WhatsApp Vulnerability Fixed

WhatsApp fixed a devastating vulnerability that allowed someone to remotely hack a phone by initiating a WhatsApp voice call. The recipient didn't even have to answer the call.

The Israeli cyber-arms manufacturer NSO Group is believed to be behind the exploit, but of course there is no definitive proof.

If you use WhatsApp, update your app immediately.

Posted on May 15, 2019 at 2:22 PM • 35 Comments

Comments

Sok Puppette May 15, 2019 2:47 PM

... and if you don't need audio and video and all the other geegaws that added that attack surface to Whatsapp, maybe you should switch to something that doesn't have them.

Something decentralized might be a good idea.

steve May 15, 2019 3:09 PM

a nice fat plausible deniability device again :D

I stay with Telegram

James May 15, 2019 3:15 PM

@steve: Telegram is not really end-to-end encrypted. A better alternative is Signal. I would also avoid anything Facebook related like the black death.

James May 15, 2019 3:19 PM

Riot/Matrix looks promising, but I'm not sure about the cryptography part. We'd better leave cryptography details to the cryptographers... The only thing I don't like about Signal is that you need a phone number (sure, there are ways around that, like a burner). However, Signal was also designed for ease of use ...

Black King Ian May 15, 2019 4:16 PM

@james and @steve

Your debate seems to me beside the point. If a company with the resources of Facebook can't do the job correctly, what reason is there to believe that any lesser company can do it? None. It's all crapware.

Brett May 15, 2019 4:21 PM

The security flaw was bad enough but there should also be some concern about the way the issue has been disclosed, for example:

  • There hasn't been any information about how to determine whether the exploit has already been used.
  • No information about whether the updated version only stops the exploit being performed again.
  • No information about whether the update also blocks anything that was running as a consequence of the exploit being used.
  • No information about whether it was restricted within the sandbox of the WhatsApp app.

These are all things that need answering so that users know the extent of what PII may have been exfiltrated and if information is still being exfiltrated.

James May 15, 2019 4:30 PM

@Black King Ian: Facebook doesn't care about their users' security; they have proven it over and over again. They care about the data they collect, but not about their users.
Sure, you can find bugs in any software, but why does a Facebook screw-up surprise anyone anymore? Besides that, few details on this bug are disclosed ... My paranoid side would even say it was a deliberate "mistake".

James May 15, 2019 4:39 PM

@Brett: An Ars Technica article suggested that the exploit was used to push the Pegasus malware to achieve further exploitation. The details are scarce. Even without lateral movement, exploiting WhatsApp is bad by itself.
Again, I'm scratching my head over this: why would someone who wants to communicate securely and privately ever use Facebook & co.?

Rolf Weber May 15, 2019 5:29 PM

@James

1st, simply because all of your friends & relatives are on "Facebook & Co.".

2nd, bugs are everywhere, but the overall security of WhatsApp is pretty good.

Sed Contra May 15, 2019 7:15 PM

A buffer overflow? Come on ... FB, your platform henceforth is restricted to hand crank telephones.

A90210 May 15, 2019 7:19 PM

https://www.reuters.com/article/us-usa-cyber-congress/lawmakers-seek-probe-on-u-s-hacking-services-sold-globally-idUSKCN1SL2WE

"A bill passed in a House of Representatives’ appropriations subcommittee on Tuesday said Congress is “concerned” about the State Department’s ability to supervise U.S. companies that sell offensive cybersecurity products and know-how to other countries.

The proposed legislation, released on Wednesday, would direct the State Department to report to Congress how it decides whether to approve the sale of cyber capabilities abroad and to disclose any action it has taken to punish companies for violating its policies in the past year.

[...]

The legislation follows a Reuters report in January which showed a U.S. defense contractor provided staff to a United Arab Emirates hacking unit called Project Raven. The UAE program utilized former U.S. intelligence operatives to target militants, human rights activists and journalists.

State Department officials granted permission to the U.S. contractor, Maryland-based CyberPoint International, to assist an Emirate intelligence agency in surveillance operations, but it is unclear how much they knew about its activities in the UAE.

Under U.S. law, companies selling cyber offensive products or services to foreign governments must first obtain permission from the State Department.

[...]

The bill is expected to be voted on by the full appropriations committee in the coming weeks before going onto the full House."

https://mobile.twitter.com/Bing_Chris/status/1128791347962494976

also

https://www.reuters.com/article/us-usa-raven-media-specialreport-idUSKCN1RD2PY 1 April 2019

https://www.aljazeera.com/news/2019/04/hackers-helped-uae-spy-al-jazeera-chairman-reuters-190401170548562.html

TIARA GNOME May 15, 2019 9:01 PM

In the April 28 edition of the Independent (from Great Britain) there is an article that contains this:

"The court heard transcripts of exchanges on the encrypted app Telegram, proving all three defendants ..."

If you trust any of these apps, which are not, in point of fact, end-to-end, and therefore not worthy of real trust in my opinion, the question, ladies and gentlemen, is really this: are you a big enough fish to catch, or should the fisherman, of whatever type, look elsewhere?

TIARA GNOME May 15, 2019 9:35 PM

@ A90210

+1 That was good to know.

"...a U.S. defense contractor provided staff to a United Arab Emirates hacking unit called Project Raven. The UAE program utilized former U.S. intelligence operatives to target militants, human rights activists and journalists."

The U.A.E. is pretty amazing with how they treat people, fellow Muslims. They treat some people as property, and that is evident within the first ten minutes of being there.

Most Americans are going to follow the money, and the moral aspect of how your tools were used can be sorted out later (in Capri, the Maldives, both, or not at all).

You would think that at some point activists and journalists in the Middle East would realize that their every movement is being tracked, recorded, and analyzed. Darwin says don't turn off your phone, don't say derogatory things about the pig running your country, and don't contact your contacts near any electronic device whatsoever, even an oven, electric shaver, battery-powered flashlight. Any of those within fifty meters is bad news. Electrons? Bad, bad, bad. Having a little swim and chat in the Arabian Sea with your fellow swimming enthusiast/source starts to make real sense: better than trusting TLS or Telegram or that pesky configuration file in GPG. No more air-gapping gpg2 and that unfriendly, case sensitive, complex Linux terminal and having to remember your s2k specifiers and then the cost of the USBs for those one-way trips to TAILS and the internet (aka giant collection platform) so your neck does not get air-gapped from your body.

For some fine dining after your swim take a walk in the park with a shawarma.

Gunter Königsmann May 16, 2019 12:17 AM

If the issue is this bad, why do they keep sending me WhatsApp updates a few weeks after half of the people I know get them? Android 8.1.0 and a 64-bit Arm processor shouldn't be so exotic that my platform is tested last...

TIARA GNOME May 16, 2019 1:08 AM

Anyone in the Middle East who has a job of major significance and has not left their phone at home and turned off as much as possible (in a steel box with no battery); is a journalist and actually thinks they are not being listened to; or works for any government at a high level in any position, and thinks their email and phone are not dorked, is not reading the news.

Nor is it going to stop. There is too much money flowing for it to stop, and too many people have their hands in the cash.

Not. Going. To. Stop.

George May 16, 2019 4:50 AM

@James,

I would not trust Signal in its entirety. Call me paranoid, but the group behind Signal has an interesting choice of name that connotes the likes of NGOs that intrude on other countries' sovereignty.

George May 16, 2019 4:54 AM

@TIARA GNOME wrote, "If you trust any of these apps, which are not, in point of fact, end-to-end, and therefore not worthy of real trust in my opinion, the question, ladies and gentlemen, is really this: are you a big enough fish to catch, or should the fisherman, of whatever type, look elsewhere?"

...and especially after it was already demonstrated that Signal/WhatsApp can be reconstructed in such a way as to serve as a "dual use" system.

Gerard van Vooren May 16, 2019 5:22 AM

@ Rolf Weber,

1st, wrong. But you might be at the right problem. The only thing is to solve it, and that's a lot harder than you might accept.

2nd, "bugs are everywhere, but the overall security of WhatsApp is pretty good."

Well, they don't fix the nation state level attacks. And personally I think that is bloody wrong. And it does show bloatware.

James May 16, 2019 6:25 AM

@Rolf Weber:
1 - No, not really. In fact none of my friends / relatives / associates are on "Facebook & Co", and I'm sure there are others like this too. The "if you're not on Facebook / WhatsApp / Instagram etc., then you don't exist" doesn't really apply. People have been keeping in touch since long before Facebook ever existed.

2 - Yes, I totally agree. However, as I said before, Facebook has proven over and over again that they don't give a s**t about their users' security. Don't confuse securing the data they collect with securing their users; they are different things entirely. I won't even mention privacy, as it would be an oxymoron.

@George:
You can't trust anything entirely, except maybe for one-time pads. However, I would trust almost anything more than Facebook.

Denton Scratch May 16, 2019 7:00 AM

WhatsApp spammed the bejaysus out of my email accounts way back when it launched. The spamming dried up after a year or two, but that kind of behaviour does not bespeak respect for privacy.

Anyhow, I do not use anything that has ever been promoted to me by spamming.

Denton Scratch May 16, 2019 7:13 AM

From the legal opinion in the appendix to the Novalpina letter posted by A90210 (thanks for that):

"The DECA export control regime is relatively unique in that it includes a four-stage export licensing process:"

A thing either is unique or it is not. There's no such state as being "relatively unique".

Petre Peter May 16, 2019 7:37 AM

NSO and NSA have something else in common: they both stockpile vulnerabilities.

Irritated May 16, 2019 8:39 AM

Sometimes I wish people that comment on this blog would speak plainly, instead of coy side remarks, as if they're attempting to avoid triggering keyphrase detecting mechanisms run by the Powers That Be. (See what I did there?)

@Clive Robinson would probably put forth some decent arguments, but some of you need some serious "Citation please!" replied to your comments.

You don't have to trust Signal, or anything built by Signal, or people that create these apps, if you can see the source code (and analyze it) and reproduce the binaries and see if they match. You have bigger problems, IMHO, with proprietary bootloaders / hardware / OSes of cellphones, with flaws in SS7, with flaws in cellphone hardware / OSes / bootloader.

I dunno, Wire / Riot / Tox (and its variants) / etc. might all be better than Signal. I haven't gotten around to using any of them.

If you're really worried, use one-time pads - generate them securely, distribute safely, never use more than once, and dispose of securely.

There are people out there though like Matt Green, Bruce Schneier, etc that use Signal. At some point, we have to trust something / someone. If we can't put some faith in ladies and gentlemen of their caliber though, we're already doomed on the comms front.

TimH May 16, 2019 9:22 AM

Mine is updating to 2.19.51 now on a fruit phone. The update notes say "You can now see stickers in full size.." so either this is a subsequent update, or disclosure is light :)

Clive Robinson May 16, 2019 11:00 AM

@ Irritated,

"@Clive Robinson would probably put forth some decent arguments"

I could, but how long are you --and others-- prepared to read?

Also, more seriously, I don't need to put up much technical argument to say "You can't trust any of them".

By that I'm not assuming that there is anything wrong with the standards, protocols, crypto algorithms, or the coding etc., even though I have my suspicions about all of them and have had from before their "Day Zero".

The reason is a fundamental design flaw in two areas:

1, They are not truly point to point, thus they make traffic analysis trivial.

2, Their security end points are in the application, which means an attack can end run the application to the "plaintext interface" on the device.

Until these two points are fixed, no application is going to be secure.

As for an end run attack, whilst the app might in and of itself be secure, you cannot say the same for the rest of the computing stack downwards, including the hardware, which in the case of mobile phones is not owned by you but by the OS design team, the hardware manufacturer, and the network service provider...

Thus, at the very least in the case of the network service provider, this means you will always be subject to "Traffic Analysis" attacks currently[1], because they own all the "Over The Air" (OTA) and other communications interfaces, including WiFi, Bluetooth and even Near Field Communications (NFC), and as like as not any power system used for charging etc. that can also be used as a communication path.

However message content security can be easily arranged by taking the security end point off the communications end point device.

So if you, say, use a secure paper and pencil cipher out of sight etc. of the phone (i.e. an energy gap) and then type the ciphertext into the app, what comes out on the far end user's device is secure ciphertext; they can write that on a piece of paper, cross their energy gap with it and decrypt it to get the plaintext.

Obviously the encryption does not have to be either a block or stream cipher; it can in fact be some type of "one time code", thus producing what can be an unbreakable stego system. With care it can pass most human and AI analysis.

This was all known prior to the NSA being founded and appears to get forgotten or never learned by every developer that thinks they are smarter than a bear...

Yup, I know that's not what people want to hear, but it's the bottom line and all the SigInt agencies know it and presumably exploit it, which is what appears --currently too little info for certainty-- to be the case with WhatsApp. It is also the same for Signal, Telegram and "my old dog doing back flips".

[1] There is a solution to this as I've mentioned several times before which is a "Network over a Network" that also implements a "Fleet Broadcast" type system.

Irritated May 16, 2019 11:23 AM

@Clive Robinson

I always read your posts - the length doesn't bother me.

Appreciate the input.

Jack May 16, 2019 11:37 AM

When you give someone accused of some wrongdoing the chance to deny it and they don't.. What do you want, a signed confession from Binni?

RealFakeNews May 18, 2019 8:19 AM

@Clive Robinson: I too read your posts in full, regardless of length.

@All:

Isn't WhatsApp end-to-end encrypted via a central server? WhatsApp must also be breaching your privacy as an app, otherwise Facebook would have had zero interest in it. This alone is reason enough not to use it.

One of my telephone numbers ended up on a contact's WhatsApp app, and that number started receiving these silent robot calls occasionally. I knew who it was, and persuaded them to remove WhatsApp. The calls stopped. Coincidence? Highly unlikely.

What I don't understand is why it is too hard for any app developer to create a simple, open app for messaging securely. All this capability in the community, but no-one doing it? Is there some law or EULA that is stopping it happening, and these companies are only doing it because they've been subverted?

Gunter Königsmann May 18, 2019 11:09 AM

WhatsApp is end-to-end encrypted. But you cannot verify if there is a man-in-the-middle, and your government can choose your encryption key for you. But I guess Facebook itself isn't interested in the contents of your messages: they should be happy with the metadata of your messages and your phone book.

AlexT May 19, 2019 1:27 AM

I must confess that I am very perplexed by this one.

We are to believe that there was a cross-platform vulnerability on all WhatsApp implementations (remember this worked on iOS, Android and Windows Phone!) and that the NSO people had a payload that would reliably escape the sandbox and install a persistent RAT.

If so, fairly impressive... But what if WhatsApp was actually _designed_ to help the code injection? Do we have any specifics?

Gunter Königsmann May 19, 2019 2:05 AM

My guess is that WhatsApp is big enough to contain enough attack surface to contain flaws like the one Google Project Zero has analyzed for FaceTime. ...and that then every. Single. Secret service thought they were the only ones that had found the mythological NOBUS.

George May 19, 2019 3:25 AM

@Irritated,

Most of these "coy remarks" are just plain common sense. Really.

George May 19, 2019 3:44 AM

@James, @Irritated

"You can't trust anything entirely, except maybe for one time pads. However i would trust almost anything more then Facebook."

I would not trust Facebook with my private conversations, but I would not trust a profit-motive NGO disguised as a non-profit (for tax purpose or not) either.

Facebook is never about your privacy, though they never cease to remind us that they are a "privacy first" corporation. Thus, you have an interesting dilemma of selling a service as advertised (or not).

As far as I know, trust isn't earned. It's verified, on a per use basis. Thus, no amount of source code checking can fulfill this requirement. Signal as a platform is unverifiable to me, so I don't trust it. Allowing federated servers or not does not fix this issue either, and apparently they don't.

Clive Robinson May 19, 2019 9:29 AM

@ George,

"Thus, no amount of source code checking can fulfill this requirement. Signal as a platform is unverifiable to me, so I don't trust it."

The same logic applies all the way down the computing stack.

You can not verify the code so you can not trust it...

Sounds bad until you remember you can in a lot of cases "mitigate it".

And "mitigate it" is really the only solution there is. And it falls into doing two things:

1, Segregate the blocks.
2, Verify the interfaces.

In theory if you can see ALL the interfaces on a given block within a system then you can verify them whilst they are in use. In practice it is impossible to "Verify ALL interfaces" because you can not identify them all. So you use a design technique that minimizes the number of "known interfaces" but you do it in a way that catches "unknown interfaces" as well.

That is, we know from the laws of physics that energy is transported by Conduction, Convection and Radiation in Solids or "working fluids" in all cases, and across vacuums as well in the last case. Which means that to stop them we are looking at either Reflection or Absorption to contain energy. But the question then arises as to what energy and if we can actually contain it (gravity for instance) or only at best Mask it, which is generally not a good option[1].

Thus in turn we consider the issue of how information gets modulated or impressed upon the energy and if that process can be contained or stopped if the energy can not. Which brings us to the idea of Bandwidth reduction and Amplitude, Phase, Frequency and Timing changing.

These are all methods of "Control by information Segregation" which have been practiced one way or another since the early days of mankind going hunting, right through to the supposedly still secret[2] Tempest and other EmSec techniques.

By in effect building a wall around the system block using the laws of physics, you can then "mandate an interface" that you can control to allow controlled information to pass in or out of the block.

At the simplest the wall can be "distance", and what crosses the gap in or out can be just a hand written note. That is copied into the keyboard or down from the screen. This then gets further processed by another block in the system.

Thus you can extend communications channels in various ways.

Back during WWII the British developed a high speed "on-line" telex encryptor called Rockex which had two inputs. The first was a cipher stream which was a truly randomly generated set of letters (A-Z) on punched paper tape, and secondly a plain text stream also on punched paper tape of a different colour and other characteristics so the two tapes would not get confused. Importantly, even though this was an OTP encryption system, the plain text was actually ciphertext from the British TypeX cipher machine that was sufficiently similar in the cryptographic mechanics that it could be downgraded to be equivalent to the German Enigma.

Thus the security end points were significantly distanced from the communications end points with a carefully controlled gap crossing by paper tape.

It's a lesson people need to take on board in this modern age where not only do they not own their communications devices, they have no control over them, and the designers of them do not in any realistic manner include security isolation in user communications.

For some reason though, each generation of system designers in the field of consumer markets appears never to have learned the lessons.

Thus if a consumer wants security they will have to build their own system around what are woefully insecure consumer goods and services. It's pointless the consumer trying to understand to any level what happens in those goods and services because they will either be ignored or lied to at some point on the claim of "business edge" or "Intellectual Property" or some such, that is the same as the official "no comment" or "we can neither confirm or deny".

Which means realistically the consumer has to "mitigate" after the communications end point of the goods and services made available to them.

Which for most means using "off consumer device" technology as these days you have to consider all consumer devices to be "bugged" by those who design or build them, so they can "data rape" to a higher profit. Thus everything you do on those consumer devices becomes a "business record" which can be bought, sold or grabbed by NSL or whatever is the favourite way these days by those who see themselves as above the ordinary taxpaying, voting and thus law abiding citizen.

Which leaves the question of what "off consumer device" options are open to the ordinary citizen.

Well a few technically competent individuals might make their own security devices, but that's just a tiny fraction of the population, when you consider what "technically competent" actually means in the security domain. There are open source designs out there that do get mentioned on this blog and other places. But the reality is take up of such designs is pitifully low.

Which might be considered odd, because history shows that most people with sufficient practice, and regard for their own skin can use secure paper and pencil ciphers or codes. Further that there are not too difficult ways for them to make such ciphers and codes.

At which point you will probably discover the average citizen does not want to go through the effort to be secure...

And realistically that's the bottom line: people only want what they see as "easy" security, and the limit on that is "download an app"; it does not matter which app, thus one with a "cool" name/graphics/options/etc. or more prosaically "what all their friends use".

[1] Masking, or as it's sometimes also called "Whitening", is the process of "raising the noise floor" such that all an attacker sees is noise, not a signal. The problem is "generating the noise", because if it's not truly random it can be correlated and thus removed, and the information leak that you were trying to hide becomes clearly visible again. In fact the whitening signal can make things worse because it can give away internal state information that can make exploiting the information leak considerably easier...

[2] It's kind of hard to keep the laws of physics secret; most first and second world children get taught them whilst in teenage or earlier classes. What those wishing to keep EmSec techniques secret work on is the difference between information and knowledge. In effect the laws of physics are information; it's only as you think about how to apply them that they become knowledge. Sometimes you get forced to think about them: the flip side of energy carrying information is the energy also causing harmful interference, hence as device density increases harmful energy leakage becomes a real nuisance which has to be dealt with, hence ElectroMagnetic Compliance (EMC) directives and legislation. Thus many people not signed to secrecy do get around to thinking and creating "Open Knowledge". Thus things like the allegedly secret "TEMPEST Design Rules" for engineers and technicians become less and less secret with time and, as with all things, are fairly quickly surpassed with the aid of new technology.
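The pattern described in the two Clive Robinson comments above (encrypt off the device with a paper-and-pencil style one-time pad, type only ciphertext letters into the messaging app, and, as with the Rockex key tape, consume each piece of key exactly once) can be modelled in a few lines. The code below is an added illustration written for this page; it is not from the comment thread, from WhatsApp, Signal or any other product named here, and it deliberately omits the inner TypeX layer that Rockex fed into its OTP. It assumes a letters-only alphabet A-Z, that the OS CSPRNG (`secrets`) is an acceptable stand-in for a truly random key tape, and that both parties hold identical tapes; the message and key letters are constructed sample values. The `letter_difference` helper shows the failure mode that the "never use more than once" rule guards against: with a reused key, the difference between two ciphertexts equals the difference between the two plaintexts, with the key cancelled out.

```python
"""Letters-only one-time pad with a single-use key tape (added example)."""
import secrets
import string

ALPHABET = string.ascii_uppercase  # assumption: pad covers A-Z only


def generate_key_tape(length: int) -> str:
    """Random key letters from the OS CSPRNG (stand-in for a real random tape)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def normalise(text: str) -> str:
    """Keep only letters, upper-cased: the only symbols this pad can carry."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


class KeyTape:
    """A one-use key tape: letters handed out are removed, never handed out again."""

    def __init__(self, letters: str) -> None:
        self._letters = list(normalise(letters))

    def take(self, n: int) -> str:
        if n > len(self._letters):
            raise ValueError("key tape exhausted: never reuse pad material")
        used, self._letters = self._letters[:n], self._letters[n:]
        return "".join(used)

    def remaining(self) -> int:
        return len(self._letters)


def encrypt(plaintext: str, key: str) -> str:
    """c = (p + k) mod 26 for each letter; key must be at least message length."""
    msg = normalise(plaintext)
    if len(key) < len(msg):
        raise ValueError("key shorter than message")
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % 26]
                   for p, k in zip(msg, key))


def decrypt(ciphertext: str, key: str) -> str:
    """p = (c - k) mod 26 for each letter."""
    ct = normalise(ciphertext)
    if len(key) < len(ct):
        raise ValueError("key shorter than message")
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
                   for c, k in zip(ct, key))


def letter_difference(a: str, b: str) -> str:
    """(a - b) mod 26 letter by letter.  For two ciphertexts made with the same
    key this equals the difference of the two plaintexts: the key cancels out,
    which is exactly why a pad must never be reused."""
    return "".join(ALPHABET[(ALPHABET.index(x) - ALPHABET.index(y)) % 26]
                   for x, y in zip(normalise(a), normalise(b)))


def send_over_app(plaintext: str, tape: KeyTape) -> str:
    """Sender side of the gap: encrypt off-device, consume key, return the only
    string that would ever be typed into the messaging app."""
    msg = normalise(plaintext)
    return encrypt(msg, tape.take(len(msg)))


def receive_from_app(ciphertext: str, tape: KeyTape) -> str:
    """Receiver side: copy the ciphertext letters out of the app, consume the
    same number of key letters from the matching tape, decrypt off-device."""
    ct = normalise(ciphertext)
    return decrypt(ct, tape.take(len(ct)))


if __name__ == "__main__":
    # Constructed demo: both parties hold an identical tape.
    shared = generate_key_tape(64)
    alice, bob = KeyTape(shared), KeyTape(shared)
    wire = send_over_app("meet at the usual place", alice)
    print("typed into app :", wire)
    print("decrypted      :", receive_from_app(wire, bob))
    print("key letters left:", alice.remaining(), bob.remaining())
```

The two tapes stay in step because each side removes exactly as many letters as the message is long; once `take` raises, the correct response is a fresh tape, not reuse. Everything that passes through the app is uniformly distributed letters, so the app, the OS and the carrier only ever see ciphertext, while traffic analysis (who talked to whom, when, how much) remains visible, as the comments note.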


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.