Cyber security specialists respond to WhatsApp messaging service hacking episode

As reported in the national media last week, Facebook recently revealed that a major vulnerability had been discovered in its hugely popular messaging service WhatsApp. According to The Financial Times, the vulnerability had been open for weeks, allowing hackers to inject spyware into mobile phones just by calling their intended targets. Apparently, malicious code could be transmitted even if users didn’t answer their phones, while the calls themselves often disappeared from call logs.

The Financial Times reported: “Within minutes of missed calls, phones start revealing encrypted content, which could be mirrored on a computer screen halfway across the world. Affected phones then transmit intimate details such as private messages and location.” It was reported that the hacking episode even turned on phones’ cameras and microphones with a view to listening-in on private calls.

A statement from WhatsApp at the time said: “The attack has all the hallmarks of a private company reportedly that works with Governments to deliver spyware that takes over the functions of mobile phone operating systems.”

All end users of the free messaging and Voice-over-IP service (which allows users to send text messages, images, documents and other media, as well as place voice and video calls) were urged to update their app immediately.

As of July 2018, WhatsApp had more than 1.5 billion users spanning over 180 countries. These statistics render the service the most popular messaging app worldwide.

Reaction from the security industry

Several companies operating in the cyber security arena have come forward to offer their views on the matter.

Bob Rudis, chief data scientist at Rapid7, commented: “Unless they did manage to compromise their selected targets and achieve their mission objectives, I suspect this is something of a big ‘oops’ on the part of the attackers. It was a fairly quick response by Facebook. It’s likely that the attackers didn’t intend to be discovered at all, let alone so quickly. This means they ‘burned’ the exploit (ie wasted a valuable exploit on a campaign) since it became widely known, received lots of attention and was patched by users pretty quickly. These exploits tend not to be cheap so unless they really did gain access to their intended victims and find whatever they were looking for, this was a potentially big fail on their part. With a 1.5 billion user base, there will likely be plenty of vulnerable installs out there for quite some time, but it’ll be risky to try this particular exploit again.”

Rudis added: “This is a good reminder for people to ensure they regularly update the operating system on their mobile devices and make certain that all applications which fall into the ‘communication’ category (send/receive text/video/audio messages) are also updated immediately whenever there’s a new version available. Those organisations involved in politically or professionally sensitive operations should invest in mobile device management solutions that enable them to quickly deploy updates when they’re available and also actively encourage their users to only use their managed devices for sensitive communications.”

Javvad Malik, security awareness advocate at KnowBe4, informed Risk Xtra: “Cyber criminals or state actors will typically follow the users. With WhatsApp being such a popular communication tool around the world, it’s no surprise that it would make such an appealing target. It doesn’t appear as if masses of users were victims of this attack. Rather, the vulnerability seems to have been exploited to infect specific individuals in a more targeted attack.”

Malik went on to state: “The worrying thing about this attack was that it needed no interaction from the victim. A WhatsApp phone call would infect the user, even if they didn’t answer it. While there’s not much the average user can do in this situation, for high-profile individuals, or those working with sensitive information, it becomes important to evaluate downloaded apps, and indeed the functionality of a smart phone as a whole. Flaws can exist in every software, but kudos to the WhatsApp team for its rapid turnaround and the swift release of a fix.”

Buffer overflow-style attack

Daniel Follenfant, senior manager for penetration testing and consulting services at NTT Security, observed: “The hacking of WhatsApp’s messaging service is a classic example of a buffer overflow attack. Buffer overflows are not new, but you don’t often see them these days and this attack is particularly clever because it uses this flaw to gain access to a phone without the user even answering. In their simplest form, buffer overflows are a way of writing code to an area of the application in memory that will then be executed. The WhatsApp exploitation resonates the classic, but more sophisticated buffer flow attack. To carry this out, the attacker had to deceive the receiver by making a call and then send the sending packets of data during the process of the call. Once the packet transfers are complete, the packet execution forces WhatsApp’s internal buffer to overflow, overwriting the app’s security and allowing surveillance capability on encrypted chats, eavesdropping on calls and microphones and control of the camera.”

Follenfant continued: “There is nothing you can do about this. It’s a design flaw. WhatsApp has quickly addressed the problem by releasing a patch for applications already running and the new versions do not appear to be susceptible. Our advice to users is to check that they’re not running a susceptible application by checking the version number running. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348 and WhatsApp for Tizen prior to v2.18.15. If you’re unable to locate the version or are worried then back-up your messages, completely remove WhatsApp and reinstall from the latest version on the relevant App Store.”

Ubiquitous messaging platform

Carbon Black’s chief cyber security officer, Tom Kellermann, explained: “With approximately 1.5 billion users, WhatsApp is one of the most ubiquitous messaging platforms in the world. Attackers are notorious for remotely installing malicious code by taking advantage of software vulnerabilities. In this case, hackers appeared to have installed surveillance software. If you consider how widely used WhatsApp is, this attack is extremely concerning. Encrypted messaging is not bulletproof. Anyone with WhatsApp installed should upgrade to the latest version of the app as well as update their mobile operating systems. This includes both iPhone and Android users. It will be interesting to see how long this vulnerability was being exploited. Modern attackers are quite adept at flying under the radar and, if a proper security tool for visibility isn’t in place, attackers can run wild across the enterprise.”

Colin Tankard, managing director of data security firm Digital Pathways, highlighted: “The WhatsApp hack is very similar to the Stuxnet worm, which was first uncovered in 2010. The WhatsApp episode seems to allow spy software to attach itself to phones via the call function. It was spread by an advanced cyber actor which infected mobile phones via a vulnerability in the app. The Stuxnet worm targeted SCADA systems and was thought to be responsible for causing substantial damage to Iran’s nuclear programme. It was believed to have been developed jointly by both America and Israel, though neither admitted this. The malware was leaked out into the public arena and caused major damage. The WhatsApp hack seems to me to be another of the Stuxnet type of event. While it was supposedly developed only for Government agencies, as was the Stuxnet hack, it somehow leaked out to the rest of us.”

Tankard added: “These hacks are very hard to detect. The only real chance you have is to employ Advanced Threat Detection software. This will flag up any ‘unusual behaviour’ and immediately stop it, giving the organisation time to review and understand what the attack was and how to solve it. We would urge everyone to take WhatsApp’s advice and update the app immediately.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
