The human rights lawyer at the center of the WhatsApp security breach said it “doesn’t come as a surprise” that the same spyware whose use he is suing against was allegedly used on him.
Facebook, which owns the messaging app used by 1.5 billion users, admitted a vulnerability late Monday after it was initially reported by the Financial Times. The breach, which exploited a vulnerability in WhatsApp that would allow a hacker to access all of the contents of a user’s phone including messages, photos, and its operating system, comes at a vulnerable time for the parent company.
WhatsApp, which boasts end-to-end encryption, is the crown jewel of privacy and security in the Facebook ecosystem, which is working to combine all of its messaging apps under the banner of a company that prioritizes privacy amid several scandals.(MORE: Facebook, Apple, Twitter, and LinkedIn face investigations for violating European privacy laws)
The victim of the WhatsApp security breach is a London-based human rights lawyer, who spoke on the condition that his name not be revealed for security reasons. He told ABC News he recently noticed suspicious activity on this mobile phone.
“Several weeks ago I started receiving WhatsApp video calls early in the morning,” the lawyer told ABC News. “These would ring for a few seconds and then that’s it. Missed calls. I was suspicious of these calls.”
The calls originated in Sweden.
He then contacted Citizen Lab, a research center at the Munk School of Global Affairs at the University of Toronto, which has previously investigated the use of spyware created by the Israel-based NSO Group, which has been accused of supplying tools for regimes hack the phones of dissidents, human-rights activists, and journalists.
The lawyer is on the team representing several of these activists and journalists who are suing NSO, claiming the company’s tracking software, Pegasus, was used to infiltrate the devices of dissidents including Omar Abdulaziz, a Saudi in Canada who claims his WhatsApp messages with his friend, the murdered Washington Post journalist Jamal Khashoggi, were accessed by hackers using Pegasus.
“NSO operates according to the law and adheres to a clear ethical policy that is meant to prevent misuse of its technology,” NSO told ABC News in a statement. “NSO only licenses its technology to approved government intelligence and law enforcement agencies for the sole purpose of preventing and fighting crime and terror, according to clear definitions.”
“In an age when terrorists and criminals hide behind sophisticated technologies, our products have helped stop human traffickers and crime and terror organizations and save the lives of thousands of people around the world,” the statement continued.
“Omar Abdulaziz’s suit makes a number of false claims about our technology, which is designed to prevent and investigate terror and crime,” the company previously said about Abdulaziz.
Citizen Lab started an investigation.
“As part of this investigation they contacted WhatsApp and reached a conclusion that its vulnerability in the app was being exploited by Pegasus,” the lawyer said. “The last of these calls I received on Sunday, an attempt to hack the phone. Most likely it did not succeed.”
“It’s all upsetting, but also the same time, it doesn’t come as a surprise especially the case that we’re working on — hacking attacks by using the same technology, against lawyers or journalists or political activists, so this attempt is consistent with these other attempts in which this technology had been used,” the lawyer said. “It’s very ironic.”
“I’m on the same legal team that reps Omar Abdulaziz aginst NSO and that hack [of his WhatsApp messages] was linked to the Khashoggi case. This same technology was used to spy on the communication between Omar Abdulaziz and Jamal Khashoggi,” the lawyer said.
Three sources familiar with the investigation told ABC News the software used was NSO’s Pegasus.
NSO issued a statement saying its technology “is licensed to authorized government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions.”
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organization, including this individual,” the company said.
Facebook did not comment on details of the WhatsApp security breach but said the company is sharing information with the Department of Justice to assist in an investigation.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a WhatsApp spokesperson wrote ABC in an emailed statement.
On Tuesday, European regulators confirmed they were looking into the breach as a violation of their year-old privacy regulations, General Data Protection Regulation (GDPR) laws.
Facebook, which owns the messaging app WhatsApp, has its European headquarters in Ireland, so Ireland’s Data Protection Commission (DPC) is the lead regulator in Europe. This is at least the 12th investigation by European regulators into Facebook since the European Union’s new privacy laws went into effect one year ago.