SoylentNews is people

posted by Fnord666 on Tuesday May 14 2019, @06:06PM
from the ring-ring-malware-calling dept.

A WhatsApp Call Can Hack a Phone: Zero-Day Exploit Infects Mobiles with Spyware:

A security flaw in WhatsApp can be, and has been, exploited to inject spyware into victims' smartphones: all a snoop needs to do is make a booby-trapped voice call to a target's number, and they're in. The victim doesn't need to do a thing other than leave their phone on.

The Facebook-owned software suffers from a classic buffer overflow weakness. This means a successful hacker can hijack the application to run malicious code that pores over encrypted chats, eavesdrops on calls, turns on the microphone and camera, accesses photos, contacts, and other information on a handheld, and potentially further compromises the device. Call logs can be altered, too, to hide the method of infection.

To pull off this intrusion, the attacker has to carefully manipulate packets of data sent during the process of starting a voice call with a victim; when these packets are received by the target's smartphone, an internal buffer within WhatsApp is forced to overflow, overwriting other parts of the app's memory and leading to the snoop commandeering the chat application.

Engineers at Facebook scrambled over the weekend to patch the hole, designated CVE-2019-3568, and freshly secured versions of WhatsApp were pushed out to users on Monday. If your phone offers to update WhatsApp for you, do it, or check for new versions manually. The vulnerability is present in the Google Android, Apple iOS, and Microsoft Windows Phone builds of the app, which is used by 1.5 billion people globally.

"A buffer overflow vulnerability in WhatsApp VoIP [voice over IP] stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number," said Facebook in an advisory on Monday.

"The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15."

[...] Pegasus, once installed on a victim's device, can record phone calls, open messages, activate the phone's camera and microphone for further surveillance, and relay back location data. While NSO claims it carefully vets its customers, the malware has been found on the phones of journalists, human rights campaigners, lawyers, and others.

Also at: Ars Technica, Facebook.
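
The story says only that crafted SRTCP packets overflow a buffer in the VoIP stack, so the following is an added illustration, not WhatsApp's code and not a reconstruction of CVE-2019-3568: the bounds checks a receiver applies to RTCP framing (RFC 3550, the format that SRTCP protects) before copying a packet body into a fixed-size buffer. The struct, the 64-byte capacity, the function names and the sample packets are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_BODY 64  /* capacity of the fixed internal buffer (assumed value) */
struct report { uint8_t type; size_t len; uint8_t body[MAX_BODY]; };

/* Parse one RTCP packet at buf[0..avail). Returns bytes consumed, or -1 if rejected. */
static long parse_rtcp(const uint8_t *buf, size_t avail, struct report *out)
{
    if (avail < 4) return -1;                 /* fixed header is 4 bytes */
    if ((buf[0] >> 6) != 2) return -1;        /* RTP/RTCP version must be 2 */
    /* Length field is sender-controlled: 32-bit words minus one, header included. */
    size_t total = ((size_t)((buf[2] << 8) | buf[3]) + 1) * 4;
    if (total > avail) return -1;             /* claims more bytes than were received */
    if (total - 4 > sizeof out->body) return -1;  /* would not fit the fixed buffer */
    out->type = buf[1];
    out->len = total - 4;
    memcpy(out->body, buf + 4, out->len);     /* safe: both bounds checked above */
    return (long)total;
}

/* Walk a compound datagram. Returns packets accepted, or -1 if any part is rejected. */
int parse_compound(const uint8_t *dgram, size_t len, struct report *out, int max)
{
    int n = 0;
    size_t off = 0;
    while (off < len) {
        if (n == max) return -1;              /* more packets than output slots */
        long used = parse_rtcp(dgram + off, len - off, &out[n]);
        if (used < 0) return -1;              /* drop the whole datagram on any error */
        off += (size_t)used;
        n++;
    }
    return n;
}

/* Constructed samples: well-formed; length field lies (1024 > 8); body of 68 > MAX_BODY. */
static const uint8_t GOOD[]  = {0x80, 200, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef};
static const uint8_t LYING[] = {0x80, 200, 0x00, 0xff, 0xde, 0xad, 0xbe, 0xef};
static const uint8_t BIG[72] = {0x80, 200, 0x00, 17};

int accepted(const uint8_t *d, size_t n) { struct report r[4]; return parse_compound(d, n, r, 4); }

int main(void)
{
    return !(accepted(GOOD, sizeof GOOD) == 1 && accepted(LYING, sizeof LYING) == -1
             && accepted(BIG, sizeof BIG) == -1);
}
```

Both length checks are needed: the first stops reads past the received datagram, the second stops writes past the destination buffer.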



Related Stories

Israeli Firm NSO Linked to WhatsApp Hack, Faces Lawsuit Backed by Amnesty International

Israeli firm linked to WhatsApp spyware attack faces lawsuit

The Israeli firm linked to this week's WhatsApp hack is facing a lawsuit backed by Amnesty International, which says it fears its staff may be under surveillance from spyware installed via the messaging service.

The human rights group's concerns are detailed in a lawsuit filed in Israel by about 50 members and supporters of Amnesty International Israel and others from the human rights community. It has called on the country's ministry of defence to ban the export of NSO's Pegasus software, which can covertly take control of a mobile phone, copy its data and turn on the microphone for surveillance.

An affidavit from Amnesty is at the heart of the case, and concludes that "staff of Amnesty International have an ongoing and well-founded fear they may continue to be targeted and ultimately surveilled" after a hacking attempt last year.

NSO Group, founded in 2010, supplies industry-leading surveillance software to governments that it says is for tackling terrorism and serious crime, and has been licensed to dozens of countries including Saudi Arabia, Mexico, Bahrain and the UAE.

But there have been a string of complaints in the past few months, documented largely by the Toronto-based Citizen Lab, that the technology has been used to target human rights groups, activists and journalists by several countries – and that there has been no attempt to rein it in.

See also: After WhatsApp hack, NSO faces scrutiny from Facebook and UK public pension fund
WhatsApp's security breach: Made in Israel, implemented worldwide
WhatsApp Rushes to Fix Security Flaw Exposed in Hacking of Lawyer's Phone

Previously: A WhatsApp Call Can Hack a Phone: Zero-Day Exploit Infects Mobiles with Spyware

Related: Israeli Spy Tech Company Allegedly Cracks WhatsApp Encryption (2016)
Former NSO Employee Arrested After Attempting to Sell Spyware for $50 Million
Agents Target Researchers who Reported Software that Spied on Jamal Khashoggi before his Death



This discussion has been archived. No new comments can be posted.
  • (Score: 2) by sshelton76 on Tuesday May 14 2019, @06:30PM (7 children)

    by sshelton76 (7978) on Tuesday May 14 2019, @06:30PM (#843526)

    Reasonably certain this vulnerability is not only WhatsApp. It's clear from the description that it's in the SRTCP handling stack that they use. My understanding is that WhatsApp and Signal both use the same stack here. Has anybody checked other messaging apps?

    • (Score: 2) by sshelton76 on Tuesday May 14 2019, @06:42PM (6 children)

      by sshelton76 (7978) on Tuesday May 14 2019, @06:42PM (#843532)

      Ugh, ignore the above comment. This is in fact just a WhatsApp vulnerability, at the app layer a buffer can overflow leading to take over.

      I think we need to start licensing developers who plan to write code in languages that can contain buffer overflows and other nastiness, because this security hole just seems idiotic. A simple bounds check seems to be too much to ask nowadays.

      • (Score: 2) by Hyperturtle on Tuesday May 14 2019, @07:17PM (5 children)

        by Hyperturtle (2824) on Tuesday May 14 2019, @07:17PM (#843543)

        Licensing developers?

        That... uh... doesn't really go with the "outsource to another country because they are cheaper" business model of raising profits by laying off the expensive certified people.

        If you want to certify or license developers, then you're going to need to also enforce/mandate that the customer market the buggy applications are intended for are also the same pool that the developers are drawn from. Otherwise, you'll get paper certs from braindumps, overseas, just like what happened to MCSE and other credentials, where few skills are provided or utilized despite so many answer sheets being memorized to be eligible for the outsourced job at the farm.

        Anyway, these problems exist because uh.... remind me again why it takes an outside firm to draw attention to internal design problems? Oh right, because what we REALLY need is some sort of internal auditing program where they actually do more than a hand wave when it comes to security.

        But licensed/certified security people that can do more than run scripts and mindlessly tell you to fix the results are really expensive to validate their skills and then retain them for employment like they did for the developers before, and so... oh wait...

        Anyway, I agree with you 100% I just don't think the executives do as well.

        • (Score: 3, Interesting) by sshelton76 on Tuesday May 14 2019, @07:58PM (4 children)

          by sshelton76 (7978) on Tuesday May 14 2019, @07:58PM (#843560)

          We license Civil Engineers and they are directly liable for mistakes. In most states they are required to carry Errors and Omissions insurance just in case they make a mistake that would have been avoidable in hindsight but was overlooked. Even with O&E, an engineer can lose their license to practice if they are just plain sloppy.

          Practicing engineering without being properly licensed is a felony in many states.

          I think it's high time we start requiring the same thing here for software engineers. If you write code and it costs someone money somewhere down the line due to failure to follow well known best practices you're liable, your company is liable and the entire C-Suite is liable.

          I would carve out an exception for open source projects and developers, but never, ever waive that exception for companies that use/incorporate the code. They can hire a professionally licensed software engineer to sign off on it, or bear all liability from bad code and the fall out from such. Now keep in mind, I'm not talking about "failed to use optimal algorithms", or some other subjective measure. But failure to follow best practices should be prosecutable as a felony at this point and the excuse that "we farmed it out to the lowest bidder in India", should cause an aggravating enhancement for the CEO of the company that signed off on the idea.

          I'll bet we could increase the quality of code globally if we banded together and pushed our congresscritters to pass it.
          On the other hand, it might result in a lack of disclosure, a lot of finger pointing and an increase in 0 days as companies refuse to accept any responsibility for anything and try to duke it out in the courts. But it was a nice fantasy.

          • (Score: 0) by Anonymous Coward on Tuesday May 14 2019, @08:24PM (2 children)

            by Anonymous Coward on Tuesday May 14 2019, @08:24PM (#843574)

            We license Civil Engineers

            "We" being the operative word. There is a whole world outside of 'Murrica that does not license engineers. License does not mean the person knows their field, it just hides the fact that they might not know their field. Reputation and track record is the best judge of all.

            In the case of Facebook, their track record is beyond hopeless.

            • (Score: 1, Informative) by Anonymous Coward on Tuesday May 14 2019, @08:48PM (1 child)

              by Anonymous Coward on Tuesday May 14 2019, @08:48PM (#843584)

              Reputation and track record is the best judge of all

              Yeah, but an official recognized qualification shows that the candidate has completed a recognized course of study and can be expected to not kill a patient immediately, vs the bigmouth off the street who claims he taught himself medicine off the internet.

              • (Score: 1) by Only_Mortal on Wednesday May 15 2019, @02:43PM

                by Only_Mortal (7122) on Wednesday May 15 2019, @02:43PM (#843837)

                It's not like medicine is brain surgery. Oh hang on...

          • (Score: 2) by c0lo on Tuesday May 14 2019, @09:17PM

            by c0lo (156) Subscriber Badge on Tuesday May 14 2019, @09:17PM (#843592) Journal

            If you write code and it costs someone money somewhere down the line due to failure to follow well known best practices you're liable, your company is liable and the entire C-Suite is liable.

            I see... You hate Agile and its guts with passion. Can't say I blame you.

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 0) by Anonymous Coward on Tuesday May 14 2019, @06:46PM (2 children)

    by Anonymous Coward on Tuesday May 14 2019, @06:46PM (#843533)

    Well, at least this vulnerability can't be blamed on Facebook like all of the recent episodes of data "leakage". What? Facebook owns WhatsApp? Really? What are the chances?

    • (Score: 2) by ikanreed on Tuesday May 14 2019, @07:25PM (1 child)

      by ikanreed (3164) Subscriber Badge on Tuesday May 14 2019, @07:25PM (#843547) Journal

      You say that like other tech companies don't suck ass at basic security when it's at odds with making gobs of money.

      • (Score: 0) by Anonymous Coward on Tuesday May 14 2019, @07:33PM

        by Anonymous Coward on Tuesday May 14 2019, @07:33PM (#843551)

        Another AC here.

        This wasn't for making lots of money. It was a honeypot so that people around the world who have legitimate things to hide can be exposed.

  • (Score: -1, Troll) by Anonymous Coward on Tuesday May 14 2019, @07:31PM

    by Anonymous Coward on Tuesday May 14 2019, @07:31PM (#843550)

    Khazar jews are running a coordinated system to infiltrate people's computers and phones, extract data and install malware. They are an evil race and are not ashamed about it. But they try to hide in the shadows so they can commit their crimes. Expose them and they run away like rats from underneath a carpet. Those gutter-born creatures are afraid of being found out.

    A phone program called Whatsapp is being compromised by a program nemed Pegasus. Both are made and fully controlled by khazar jews. What are the chances this is a random occurrence? Similarly, Intel processors are compromised from the design stage.

    This was coordinated by the two companies: Facebook and NSO (in khazar-controlled israel).

  • (Score: 1, Interesting) by Anonymous Coward on Tuesday May 14 2019, @11:36PM

    by Anonymous Coward on Tuesday May 14 2019, @11:36PM (#843640)

    Never mind, they hung up.

  • (Score: 2) by dltaylor on Wednesday May 15 2019, @09:21AM

    by dltaylor (4693) on Wednesday May 15 2019, @09:21AM (#843746)

    Is the proper mechanism to back up your apps and data, full factory reset the device, then restore apps and data, or is the phone permanently compromised, as well as the backups?

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 15 2019, @12:39PM

    by Anonymous Coward on Wednesday May 15 2019, @12:39PM (#843800)

    We can see what it can do, but is it the same access which WhatsApp already has, or is it more, or even persistent i.e. if you uninstall WhatsApp, the spyware remains?

    I thought Android is supposed to be good at compartmentalising apps. If the spyware remains after removing WhatsApp, then doesn't this expose an issue in the underlying OS as well?

    If Android has segregated the app sufficiently including the spyware payload which remains within the WhatsApp compartment, then uninstalling WhatsApp and deleting its local data, then installing a known clean copy should be sufficient to clean the device.
