Zero-day in WhatsApp - NSO: "Hold my beer"
In the cybersecurity world, it's rare to see such blatant disregard for court orders as in the case of NSO Group. The company not only ignored the lawsuit from Meta (then Facebook) but went on to develop additional methods of using WhatsApp to distribute Pegasus during the legal proceedings.
CVE-2019-3568: Anatomy of a breach
In May 2019, WhatsApp discovered a critical vulnerability in its VOIP implementation (CVE-2019-3568, CVSS 9.8). The buffer overflow vulnerability in the VOIP stack allowed remote code execution through specially crafted SRTCP packets. Crucially, the exploit required no user interaction - simply initiating a WhatsApp call was sufficient.
Technical details of the attack:
- Vector: SRTCP packet manipulation during VOIP call initiation
- Payload: Delivered through modified signaling packets
- Covering tracks: Automatic deletion of call logs after successful infection
- Scope: All WhatsApp versions prior to:
  - Android: v2.19.134
  - iOS: v2.19.51
  - Windows Phone: v2.18.348 (all three phones with this system 😃)
  - Tizen: v2.18.15
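A defender's first question after an advisory like this is "which of our devices still run a build below the fix?". The following inventory check is an added example, not code from the article or from WhatsApp: it takes the fixed-version floors listed above and compares installed versions as integer tuples, because a plain string comparison would sort "2.19.100" before "2.19.51" and misclassify patched builds. The device inventory is constructed sample data.

```python
"""Flag WhatsApp builds that predate the CVE-2019-3568 fix.

Added example (not from the article or WhatsApp). The fixed-version
floors are the ones the advisory lists; the inventory below is made up.
"""
from __future__ import annotations

# First fixed build per platform, as listed in the text.
FIXED_VERSIONS = {
    "android": "2.19.134",
    "ios": "2.19.51",
    "windows phone": "2.18.348",
    "tizen": "2.18.15",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'v2.19.134' into (2, 19, 134) so versions compare numerically.

    As strings, '2.19.100' sorts before '2.19.51', which would mark a
    patched build as vulnerable; integer tuples avoid that pitfall.
    """
    parts = version.strip().lower().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, version: str) -> bool:
    """True when `version` is below the first fixed build for `platform`."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"no fix version known for platform {platform!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return the ids of devices whose installed build predates the fix."""
    return [dev for dev, plat, ver in inventory if is_vulnerable(plat, ver)]


# Constructed sample inventory: (device id, platform, installed version).
SAMPLE_INVENTORY = [
    ("phone-01", "Android", "v2.19.133"),  # one build short of the fix
    ("phone-02", "Android", "2.19.134"),   # first fixed build
    ("phone-03", "iOS", "2.19.100"),       # patched; string compare would flag it
    ("phone-04", "iOS", "2.19.50"),
    ("phone-05", "Tizen", "2.18.9"),
]

if __name__ == "__main__":
    print("unpatched:", triage(SAMPLE_INVENTORY))
```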
The exploit's effectiveness was impressive - NSO Group used it to infect approximately 1,400 devices, including phones belonging to Indian activists, journalists, and a British human rights lawyer.
Legal tug-of-war chronology
October 2019: The beginning
Meta files a lawsuit against NSO Group, alleging violations of the Computer Fraud and Abuse Act (CFAA) through misuse of WhatsApp's infrastructure.
July 2020: The Israeli plot twist
The Israeli government conducts an unprecedented action - seizing documents from NSO Group's offices. Official reason: protecting state secrets from potential disclosure in discovery (how convenient!). A gag order was imposed on the entire operation, effectively preventing Israeli media from reporting on the case.
March 2024: The breakthrough
A US court orders NSO Group to hand over Pegasus's source code and other trojans to WhatsApp. Interestingly, the company is exempted from disclosing its server architecture - the court concluded that WhatsApp "would be able to deduce the same information from the full functionality of the alleged spyware."
Israeli intervention: Deeper than it appears
Leaked documents from the Israeli Ministry of Justice reveal the state's much deeper involvement in the case:
Active editing of court documents:
- Removal of references suggesting Israel is an NSO client
- Modifications to legal submissions before court filing
- Hiring of US law firm Arnold & Porter (rates up to $913/hour)
Scope of secured materials:
- Complete client list, including "US customers"
- Contracts and technical documentation
- Materials related to the "Jeff Bezos phone hack" and "Khashoggi case"
Apple throws in the towel
In September 2024, Apple unexpectedly withdraws its lawsuit against NSO Group. Official justification cites:
- Evolving threat landscape in the spyware industry
- Risk of exposing critical intelligence information
- Potential compromise of iOS defense mechanisms
Technical evolution of Pegasus
Over the years, NSO Group developed three main malware installation vectors through WhatsApp:
Heaven (until late 2018):
- Exploitation of manipulated signaling packets
- Redirection to NSO-controlled relay servers
Eden (CVE-2019-3568):
- Buffer overflow exploit in VOIP stack
- Court documents from November 2024 describe using WhatsApp servers as relays
Erised (2019-2020):
The most audacious part of the story - after receiving Meta's lawsuit in October 2019, NSO, instead of ceasing attacks, developed a new zero-click vector called "Erised". Court documents show this vector was actively used at least until May 2020. Moreover, when an NSO representative was asked whether the company continues to use WhatsApp for spyware installation after this date, they declined to answer.
"Press Install" - when spying becomes child's play
November 2024 court documents revealed the shockingly simple Pegasus installation process:
- Client (government agency) merely entered the target's phone number
- Clicked "Install"
- System handled everything automatically, with no interaction from the target required
Interestingly, NSO Group didn't even control which WhatsApp servers were used in the attack. Technical documents show that WhatsApp's algorithms automatically selected relay servers based on performance metrics. It is worth noting that the Pegasus agent had a built-in limitation: it couldn't operate on devices located in the US or those with US phone numbers.
FBI: "Hold my badge"
November documents reveal that the FBI was an NSO Group client. In December 2018, the American agency purchased a license for the system (marketed in the US as "Phantom"). The agreement included not just the system itself, but also ongoing technical support and updates. This might explain why NSO so persistently developed its tools even after being sued: it had contractual obligations to the FBI.
Current situation
The November 2024 court documents reveal a fascinating exchange regarding the AWS server. NSO Group initially claimed that the German AWS server contained "code that comprises part of the Pegasus system" - which itself sounds like an attempt to dodge a full response.
The situation became even more intriguing when it emerged that WhatsApp had already received a copy of this server's contents... from the US Department of Justice.
NSO was ordered by the court to provide the source code, but instead only sent it to WhatsApp's lawyers in Israel, citing export restrictions. Moreover, the code cannot be taken out of the country, used during testimony, shared with US technical experts, or even shown to the presiding judge. It's like saying "Here's the evidence, but you can only view it through frosted glass, wearing gloves, and you're not allowed to discuss it."
Ironically, NSO Group suggests WhatsApp should hire an Israeli technical expert to analyze the code - ignoring the fact that WhatsApp is the victim in this case. It's like telling someone who's been robbed to hire the thief's cousin to count exactly how much was stolen.
What does the future hold?
This story exemplifies modern theater of the absurd. On one side, we have a company claiming its tools are exclusively for fighting crime and terrorism, while refusing to answer whether it still exploits WhatsApp's systems. On the other side, we have governments publicly condemning cyber espionage while quietly purchasing Pegasus licenses.
The FBI buys a system that theoretically can't operate in the US. Apple withdraws its lawsuit to protect "critical intelligence information." Israel seizes evidence to prevent its use in an American court. And WhatsApp receives source code it can't export from Israel, from a company that previously hacked its systems, using code they supposedly can't show anyone.
It seems that in the world of cyber espionage, "legal" and "illegal" are concepts as fluid as the IP addresses of WhatsApp's relay servers.