NSO Group fails to show up in US court to contest WhatsApp spyware lawsuit, despite promising to ‘vigorously fight’ Facebook’s allegations
Facebook has won the first round of its legal battle against Israel-based NSO Group, after the surveillance software maker failed to show up in a US court.
This is according to a notice of default entered Monday in California, and reported on by Reuters. The failure by NSO to appear in the Northern District of California courtroom is surprising, considering it had promised to ‘vigorously fight’ Facebook’s allegations.
WhatsApp had filed a lawsuit against NSO in October last year. The Facebook unit alleged NSO was behind the cyberattack in 2019 that infected devices with advanced surveillance tools.
In May 2019, WhatsApp had urged all of its 1.5 billion users to update their software to fix a vulnerability that it said was being actively exploited to implant advanced surveillance tools on users’ devices.
The Facebook-owned company discovered the vulnerability earlier in May and released a fix. The Financial Times reported in May 2019 that the bug was used to implant spyware developed by NSO, citing an unnamed surveillance software maker as its source.
NSO Group is in the business of developing surveillance tools that are intended for use by governments and law enforcement agencies.
It is alleged that when attackers rang up a target’s phone, the malicious code would automatically infect the device (even if the call was not answered), WhatsApp said in a technical document on the issue.
The attack involved a buffer overflow vulnerability in WhatsApp’s voice over internet protocol (VoIP) stack that allowed remote code execution via a series of specially crafted secure real-time transport control protocol (SRTCP) packets, WhatsApp said in May 2019.
At the time, WhatsApp acknowledged that the vulnerability had been used to install spyware, without mentioning NSO by name.
It later filed its legal action against the Israeli company in October 2019.
At that time NSO Group told the BBC that it would fight the allegations.
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” the company said in a statement to the BBC.
“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime,” it added.
But despite this statement of intent to fight the allegations from WhatsApp and Facebook, NSO failed to appear in court on Monday.
Reuters cited legal documents filed by WhatsApp, which revealed repeated efforts to serve NSO with legal documents, including emails to senior executives, FedEx-delivered copies to NSO board members, and even a hand-delivered copy of the lawsuit left with NSO cofounder Omri Lavie’s wife at their New Jersey home.
In a statement, WhatsApp noted that NSO had failed to show up before a judge and said it would “continue to pursue swift accountability from the courts in the US.”
NSO said in response that WhatsApp had “prematurely moved for default before properly serving NSO with the lawsuit” and that “this default notice will not stand.”
According to Reuters, a notice of default paves the way for a default judgement against NSO – which could involve injunctions and damages – but a litigator who specialises in cybersecurity issues said that was some way off.
Scott Watnik of Wilk Auslander in New York told Reuters that courts were uncomfortable with default judgements and were usually generous about overturning them when challenged.
“If NSO came forward in a timely way to vacate the default judgment, there’s a very strong chance that the court would grant such a motion,” Watnik reportedly said.
On the other hand, Watnik said he found it extraordinary that NSO was publicly commenting on a lawsuit that it said it had not been properly served in.
“I’ve never seen that before,” he said. “It’s a high risk manoeuvre because it really cuts away at their ability to move to vacate the default judgement.”
NSO countersues
It should be noted that NSO is also suing Facebook, but in Israel and not in the US.
In November 2019, employees at NSO had sued Facebook in a lawsuit filed in the Tel Aviv District Court. The lawsuit alleged that Facebook had unfairly blocked the private social networking accounts of NSO staff.
Last month NSO scored a legal victory against Facebook after an Israeli court ordered the latter to unblock an account belonging to an NSO employee.
Another twist has been the allegation that the owner of Amazon (Jeff Bezos) had his phone hacked by officials from Saudi Arabia.
It has been speculated that Bezos’ phone had been compromised by hackers exploiting the WhatsApp flaw last year.