WhatsApp zero-day in spy revelations - patch issued

News by Mark Mayne

The Facebook-owned messaging app has urged its approx 1.5bn users to update after Israeli spyware exploited a vulnerability in it. The exploit is particularly sophisticated because no user interaction is required.

A vulnerability in the popular WhatsApp messaging client has been patched after concerns that an exploit was in active use, according to the Financial Times.

The vulnerability lay in the way the app handled incoming calls: an attacker could inject malicious code simply by placing a call to a target device running the app. Even if the user did not answer the call, the code could still be injected, via a specially crafted series of SRTCP packets, in a ‘buffer overflow’ attack.
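The article gives no detail of the flawed code, so the following is an added illustration written for this page and not WhatsApp's or NSO Group's code. It shows the general shape of the bug class named above: a packet handler that sizes a copy from an attacker-controlled length field, beside a hardened version that checks that field against both the bytes actually received and the destination buffer. The header layout is a simplified RTCP-style header (version bits, a payload-type byte, then a 16-bit big-endian length counted in 32-bit words minus one, as in RFC 3550); the names `parse_unchecked`, `parse_checked`, `MAX_REPORT` and the sample packets are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not WhatsApp's code. Simplified RTCP-style header:
 * byte 0 = V(2) P(1) RC(5), byte 1 = payload type, bytes 2-3 = length in
 * 32-bit words minus one (RFC 3550 layout). The report body is copied into a
 * fixed-size buffer, which is where an unchecked length becomes a buffer
 * overflow. MAX_REPORT is a constructed limit for the example. */
#define MAX_REPORT 256

struct rtcp_report {
    uint8_t payload_type;
    size_t  body_len;
    uint8_t body[MAX_REPORT];
};

/* Total packet length in bytes as declared by the attacker-controlled field. */
static size_t declared_len(const uint8_t *pkt)
{
    uint16_t words = (uint16_t)((pkt[2] << 8) | pkt[3]);
    return ((size_t)words + 1) * 4;
}

/* Vulnerable pattern: the copy size comes straight from the packet, so a
 * declared length larger than the bytes received, or larger than MAX_REPORT,
 * reads past the packet and writes past the destination buffer. */
int parse_unchecked(const uint8_t *pkt, size_t pkt_len, struct rtcp_report *out)
{
    if (pkt_len < 4) return 0;
    size_t total = declared_len(pkt);
    out->payload_type = pkt[1];
    out->body_len = total - 4;
    memcpy(out->body, pkt + 4, out->body_len); /* unbounded copy */
    return 1;
}

/* Hardened: every quantity derived from packet bytes is checked against what
 * actually arrived and against the destination before any copy happens. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, struct rtcp_report *out)
{
    if (pkt_len < 4) return 0;              /* header must be complete */
    if ((pkt[0] >> 6) != 2) return 0;       /* RTP/RTCP version must be 2 */
    size_t total = declared_len(pkt);
    if (total > pkt_len) return 0;          /* declared more than received */
    size_t body = total - 4;
    if (body > MAX_REPORT) return 0;        /* would not fit the destination */
    out->payload_type = pkt[1];
    out->body_len = body;
    memcpy(out->body, pkt + 4, body);
    return 1;
}

/* Self-check on constructed packets: returns 1 when the hardened parser
 * accepts the well-formed packet and rejects each malformed one. */
int demo(void)
{
    static const uint8_t good[]        = {0x80, 200, 0x00, 0x01, 1, 2, 3, 4};
    static const uint8_t oversized[]   = {0x80, 200, 0xFF, 0xFF, 1, 2, 3, 4};
    static const uint8_t bad_version[] = {0x00, 200, 0x00, 0x01, 1, 2, 3, 4};
    struct rtcp_report r;
    if (!parse_checked(good, sizeof good, &r) || r.body_len != 4 || r.body[3] != 4) return 0;
    if (parse_checked(oversized, sizeof oversized, &r)) return 0;   /* length > received */
    if (parse_checked(bad_version, sizeof bad_version, &r)) return 0;
    if (parse_checked(good, 3, &r)) return 0;                       /* truncated header */
    return 1;
}

int main(void)
{
    printf(demo() ? "hardened parser: OK\n" : "hardened parser: FAIL\n");
    return 0;
}
```

The point of the comparison is where the check sits: the unchecked version has no way to know the declared length is a lie, so the only defence is to validate the field before it is used for any arithmetic or copy, and to treat a mismatch as a reason to drop the packet rather than to process it.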

Facebook has issued an advisory for CVE-2019-3568 and patched the vulnerability in the latest version of WhatsApp, available on Monday.

Winston Bond, EMEA senior technical director at Arxan, told SC Media UK: "It takes a lot of research and reverse engineering to create an attack like this. Nothing will stop bugs, but app hardening would have made that research phase much harder and could have given Facebook a heads-up that someone was tinkering with their app. Unfortunately, too many consumer-facing apps are published without any serious protection against reverse engineering. It's time that changed."

The exploit has been used against "a select number of users" who were targeted by an "advanced cyber-actor", according to WhatsApp. The Financial Times identified the exploit as part of the Pegasus platform from the Israeli cyber-intelligence company NSO Group, which the company says is supplied only to intelligence and law enforcement agencies. The exploit is particularly sophisticated because no user interaction is required, which puts it in the most serious vulnerability category: exploits usually require some user interaction, such as a click or tap on a disguised popup.

Assaf Dahan, senior director and head of threat research at Cybereason, said: "Potentially any WhatsApp user can be vulnerable to this attack. This zero-day does not require any interaction from the user, and therefore is very difficult if not impossible to avoid. Since this zero-day is attributed by the researchers to the NSO Group, it’s likely used surgically, only against specific people of interest and not as a mass infection payload. Assuming that the latest version published by WhatsApp fixes the buffer overflow vulnerability, users who install the latest version will be protected. That being said, there might be other zero-day exploits in the attackers’ arsenal that haven’t been discovered yet, that might be used against WhatsApp or other mobile apps."

David Holman, director at Armour Comms, pointed out that businesses cannot afford to be complacent: "This latest case of a serious vulnerability in a consumer-grade app highlights the dangers of using free apps, and that they are simply not robust enough for business. While such apps claim that they are secure because they are encrypted, there is so much more to security than just encryption. Encryption is rarely the weakest link, and therefore, unlikely to be targeted by hackers.

"While this particular exploit may have been to target people with specific jobs, there are various other everyday hacks that can be executed relatively easily by low level criminals against these types of product that put users’ data at risk. Breaches of GDPR are a risk to every type of business and come with significant fines."

All WhatsApp users are strongly advised to update their apps to the latest official version as soon as possible, as Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, made clear: "It is worth remembering that WhatsApp is an internet application and with that comes risks of hacking, so the usual advice stands – don’t share anything on it that you wouldn’t want to be seen or appear in public. Everyone should take the advice of WhatsApp and update their applications immediately. If required, they should also update their phone’s operating system as doing so can help protect against other security flaws – and it's good practice to do so as soon as updates become available."

For Etienne Greeff, CTO and co-founder of SecureData, there were three takeaways from this disclosure: "Firstly, this demonstrates the folly of trying to get companies to create backdoors or to open encryption. These types of things are always used in ways we never intended as shown here. In effect an external party created a backdoor and this was used in ways never planned.

"Secondly it shows the effects of very deep state pockets on everyday people. The NSO Group exists because governments and state agencies have the ability to pay six-figure sums for zero-days which they can use for their own policy aims. The reality is that this affects everyday people and does spill over into civilian life as we saw with Khashoggi and others.

"Finally, underlying operating systems may appear to be very secure, i.e. iOS, but the whole ecosystem including all the apps on the operating system is so complex and convoluted it becomes very difficult to have complete security. Also, few of the alleged zero-day security tools used to secure these complex systems would have been effective."
