NSO Group Pitched Phone Hacking Tech to American Police

A brochure and emails obtained by Motherboard show how Westbridge, the U.S. arm of NSO, wanted U.S. cops to buy a tool called Phantom.
May 12, 2020, 3:03pm
Westbridge brochure
Image: Motherboard

NSO Group, the surveillance vendor best known for selling hacking technology to authoritarian governments, including Saudi Arabia, also tried to sell its products to local U.S. police, according to documents obtained by Motherboard.

The news provides the strongest evidence yet of NSO's attempt to enter the U.S. market, and shows apparent appetite from U.S. police for such tools, with one law enforcement official describing the hacking technology as "awesome."

"Turn your target's smartphone into an intelligence gold mine," a brochure for the hacking product, called Phantom, reads. The brochure was made by Westbridge Technologies, "the North American branch of NSO Group," it says. Motherboard obtained the document and related emails through a public records act request.

In August 2016, a Westbridge employee emailed the San Diego Police Department (SDPD) offering more information on Phantom, "a mobile intelligence system that would be a great addition to your investigative and special support offices." After remotely hacking the phone, Phantom can siphon a target's emails, text messages, and contact list, as well track their location, turn on the device's microphone and take photos with its camera, according to the brochure.

Do you work at NSO Group, did you used to, or do you know anything else about the company? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

A former NSO employee told Motherboard that Phantom was "a brand name for U.S. territory," but the "same Pegasus," referring to NSO's phone hacking tool that the company has sold to multiple countries including the United Arab Emirates, Mexico, and Saudi Arabia for millions of dollars. Infamously, Saudi Arabia used the software to surveil associates of murdered journalist Jamal Khashoggi. Motherboard granted the source anonymity to protect them from retaliation from NSO

"At the time, Phantom was all 1-click except for old Blackberries which were 0-click," the former employee added. A 0-click attack requires no interaction from the target. A 1-click attack requires the target to click something the NSO client sends to the phone; a link delivered via text message, for example. The brochure adds that the system supported the iPhone and various other models of phones from manufacturers like Samsung.

In the brochure, Westbridge says Phantom can "overcome encryption, SSL, proprietary protocols and any hurdle introduced by the complex communications world." Sections of the Department of Justice have repeatedly pushed for so-called backdoors in both encryption that protects data at rest, like a locked iPhone, and chat programs that protect communications, like Facebook Messenger. Although expensive, Westbridge's offer shows other technological solutions do exist.

After talking to the company in a phone call, SDPD Sergeant David Meyer told Westbridge in an email that the hacking system "sounds awesome." The Westbridge employee also offered to provide a demo of the system in-person, according to the emails.

Lieutenant Shawn Takeuchi, public information officer at SDPD, told Motherboard in an email, "The San Diego Police Department quite often engages in conversations with vendors who are attempting to sell a product or service so that we can provide the highest quality of police services to our communities. Conversations happen routinely and in 2016, Sergeant Meyer’s role was to evaluate vendors who contacted us." Takeuchi added that the technology “would need to be utilized only after legal authority (search warrant) was obtained."

"This is probably the tip of the iceberg," John Scott-Railton, a senior researcher from University of Toronto’s Citizen Lab, which has tracked NSO’s use by other countries, told Motherboard. "Local police wielding secret hacking technology is the nightmare scenario that we all worry about. The local laws and oversight mechanisms are not there. Abuse wouldn’t be a risk, it would be certainty."

1589295718593-phantom

A section of the Westbridge brochure. Image: Motherboard

In its brochure, Westbridge emphasised its connections to the United States, highlighting that it is based in Bethesda, Md., and that the company was at the time majority owned by an American private equity firm. NSO's co-founders bought back the company from private equity firm Francisco Partners in 2019.

At one point, Westbridge tried to acquire another U.S. company because of its sales connections to the U.S. government, Motherboard previously reported. Westbridge previously demoed its hacking technology to the U.S. Drug Enforcement Administration, but the agency did not purchase the product because it was too expensive, according to internal DEA emails Motherboard previously obtained.

This appears to be the reason SDPD did not purchase NSO's technology either. In his email, Sergeant Meyer added, "we simply do not have the kind of funds to move forward on such a large scale project."

A local police force like SDPD would likely be interested in targeting phones within the United States. NSO Group has previously said its Pegasus technology cannot be used to target U.S. phone numbers. In a statement to Motherboard on Tuesday, an NSO spokesperson wrote, "We stand by previous statements that NSO Group products sold to foreign sovereigns cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology which enables targeting phones with US numbers."

Other surveillance vendors have tried to sell their products to U.S. police. Italian firm Hacking Team gave demos to local departments across the country.

"Abuse wouldn’t be a risk, it would be certainty."

NSO is currently embroiled in a lawsuit with Facebook after leveraging a vulnerability in WhatsApp that allowed NSO's clients to hack fully up-to-date devices by just dialing a target phone. Recently Facebook pointed to how NSO's Pegasus system uses U.S.-based servers to route attacks.

"In retrospect we know that while pitching our law enforcement, NSO may have been breaking American laws. It is doubly ironic that the company is now in court claiming that it cannot be held accountable under American law," Scott-Railton added.

Although NSO says its Pegasus system is reserved for terrorism and serious crime, NSO clients have repeatedly used the company's technology to target political opponents, dissidents, journalists, critics, and human rights defenders. In one case, someone used NSO's hacking technology to target a lawyer working on a civil case brought against the company.

Last month Motherboard revealed that an NSO employee previously gained access to, and abused, a UAE client's installation of Pegasus to target a love interest.

You can see the Westbridge Phantom brochure below.

Update: This piece has been updated to include comment from the SDPD and NSO Group.

Subscribe to our cybersecurity podcast, CYBER.