WhatsApp's loophole reveals role of private companies in cyber-surveillance

Published 4 June 2019

Last month, WhatsApp’s latest security flaw was discovered, a flaw which allows governments to spy on dissidents, activists, and journalists. An Israeli cyber company is reportedly behind the loophole — and not for the first time.

The Financial Times quoted WhatsApp officers who said that the security loophole allowed attackers to install spyware on phones using the app’s regular call function. The targeted device owner does not have to take the call, the news report explained: minutes after the attacker dials “the target phone starts revealing its encrypted content.”

Cyber experts said that NSO, an Israeli cybersecurity firm, was likely behind the exploitation of the app’s flaw. The Israeli group has not denied the reports, but it said in a statement that it would investigate “any credible allegations of misuse and if necessary, take action, including shutting down the system.”

DW reports that a London-based human rights lawyer revealed the problem with the app after complaining of mysterious WhatsApp calls from Swedish numbers at unusual hours of the night. The man is involved in lawsuits against NSO over the alleged use of its phone-hacking tools to spy on Canada-based Saudi dissident Omar Abdulaziz, a Qatari citizen, and a group of Mexican journalists.

DW notes that the exploitation of WhatsApp’s loophole is just the latest of many blamed on an Israeli company, leading many to ask how it is that so many private firms from Israel, a small country by any measure, have managed to become such significant players in the international cyber arena.

One answer is that the development of cyber skills is a state priority. Most Israeli cybersecurity firms recruit former intelligence officers, mainly from a military unit called 8200 — considered the largest in the Israeli Defense Forces.

“It’s important to understand that soldiers serving in intelligence units are gaining extremely practical training,” Amitai Ziv, senior high-tech editor at the Israeli newspaper The Marker, told DW. “Starting from day one after their training, they are tasked with real systems to break into across the globe.”

Close relations between Israel’s intelligence community and the private tech sector allow army veterans to take invaluable skills learned in the military and apply them in independent cybersecurity companies they later run as professionals.

Israel regards cybertechnologies as weapons, so all such exports — including those from private firms — must be approved individually by the Defense Ministry.

The ministry is sensitive to security risks to Israel from cyber exports, but it appears less concerned about human rights violations by potential buyers.

“It’s strictly business,” Ziv told DW. “As long as Israel doesn’t see a potential risk to its own citizens, it’s likely that security authorities don’t regard themselves as the moral compass of the world.”

NSO maintains that its software is used to prevent terrorist attacks, infiltrate drug cartels, and help rescue kidnapped children, but traces of its spyware, Pegasus, have been found in countries with bad human rights records, such as Saudi Arabia and the United Arab Emirates.

“We need to remember that the fact that spyware was found to be used by a dictatorial regime doesn’t necessarily mean that this regime was the client who initially bought it,” Ziv explains.

NSO said in reply that it “would not or could not use its technology in its own right to target any person or organization.”

DW notes that an investigation by Ziv shone light on another Israeli cybersecurity company, Candiru. The secretive firm has changed its name three times since 2014. It has no website, none of its estimated 120 employees has a LinkedIn profile, and its phone number cannot be found in directories.

Instead of individual tools, Candiru offers its clients — strictly international, mainly from Europe — a thorough and complete cybersystem which customers can use to see exactly how many targets have been penetrated by their hacks and what information has been obtained.