WhatsApp CEO takes issue with NSO's denials of iPhone Pegasus hacks

Following the discovery that the Pegasus spyware by NSO Group was being used to surveil high-level journalists, campaigners, and world leaders, NSO took steps to quieten the story. On July 23, NSO CEO Shalev Hulio claimed it couldn't control what governments ultimately did with its tools, which were allegedly intended to catch serious criminals and terrorists.

However, speaking to the Guardian, WhatsApp head Will Cathcart suggested the leaked list of more than 50,000 phone numbers believed to be people of interest of NSO clients may be genuine. Cathcart also believes it matches up to WhatsApp's own investigation in 2019, seemingly proving it has been going on for a number of years.

"The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then," according to Cathcart.

The comment was in reference to WhatsApp's 2019 investigation into attacks against its own systems and users, seemingly with Pegasus. Along with "senior government officials," targets at that time included journalists and human rights campaigners, which Cathcart believes had "no business being under surveillance in any way, shape, or form."

Cathcart's comments go against NSO Group CEO Hulio's claims that people who weren't criminals had "nothing to be afraid of" by the tool.

The WhatsApp chief also questioned NSO's insistence that the list was "exaggerated," as WhatsApp's 2019 attack saw some 1,400 users impacted over a two-week period. "That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high," said Cathcart.

According to court documents seen by The Washington Post about WhatsApp's 2019 lawsuit against NSO Group over the matter, NSO said it should be granted "sovereign immunity" since its clients were vetted government customers, and that it couldn't be sued over the actions of its clients.

NSO insisted it didn't have control over targeting, but exhibits suggested otherwise. One exhibit of internal NSO documents mentioned "The company will provide the End user with assistance in operating, managing, and configuring the System as well as resolving any Software technical issues."

Another exhibit mentions that clients should only insert the phone number of the target, with the rest "done automatically by the system, resulting in most cases with an agent installed on the target device."

A judge in the still-ongoing lawsuit ruled that NSO retained some control, allowing the suit to proceed. NSO appealed in April 2021 to the U.S. Court of Appeals for the 9th Circuit. A decision has yet to be issued.

The 2019 attack wasn't the first time that Facebook, which owns WhatsApp, has dealt with NSO Group. In 2017, the social network enquired about buying Pegasus to get more data about iOS user activity, but NSO at the time refused, citing it only sells products to a "sovereign government or government agency."

Cathcart has called on Apple to adjust its approach regarding malware, given the discovery the iPhone was successfully infiltrated numerous times by Pegasus.

"I hope that Apple will start taking that approach too. Be loud, join in. It's not enough to say, most of our users don't need to worry about this. It's not enough to say oh this is only thousands or tens of thousands of victims.'"

"If this is affecting journalists all around the world, this is affecting human rights defenders all around the world, that affects us all," Cathcart continued. "And if anyone's phone is not secured that means everyone's phone is not secure."

Apple condemned the attacks on July 19, insisting "we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."