It has been reported that a “targeted” surveillance attack was discovered in WhatsApp: hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in the app. The attack targeted a “select number” of users and was orchestrated by “an advanced cyber actor”.
Social Media Reaction:
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices” https://t.co/NZhiNVF0Tb
— Christine Spolar (@christinespolar) May 14, 2019
So WhatsApp has a backdoor too. Another bad day for Facebook: https://t.co/EcBZWoxQJp
— Damien Ma (@damienics) May 14, 2019
Expert Comments:
Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies:
“It is worth remembering that WhatsApp is an internet application and with that comes risks of hacking, so the usual advice stands – don’t share anything on it that you wouldn’t want to be seen or appear in public. Everyone should take the advice of WhatsApp and update their applications immediately. If required, they should also update their phone’s operating system as doing so can help protect against other security flaws – and it’s good practice to do so as soon as updates become available.”
Adam Brown, Manager of Security Solutions at Synopsys:
“The compromise is possible because applications, including WhatsApp, use many third party components; WhatsApp has ‘libssh’ in its inventory as do many others. Because of a bug in the version of ‘libssh’ (an open source client side C library implementing the SSH2 protocol) attackers are able to run their code on the victim’s phone.
It’s best practice for software companies to know what’s in their bill of materials that make up their software, and to compare that with known vulnerable versions of software components. By doing so, this kind of vulnerability can be avoided.”
Assaf Dahan, Senior Director, Head of Threat Research at Cybereason:
Jake Moore, Security Specialist at ESET:
“These types of attacks are extremely rare but also not to be taken lightly. It is clear from this attack that cyber-criminal organisations continue to look for vulnerabilities in applications used by millions of people around the world in the hope they will find something to exploit.
It doesn’t suggest that any messages have been intercepted in this attack which bodes well for the encryption used by WhatsApp. They have asked all of their users to update the app as a precaution as if this were to have got into the wrong hands, it could have extracted data from many more devices and caused all sorts of problems. Turning on auto updates will protect users from any further vulnerabilities once they are found.”
Ed Macnair, CEO at CensorNet:
“There’s been a blurring of lines between what we might consider consumer tech and enterprise tech. WhatsApp started its life firmly in the consumer corner, but has since been adopted by employees and organizations as an easy way to communicate. What we now have is an excellent example of why that can be a problem.”
“WhatsApp has instructed users to update the app to a version that has fixed the vulnerability in the infrastructure which allowed this to happen. Businesses must remember that, whether they know it or not, WhatsApp is being used on corporate devices and they also need updating.”
Tim Erlin, VP, Product Management and Strategy at Tripwire:
“No software is perfectly secure and vulnerabilities like these are going to exist. The response is what matters.”
Corin Imai, Senior Security Advisor at DomainTools:
Jason Steer, Director of PreSale EMEA at Recorded Future:
“The targeted surveillance attack on WhatsApp is the latest incident to highlight that even the most secure applications have vulnerabilities. This incident is particularly notable as WhatsApp’s assurance of security and confidentiality is one of the reasons it has become the go-to messaging service for many, with more than 60bn messages being sent every day. The case also shows how frightening high-level cyberattacks can be, as the attacker was able to insert malicious code into their target’s device simply by placing a call – even if it wasn’t answered. Vulnerabilities like this have huge implications for clandestine monitoring activity. While such tools are often used in the course of fighting crime and terrorism, they are also open to abuse.
In this instance, the target of the attack was a London-based lawyer who was involved in lawsuits against NSO Group Technologies – the security company believed to be responsible for creating the exploit. The company has been accused of creating tools for use in the surveillance of dissidents, journalists, and critics of governments such as Saudi Arabia and Mexico.
While the exploit has extremely serious implications, it should be noted that the vulnerability has already been patched in an urgent update provided commendably quickly. As long as devices and software are up to date, the exploit is no longer a threat. Users should also rest assured that this was a very high-level attack that was used to conduct targeted surveillance on a particular individual. Such attacks require a much higher level of expertise and resources than a typical criminal cyberattack, and the average person on the street has little to fear from them.”
Victor Chebyshev, Anti-malware Expert at Kaspersky Lab:
“The publicly available information shows that an attacker could execute arbitrary code within the WhatsApp application, thereby gaining access to a wide range of data stored in the device memory, such as the correspondence archive, as well as the camera and microphone.
“The latest information suggests that the attackers used several vulnerabilities, including zero-day vulnerabilities for iOS, and the attack was multi-stage, allowing an attacker to gain a foothold on the device by installing a spyware application on it. Given that these vulnerabilities were apparently exploited on both Android and iOS devices, they are very dangerous. We urge all users to look out for and to install, without delay, any newly released software updates that block vulnerabilities exploited by the malware.”
Dr Darren Williams, CEO at BlackFog:
“We are seeing application-based vulnerabilities becoming a common attack vector. These coordinated attacks, targeting both citizens and institutions, are occurring with alarming frequency. Governments and private individuals must accept that the personal and classified information is unlikely to be safe from malicious actors. It’s inevitable that attackers will find a way in so it’s critical that organisations adopt new technologies that will prevent them from getting out.”
Winston Bond, EMEA Senior Technical Director at Arxan:
“The attack on WhatsApp is based on using a bug in the code to give the attackers control over what it does. It takes a lot of research and reverse engineering to create an attack like that. Nothing will stop bugs, but app hardening would have made that research phase much harder and could have given Facebook a heads-up that someone was tinkering with their app. Unfortunately, too many consumer-facing apps are published without any serious protection against reverse engineering. It’s time that changed.”
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.