines around the world, the company was inside the United States, demonstrating its products for federal law enforcement. The latest revelations come via Roman Bergman and Mark Mazzetti, writing for the New York Times.
In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world’s most notorious maker of spyware. Then, with their equipment in place, they began testing.
What was being tested was NSO's Pegasus -- an exploit so advanced it pretty much rendered encryption obsolete. In some cases, the exploit didn't even need the target's participation to deploy. NSO was selling zero-click malware that compromises phones entirely -- providing access to texts, photos, WhatsApp messages, cameras, mics, and whatever other data might be flowing through it. That's what the FBI was interested in.
It was also interested in something NSO had prepared especially for the FBI. Pegasus was blocked from targeting US numbers. But the FBI definitely wanted to target US phone users, so NSO whipped up a very specific product for the feds.
During a presentation to officials in Washington, the company demonstrated a new system, called Phantom, that could hack any number in the United States that the F.B.I. decided to target. Israel had granted a special license to NSO, one that permitted its Phantom system to attack U.S. numbers. The license allowed for only one type of client: U.S. government agencies.
The presentation made it clear the FBI could target whoever it wanted and needed to seek no assistance from any US cell provider. The exploits were completely independent of US communications infrastructure… other than relying on US content servers for deployment.
But, as the New York Times reports, the FBI still had concerns. Given the malware's ability to turn a target's phone into pretty much the FBI's phone, would deployment raise Fourth Amendment concerns? Presumably, this question centered on how much could be obscured through parallel construction, rather than the FBI's genuine concern about the privacy rights of Americans. It's one thing to disguise a wardriving Stingray as a pen register order. It's quite another to attempt to explain how agents were able to access the content of encrypted communications with a normal wiretap warrant, especially if there's no cooperating witness to lean on.
As this debate proceeded, the FBI continued to pay for the product it wasn't sure it could actually use, racking up $5 million in license fees before deciding against rolling this particular constitutional dice. But in doing so, it unwittingly played a part in Facebook's lawsuit against NSO Group. Documents filed by Facebook and WhatsApp showed an NSO customer was using US-based servers to deploy malware. The assumption at that time was that NSO was enabling access to US servers so foreign governments could deliver malware to targets. Apparently what Facebook observed was the testing conducted by NSO and FBI during this trial run.
When they first presented their case against NSO, Facebook’s lawyers thought they had evidence to disprove one of the Israeli company’s longtime claims — that the Israeli government strictly prohibits the firm from hacking any phone numbers in the United States. In court documents, Facebook asserted it had evidence that at least one number with a Washington area code had been attacked. Clearly someone was using NSO spyware to monitor an American phone number.
But the tech giant didn’t have the entire picture. What Facebook didn’t appear to know was that the attack on a U.S. phone number, far from being an assault by a foreign power, was part of the NSO demonstrations to the F.B.I. of Phantom — the system NSO designed for American law-enforcement agencies to turn the nation’s smartphones into an “intelligence gold mine.”
Five million dollars and one court exhibit later, the FBI is still finding ways to work around encryption that don't involve constitutionally-questionable phone exploits sold by a morally questionable tech company.
There are plenty of other interesting details in the New York Times article, which I definitely encourage you to click through and read. While the exploits have indeed enabled governments to take down dangerous criminals (including, apparently, notorious drug cartel leader El Chapo), the spread of malware contracts to morally questionable governments was greatly enabled by the Israeli government, which leveraged NSO and its powerful tools to obtain cooperation from countries historically resistant to forming bonds with the Israeli government. While the ends may have been somewhat admirable, the means have resulted in persistent abuse of NSO tools to target people governments don't like, rather than actual threats to themselves or their constituents.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, doj, fbi, israel, malware, pegasus, phantom, surveillance
Companies: nso group
Reader Comments
Subscribe: RSS
View by: Time | Thread
I thought that NSO was selling only to authoritarian governments! Oh, wait...
[ link to this | view in chronology ]
morally questionable
HOW?
Isnt it morally responsible to get the crooks off the streets?
Or is that reprehensible?
The laws int he USA have had balance, but they have changed along with the tech used in society.
Things in the past, like talking person to person to pass messages, is almost gone.
Trying to depend on people to mess up or to Just talk about something, ISNT easy when all communication is No longer 1 on 1.
The other problem is changing LAws, esp for the corps and Super rich.
[ link to this | view in chronology ]
Mu.
Are the means justified by the ends? If so, why not simply shoot them dead on the street? They're crooks, right? You've defined them that way.
Once you take off the restraint of legal process and civil rights, what do you have left? Vengeance? It certainly won't be justice.
[ link to this | view in chronology ]
Re: Mu.
Be careful with that question. There are many people in the US who would agree with that statement.
I've said as such for years for the sole purpose of calling their bluffs. Sadly, we have cops doing exactly that today. Especially if you have the "wrong" skin color.
Remember the ongoing attempts around the country to overturn Roe V. Wade? Their solution was private vigilantism with bounties paid for by the state using taxpayer money. Vengeance is exactly what they want.
It's reprehensible when the enforcers commit reprehensible acts to catch the reprehensible crooks. Becoming the monster you sought to destroy means that society was better off with you doing nothing. At best, society still has one monster to rid itself of: You. At worse, society now has two monsters to rid itself of: You and the Original.
The prosecutors shouldn't have been depending on people "messing up" in the first place. Nor should they be demanding that people "mess up." That level of wrong is right up there with plea bargaining and coercing confessions. At best, it convicts criminals without evidence. At worse, it condemns the innocent and vulnerable for the actions of criminals, and also encourages actively sabotaging the general public's safety and security. In ways similar to this article. Neither is a good outcome.
Agreed. But the problem is that those individuals are the ones that will be guaranteed a loophole from your mandatory surveillance regime. If anything they will be the ones doing the spying on you.
[ link to this | view in chronology ]
Re: Re: Mu.
Super thorough. I hope this comment wins Most Insightful for this week.
Indeed. Despite the Fourth Amendment's protections, law enforcement today is such that people have to justify their due process and privacy rights. Unfortunately, too many people are fine with that. Instead, law enforcement should justify anything which would potentially violate people's rights and try not to violate rights in the first place.
[ link to this | view in chronology ]
"this comment" meaning "your comment"
Previous commenter here. Talk about terrible word choice. I meant "I hope the comment of the AC I quoted wins Most Insightful for this week."
[ link to this | view in chronology ]
Re: Re: Mu.
Haven't police (this is all about investigation, not prosecution) always relied on people messing up? A criminal who makes no mistakes is extremely difficult to catch.
[ link to this | view in chronology ]
Re: morally questionable
Two problems with that.
First, when the FBI (or other government agency) violates the Constitution, it’s a felony. Violating wiretap laws is a felony. Violating the computer fraud & abuse act is a felony. If the FBI causes 40 agents to commit 3 felonies each in order to stop 10 guys from committing 2 felonies each, then not only have they not gotten all the crooks off the street, there are now 6 times as many felons on the streets as when they started.
Second, the claim that law enforcement is losing ground due to encryption is a lie. They have more access to criminal communications now than they did at any prior time in history. Criminals have ALWAYS had the ability to keep secrets. In the old days, cops had to have guys undercover for YEARS to get at those secrets. Nowadays, they can just push buttons and get access in minutes.
What is causing them to lose ground is too much information available, coupled to a lack of training on their part. Patrol officers make poor intel analysts unless extensively retrained, and very few are retrained before being expected to analyze intel. Then they get buried under enough raw data to drown even expert intel analysts. The results are predictable.
[ link to this | view in chronology ]
O_O
Consider...
They agency that ran a kiddie porn website, providing new images to perverts & hacking computers globally...
Looked at NSO & said... nah thats to far.
O_O
[ link to this | view in chronology ]
The nag msg following each techdirt article
Pretty much none of which include something basic like ``here is an address to send a check'' in case the viewer is not sure he wants to trust his credit card or banking information to the internet and websites thereon.
I appreciate that the nag message (which appears to have some sort of nasty javascript component) even follows an article highlighting why one might have doubts about furnishing financial information over the web.
[ link to this | view in chronology ]