A jury has awarded WhatsApp $167 million in punitive damages in a case against Israel-based NSO Group for exploiting a software vulnerability that allowed the hacking of thousands of users’ phones. This verdict, reached on Tuesday, marks a significant win not only for Meta-owned WhatsApp but also for privacy and security advocates who have criticized NSO and similar exploit sellers. The jury also awarded $444 million in compensatory damages.
WhatsApp sued NSO in 2019 after an attack targeted approximately 1,400 mobile phones belonging to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials. NSO, which operates on behalf of governments and law enforcement agencies globally, exploited a critical WhatsApp vulnerability to install its proprietary spyware, Pegasus, on iOS and Android devices. This clickless exploit worked by placing a call to a target’s app, infecting the device without requiring the user to answer.
WhatsApp stated, “Today’s verdict is an important step forward for privacy and security as the first victory against illegal spyware that threatens everyone’s safety and privacy.” NSO created WhatsApp accounts in 2018 and used them to exploit the critical vulnerability on phones, including those of 100 members of ‘civil society’ from 20 countries, according to research by Citizen Lab.
After discovering the attack, WhatsApp shut it down with a software update that patched the vulnerability and notified targeted users. Facebook and WhatsApp also banned NSO employees from their platforms shortly afterward.
NSO argued that it should be immune from legal action because it sold tools exclusively to licensed government intelligence and law-enforcement agencies for combating terrorism, child sex abuse, and other serious crimes. However, Tuesday’s verdict from the US District Court for the Northern District of California strongly rebuked NSO’s defense.
This case exposed NSO practices the company had long tried to conceal, including some of its source code and customer identities.
— new from Ars Technica