Vulnerabilities, government surveillance and bans: WhatsApp and Huawei in the news

Two well-publicised issues concerning mobile phone use have emerged over the last week.

First, it was reported that WhatsApp had discovered a vulnerability that allowed users’ phones to be infected with the Pegasus spyware, surveillance software that was developed by NSO Group, an Israeli cyber intelligence company.

The spyware was designed for use on iOS and Android platforms, and can access and read text messages, track calls and harvest a variety of personal information, including passwords; phone cameras and microphones can also be activated. The latest exploits worked without even requiring the user to answer the call.

The problems came to light when the phone of a UK-based human rights lawyer was targeted in an attempt to install the spyware. The lawyer is apparently involved in legal action against NSO which has been brought by government critics in Mexico and Saudi Arabia, as well as by various human rights groups.

Facebook, which owns WhatsApp, told the FT: “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems. We have briefed a number of human rights organizations to share the information we can and to work with them to notify civil society.”

In response, NSO said: “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual.”

However, this is not the first time that NSO Group and Pegasus have come under suspicion. Analysts at Toronto-based Citizen Lab have carried out several interesting studies into the spyware. Back in 2016 it was found being deployed to monitor the iPhones of human rights activists based in the Middle East. In that case, three separate iOS vulnerabilities, known as Trident, were identified.

In 2018 Citizen Lab published more findings on the use of Pegasus. It claimed that a total of 24 individuals were known to have been targeted: they included a colleague of award-winning journalist Javier Valdez Cárdenas, the founder of Rio Doce, a Mexican newspaper known for investigating cartels, who was assassinated near his office in May 2017. Two days later, Rio Doce’s director and a colleague began receiving infection attempts with the spyware.

The case of Omar Abdulaziz, a Saudi activist who had been given asylum in Canada, was also highlighted. A couple of months later it was claimed that Pegasus was used by the Saudi government in its surveillance of Jamal Khashoggi, the murdered Saudi journalist. Abdulaziz, whose device had been infected with the spyware, was in almost daily contact with Khashoggi.

Most recently, after the latest WhatsApp vulnerabilities came to light, it was reported that Amnesty International and other similar organisations are currently involved in a lawsuit against NSO Group: they are demanding that the Israeli government ban the company from exporting the Pegasus software altogether, due to concerns over the possible targeting and surveillance of staff and other individuals involved in human rights work.

While NSO Group denies all the allegations levelled against it, the deputy director of Amnesty’s technology division, said: “We believe that the reality is different. We’ve seen them target human rights organisations and no evidence they’ve been able to effectively control governments when complaints have been raised.”

One other issue concerning the use of Pegasus is worth mention. There is, of course, a possibility that the source code for the spyware has been sold on the Darknet. In July 2018 an ex-employee of NSO Group was accused of stealing the code for one of the company's spyware products, and trying to sell it on the Darknet for $50 million. He was able to bypass security measures which prevented employees from copying software from work devices, and he then found a potential purchaser for the stolen files on the Darknet. However, the buyer alerted NSO Group prior to the sale, leading to the arrest and dismissal of the employee.

The other story that came to light this week concerned further developments in the Huawei saga (see our last blog post). In an important announcement, Google revealed that it would comply with an Executive Order issued by Donald Trump, and would cut ties with the Chinese telecoms company. Owners of Huawei mobile phones will therefore lose access to software updates and apps, including Google Play and email services.

Within a couple of days, however, the US Department of Commerce had issued Huawei with a new licence that would allow it 90 days to maintain support for its existing products and handsets. The move was made following the realisation that telecoms providers in the US and elsewhere currently using Huawei equipment would need some breathing space and time to implement the changes.

Meanwhile, Huawei is faced with determining how it can continue to function effectively and profitably if it does not have access to the Android operating system. It is continuing to develop its own operating system, a not inconsiderable task that it has been working on since 2012. It is currently reportedly trialling its “HongMeng” platform with a view to eventually replacing Android on its smartphones.

The Chinese government has taken the US ban on Huawei products badly. Zhang Ming, China’s ambassador to the European Union, called Donald Trump’s latest order “politically motivated” and an “abuse of export-control measures”. He added: “Chinese companies’ legitimate rights and interests are being undermined, so the Chinese government will not sit idly by.”

As the trade wars between the US and China continue, there will certainly be further debates about the use of Huawei’s technology worldwide.