It has been reported that a “targeted” surveillance attack was discovered in WhatsApp, hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in WhatsApp. The attack targeted a ‘select number’ of users and was orchestrated by ‘an advanced cyber actor”.
Social Media Reaction:
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices" https://t.co/NZhiNVF0Tb
— Christine Spolar (@christinespolar) May 14, 2019
So WhatsApp has a backdoor too. Another bad day for Facebook:https://t.co/EcBZWoxQJp
— Damien Ma (@damienics) May 14, 2019
Expert Comments:
Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies:
“Almost all applications contain some form of vulnerability and when those applications are as popular as WhatsApp, those flaws will be hunted out with far more vigour than others. That doesn’t negate the fact that this is going to be incredibly concerning for the general public and it returns us to the subject of Facebook. Facebook has been proven to have less than a concrete grip on privacy and security, so this will only add fuel to the fire.
“It is worth remembering that WhatsApp is an internet application and with that comes risks of hacking, so the usual advice stands – don’t share anything on it that you wouldn’t want to be seen or appear in public. Everyone should take the advice of WhatsApp and update their applications immediately. If required, they should also update their phone’s operating system as doing so can help protect against other security flaws – and its good practice to do so as soon as updates become available.”
Adam Brown, Manager of Security Solutions at Synopsys:
“This is an exploit of a bug in software WhatsApp is built on that has a real world impact. Victims of this attack include journalists and activists; attackers are able to use the victim’s phone as a room tap, look at or change information on the phone and find the victim’s location, amongst other things.
“The compromise is possible because applications, including WhatsApp, use many third party components; WhatsApp has ‘libssh’ in its inventory as do many others. Because of a bug in the version of ‘libssh’ (an open source client side C library implementing the SSH2 protocol) attackers are able to run their code on the victim’s phone.
Its best practice for software companies to know what’s in their bill of materials that make up their software, and to compare that with known vulnerable versions of software components. By doing so, this kind of vulnerability can be avoided.”
Assaf Dahan, Senior Director, Head of Threat Research at Cybereason:
“The risk is that once the Spyware (Pegasus) is installed on the victim’s phone, the attackers gain complete access to all of the information on that phone (such as geo-location, contacts, messages, mail, and other data). In simple words, they can monitor everything the victim is doing, therefore complete violation of privacy. Potentially any WhatsApp user can be vulnerable to this attack. This zero day does not require any interaction from the user, and therefore is very difficult if not impossible to avoid. Since this Zero day is attributed by the researchers to the NSO Group, it’s likely used surgically, only against specific people of interest and not as a mass infection payload. Assuming that the latest version published by WhatsApp fixes the buffer overflow vulnerability, users who install the latest version will be protected. That being said, there might be other Zero days exploits in the attackers’ arsenal that haven’t been discovered yet, that might be used against WhatsApp or other mobile apps.”
Jake Moore, Security Specialist at ESET:
“For a vulnerability to be found across the 1.5bn devices where WhatsApp is installed is quite a mean feat in 2019. An attack like this bears all the hallmarks of cyber espionage was likely to have only been used on only a small number of highly targeted individuals.
These types of attacks are extremely rare but also not to be taken lightly. It is clear from this attack that cyber-criminal organisations continue to look for vulnerabilities in applications used by millions of people around the world in the hope they will find something to exploit.
It doesn’t suggest that any messages have been intercepted in this attack which bodes well for the encryption used by WhatsApp. They have asked all of their users to update the app as a precaution as if this were to have got into the wrong hands, it could have extracted data from many more devices and caused all sorts of problems. Turning on auto updates will protect users from any further vulnerabilities once they are found.”
Ed Macnair, CEO at CensorNet:
“WhatsApp has over 1.5 billion users globally, so the news that it had such a massive vulnerability is going to unsettle plenty of people. And rightly so, as the details of this cyber attack, where spyware is being injected onto users’ devices via the app’s call function, is particularly unnerving. The attacks appear to have been specifically targeted, for example a UK based attorney’s phone was attempted to be breached, but this doesn’t mean that the rest of civil society shouldn’t be worried that such an extensive vulnerability was present in the app.
“There’s been a blurring of lines between what we might consider consumer tech and enterprise tech. WhatsApp started its life firmly in the consumer corner, but has since been adopted by employees and organizations as an easy way to communicate. What we now have is an excellent example of why that can be a problem.”
“WhatsApp has instructed users to update the app to a version that has fixed the vulnerability in the infrastructure which allowed this to happen. Businesses must remember that, whether they know it or not, WhatsApp is being used on corporate devices and they also need updating.”
Tim Erlin, VP, Product Management and Strategy at Tripwire:
“This is a troubling vulnerability for any WhatsApp users who have been relying on the app for keeping conversations private. While it’s less likely that the average citizen would be targeted with this kind of spyware, WhatsApp is used by many people for whom the privacy of their conversations is a life and death matter.
No software is perfectly secure and vulnerabilities like these are going to exist. The response is what matters.”
Corin Imai, Senior Security Advisor at DomainTools:
“This is an unfortunate discovery for the Facebook-owned messaging app, which has already seen controversies over the spread of disinformation on their platform in the past year. The best advice we can give to WhatsApp customers is to update their app as soon as possible. The practice of divulging known vulnerabilities and to alert users is the best weapon we have against instances such as this: unfortunately, security breaches are inevitable, and it is unsurprising that malicious actors would choose such high-profile targets, given the returns a successful attack could yield. It is worth noting that, despite the difficult year that WhatsApp and its parent company had in terms of security issues and consequent media backlashes, researchers followed security best practices by acting swiftly to resolve the issue and informing the most likely victims of the risk. If breaches are inevitable and cybercriminals are more active than ever, it is reassuring to know that the good guys never sleep, either.”
Jason Steer, Director of PreSale EMEA at Recorded Future:
“The targeted surveillance attack on WhatsApp is the latest incident to highlight that even the most secure applications have vulnerabilities. This incident is particularly notable as WhatsApp’s assurance of security and confidentiality is one of the reasons it has become the go-to messaging service for many, with more than 60bn messages being sent every day. The case also shows how frightening high-level cyberattacks can be, as the attacker was able to insert malicious code into their target’s device simply by placing a call – even if it wasn’t answered. Vulnerabilities like this have huge implications for clandestine monitoring activity. While such tools are often used in the course of fighting crime and terrorism, they are also open to abuse.
In this instance, the target of the attack was a London-based lawyer who was involved in lawsuits against NSO Group Technologies – the security company believed to be responsible for creating the exploit. The company has been accused of creating tools for the use in the surveillance of dissidents, journalists, and critics of governments such as Saudi Arabia and Mexico.
While the exploit has extremely serious implications, it should be noted that the vulnerability has already been patched in an urgent update provided commendably quickly. As long as devices and software are up to date, the exploit is no longer a threat. Users should also rest assured that this was a very high-level attack that was used to conduct targeted surveillance on a particular individual. Such attacks require a much higher level of expertise and resources than a typical criminal cyberattack, and the average person on the street has little to fear from them.”
Victor Chebyshev, Anti-malware Expert at Kaspersky Lab:
“The publically available information shows that an attacker could execute arbitrary code within the WhatsApp application, thereby gaining access to a wide range of data stored in the device memory, such as the correspondence archive, as well as the camera and microphone.
“The latest information suggests that the attackers used several vulnerabilities, including zero-day vulnerabilities for iOS, and the attack was multi-stage, allowing an attacker to gain a foothold on the device by installing a spyware application on it. Given that these vulnerabilities were apparently exploited on both Android and iOS devices, they are very dangerous. We urge all users to look out for and to install, without delay, any newly released software updates that block vulnerabilities exploited by the malware.”
Dr Darren Williams, CEO at BlackFog:
“The news that more than 1.5bn WhatsApp users could be vulnerable to spyware is concerning, particularly as the malicious code was developed by Israeli cyber intelligence agency, the NSO Group, an organisation known to work with governments and intelligence agencies across the globe.
We are seeing application-based vulnerabilities becoming a common attack vector. These coordinated attacks, targeting both citizens and institutions are occurring with alarming frequency. Governments and private individuals must accept that the personal and classified information is unlikely to be safe from malicious actors. It’s inevitable that attackers will find a way in so it’s critical that organisations adopt new technologies that will prevent them from getting out.”
Winston Bond, EMEA Senior Technical Director at Arxan:
“The attack on WhatsApp is based on using a bug in the code to give the attackers control over what it does. It takes a lot of research and reverse engineering to create an attack like that. Nothing will stop bugs, but app hardening would have made that research phase much harder and could have given Facebook a heads-up that someone was tinkering with their app. Unfortunately, too many consumer-facing apps are published without any serious protection against reverse engineering. It’s time that changed.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.