US court finds spyware maker NSO liable for WhatsApp hacks

A U.S. federal judge has ruled that Israeli spyware maker NSO Group violated U.S. hacking laws by using WhatsApp zero-day vulnerabilities to deploy its Pegasus spyware on at least 1,400 devices. Pegasus is marketed as surveillance software for government use but has been linked to illegal spying on journalists, activists, and officials.

WhatsApp's lawsuit, filed five years ago, accused NSO of violating the Computer Fraud and Abuse Act (CFAA) and California’s Computer Data Access and Fraud Act (CDAFA). While the court has ruled in WhatsApp’s favor, damages will be determined next year.

Court filings reveal NSO exploited WhatsApp vulnerabilities, including a zero-day called "Erised," to execute zero-click spyware attacks even after the lawsuit was initiated. WhatsApp patched its servers in 2020 to block NSO's access. NSO denies responsibility, claiming its spyware is used solely by its government clients and that it cannot access collected data.

This ruling is considered a major win for privacy, with WhatsApp and Meta emphasizing the importance of holding spyware companies accountable. NSO Group has faced sanctions and lawsuits from the U.S. Commerce Department, Apple, and others over allegations of enabling unlawful surveillance.

Read the full article