WhatsApp's latest security flaw allegedly allowed governments to spy on dissidents, activists and journalists around the world. An Israeli cyber company is reportedly behind the loophole — and not for the first time.
The messaging app WhatsApp identified a security loophole that allowed attackers to install spyware on phones using the app's regular call function, The Financial Times reported earlier this week. The targeted device owner doesn't even have to take the call, the report explained, as minutes after the attacker dials "the target phone starts revealing its encrypted content."
NSO, an Israeli cybersecurity firm, is believed to be behind the exploitation of the app. The group has not denied the reports, but it said in a statement that it would investigate "any credible allegations of misuse and if necessary, take action, including shutting down the system."
A London-based human rights lawyer brought the case to light after complaining of mysterious WhatsApp calls from Swedish numbers at unusual hours of the night. The man is involved in lawsuits against NSO over the alleged use of its phone-hacking tools to spy on Canada-based Saudi dissident Omar Abdulaziz, a Qatari citizen, and a group of Mexican journalists.
Weapons like any others
The abuse of WhatsApp's loophole is just the latest of many blamed on an Israeli company, prompting the question: How is it that so many private firms from the small Middle Eastern country have managed to become such significant players in the international cyber arena.
One answer is that the development of cyber skills is a state priority. Most Israeli cybersecurity firms recruit former intelligence officers, mainly from a military unit called 8200 — considered the largest in the Israeli Defense Forces.
"It's important to understand that soldiers serving in intelligence units are gaining extremely practical training," says Amitai Ziv, senior high-tech editor at the Israeli newspaper TheMarker. "Starting from day one after their training, they are tasked with real systems to break into across the globe."
Close relations between Israel's intelligence community and the private tech scene allow army veterans to use invaluable information learned in the military and implement it in independent cybersecurity companies they later run as professionals.
Israel sees cybertechnologies as weapons for all intents and purposes, so all such exports — including those from private firms — must be approved individually by the Defense Ministry.
But while the ministry is extremely sensitive to security risks to Israel from exports, it seems to show less concern for human rights violations by potential buyers.
"It's strictly business," claims Ziv. "As long as Israel doesn't see a potential risk to its own citizens, it's likely that security authorities don't regard themselves as the moral compass of the world."
Indeed, private companies appear untroubled by moral qualms.
Although NSO maintains that its software is used to prevent terrorist attacks, infiltrate drug cartels and help rescue kidnapped children, traces of its spyware, Pegasus, have been found in countries with dubious human rights records, such as Saudi Arabia and the United Arab Emirates.
Services for hackers
News of the WhatsApp breach began to emerge when internet watchdog Citizen Lab reported that Israeli software, allegedly developed by NSO, was used to spy on the inner circle of slain journalist and Saudi dissent Jamal Khashoggi. According to the group's members, international undercover operatives then started targeting them.
Cyberdefense troops in Estonia
"We need to remember that the fact that spyware was found to be used by a dictatorial regime doesn't necessarily mean that this regime was the client who initially bought it," Ziv explains.
NSO said in reply that it "would not or could not use its technology in its own right to target any person or organization."
An investigation by Ziv put another Israeli cybersecurity company, Candiru, in the spotlight. The secretive firm has changed its name three times since 2014. It has no website, none of its estimated 120 employees have a LinkedIn profile and its phone number cannot be found in directories.
Instead of individual tools, Candiru offers its clients — strictly international, mainly from Europe — a thorough and complete cybersystem that customers can use to see exactly how many targets have been penetrated by their hacks and what information has been obtained.
Middle East Frenemies?
The WhatsApp breach has shown that Israeli products may very well end up in the hands of regimes that don't even officially recognize Israel or have any diplomatic relations with it — at least not openly, making the country's relationship with its seemingly hostile neighbors more financial than ideological.
As early as 2010, a company named Logic, owned by Israeli businessman Mati Kochavi, signed a deal with an unknown Gulf state to implement border protection technologies and turn its capital into a "smart city." Among other things, the system could trace the real-time movement of people throughout the capital.
Although Logic acquired products made by other Israeli companies, its employees oversaw the implementation of the system and trained local law enforcement personnel. This required regular flights between the two countries, which otherwise don't maintain diplomatic relations.
"Turning a capital into a smart city is at least not offensive," Ziv laughs. "Israel seems to be selling real weapons to real dictatorships. I'm much more worried about that."