Posted by Maendeleo Vijijini
Hackers were able to remotely install surveillance software
on phones and other devices using a major vulnerability in messaging app
WhatsApp, it has been confirmed.
WhatsApp, which is owned by Facebook, said the attack
targeted a "select number" of users, and was orchestrated by "an
advanced cyber actor".
A fix was rolled out on Friday.
On Monday, WhatsApp urged all of its 1.5 billion users to
update their apps as an added precaution.
The attack was developed by Israeli security firm NSO Group,
according to a report in the Financial Times.
The problem was first discovered earlier in May.
WhatsApp promotes itself as a "secure"
communications app because messages are end-to-end encrypted, meaning they
should only be displayed in a legible form on the sender or recipient's device.
However, the surveillance software would have let an
attacker read the messages on the target's device.
"Journalists, lawyers, activists and human rights
defenders" are most likely to have been targeted, said Ahmed Zidan from
the non-profit Committee to Protect Journalists.
How was the security flaw used?
It involved attackers using WhatsApp's voice calling
function to ring a target's device. Even if the call was not picked up, the
surveillance software would be installed, and, the FT reported, the call would
often disappear from the device's call log.
WhatsApp told the BBC its security team was the first to
identify the flaw, and shared that information with human rights groups,
selected security vendors and the US Department of Justice earlier this month.
"The attack has all the hallmarks of a private company
reportedly that works with governments to deliver spyware that takes over the
functions of mobile phone operating systems," the company said on Monday in a
briefing document note for journalists.
The firm also published an advisory to security specialists,
in which it described the flaw as: "A buffer overflow vulnerability in
WhatsApp VOIP [voice over internet protocol] stack allowed remote code
execution via specially crafted series of SRTCP [secure real-time transport
protocol] packets sent to a target phone number."
Prof Alan Woodward from the University of Surrey said it was
a "pretty old-fashioned" method of attack.
"In a buffer overflow, an app is allocated more memory
than it actually needs, so it has space left in the memory. If you are able to
pass some code through the app, you can run your own code in that area,"
he explained.
"In VOIP there is an initial process that dials up and
establishes the call, and the flaw was in that bit. Consequently you did not
need to answer the call for the attack to work."
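The advisory names the bug class and the packet type but not the faulty code, so the following is an added illustration and not WhatsApp's code: a C routine that walks RTCP-framed packets (RFC 3550 header layout) and rejects any whose sender-supplied length field exceeds either the bytes actually received or the fixed destination buffer. The function names, PAYLOAD_MAX and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RTCP_HDR_LEN 4   /* V/P/RC byte, packet type, 16-bit length */
#define PAYLOAD_MAX  64  /* assumed size of the receiver's fixed buffer */

/* Constructed samples: two well-formed packets, then one whose length
 * field (0xFFFF words) claims far more data than was actually sent. */
const uint8_t SAMPLE_OK[]  = {0x80, 200, 0, 1, 1, 2, 3, 4,
                              0x80, 201, 0, 1, 5, 6, 7, 8};
const uint8_t SAMPLE_BAD[] = {0x80, 200, 0xFF, 0xFF, 1, 2, 3, 4};

/* Copy the body of the packet at buf[off] into out. Returns the offset of
 * the next packet, or -1 if malformed. The unchecked form would trust the
 * sender: memcpy(out, p + 4, declared_len), writing past `out` whenever
 * declared_len exceeds PAYLOAD_MAX. */
long rtcp_copy_body(const uint8_t *buf, size_t len, size_t off,
                    uint8_t out[PAYLOAD_MAX], size_t *out_len)
{
    if (off > len || len - off < RTCP_HDR_LEN) return -1; /* truncated header */
    const uint8_t *p = buf + off;
    if ((p[0] >> 6) != 2) return -1;            /* version must be 2 */
    /* Length field: 32-bit words minus one, header included (RFC 3550). */
    size_t total = ((size_t)((p[2] << 8) | p[3]) + 1) * 4;
    if (total > len - off) return -1;           /* claims more than received */
    size_t body = total - RTCP_HDR_LEN;
    if (body > PAYLOAD_MAX) return -1;          /* would overflow `out` */
    memcpy(out, p + RTCP_HDR_LEN, body);
    *out_len = body;
    return (long)(off + total);
}

/* Walk a compound packet; return the sub-packet count, or -1 if any is bad. */
int rtcp_walk(const uint8_t *buf, size_t len)
{
    uint8_t body[PAYLOAD_MAX];
    size_t body_len, off = 0;
    int count = 0;
    while (off < len) {
        long next = rtcp_copy_body(buf, len, off, body, &body_len);
        if (next < 0) return -1;
        off = (size_t)next;
        count++;
    }
    return count;
}
```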
Some users of the app have questioned why the app store
notes associated with the latest update are not explicit about the fix.
Who is behind the software?
The NSO Group is an Israeli company that has been referred
to in the past as a "cyber-arms dealer".
While some cyber-security companies report the flaws they
find so that they can be fixed, others keep problems to themselves so they can
be exploited or sold to law enforcement.
The NSO Group is part-owned by the London-based private
equity firm Novalpina Capital, which acquired a stake in February.
NSO's flagship software, Pegasus, has the ability to collect
intimate data from a target device, including capturing data through the
microphone and camera, and gathering location data.
In a statement, the group said: "NSO's technology is
licensed to authorised government agencies for the sole purpose of fighting
crime and terror.
"The company does not operate the system, and after a
rigorous licensing and vetting process, intelligence and law enforcement
determine how to use the technology to support their public safety missions. We
investigate any credible allegations of misuse and if necessary, we take
action, including shutting down the system.
"Under no circumstances would NSO be involved in the
operating or identifying of targets of its technology, which is solely operated
by intelligence and law enforcement agencies. NSO would not or could not use
its technology in its own right to target any person or organisation."
Who has been targeted?
WhatsApp said it was too early to know how many users had
been affected by the vulnerability, although it added that suspected attacks
were highly-targeted.
Amnesty International - which said it had been targeted by
tools created by the NSO Group in the past - said this attack was one human
rights groups had long feared was possible.
"They're able to infect your phone without you actually
taking an action," said Danna Ingleton, deputy programme director for
Amnesty Tech. She said there was mounting evidence that the tools were being
used by regimes to keep prominent activists and journalists under surveillance.
"There needs to be some accountability for this, it
can't just continue to be a wild west, secretive industry."
On Tuesday, a Tel Aviv court will hear a petition led by
Amnesty International that calls for Israel's Ministry of Defence to revoke the
NSO Group's licence to export its products.
What are the unanswered questions?
How many people were targeted? WhatsApp says it is too early in its investigation to say how many people were targeted, or how long the flaw was present in the app.
Does updating WhatsApp remove the spyware? WhatsApp has not said whether updating to the latest version of the app removes any spyware that has already infected a compromised device.
What could the spyware do? WhatsApp has not said whether the attack could extend beyond the confines of WhatsApp, reaching further into a device and accessing emails, photos and more.
"Using an app as an attack route is limited on iOS as
they run apps in very tightly controlled sandboxes," said Prof Woodward.
"We're all assuming that the attack was just a corruption of WhatsApp but
analysis is still ongoing.
"The nightmare scenario would be if you could get
something much more capable onto the device without the user having to do
anything," he said.
The BBC has asked WhatsApp for clarification.