[BreachExchange] A serious hack hit WhatsApp. You should update your app right now

Destry Winant destry at riskbasedsecurity.com
Tue May 14 09:11:16 EDT 2019


https://www.wired.co.uk/article/whats-app-hacked

WhatsApp's default end-to-end encryption is one of Facebook's biggest
security assets – but even this doesn't help when the app itself is
attacked. Mark Zuckerberg's company has found a sophisticated
cyberattack has been used to exploit a weakness in the messaging app
that's used by more than 1.5 billion people worldwide.

In early May security engineers at the company found a software flaw
in the audio call function of WhatsApp. The issue meant that phone
calls made to both Android and iPhone versions of WhatsApp could allow
malicious software, which conducts surveillance on a user's behaviour,
to be installed.

Bugs in software crop up all the time, but this is different. What
makes this case particularly alarming is that WhatsApp believes it is
more than just a coding mistake within its app: the security
vulnerability appears to have been actively exploited and used as a
method of surveillance.

“This attack has all the hallmarks of a private company known to work
with governments to deliver spyware that reportedly takes over the
functions of mobile phone operating systems,” a WhatsApp spokesperson
said in a statement. The Financial Times, which first broke the story,
says the software comes from Israeli firm NSO Group. The company is
well-known for creating phone hacking technology.

It is reported that a London-based lawyer behind lawsuits against NSO,
Mexican journalists and activists, a Saudi dissident, and a Qatari
citizen had spyware installed on their phones using the method. It is
unknown who carried out the attack. An NSO spokesperson said its
technology is used by intelligence and law enforcement agencies around
the world and the company itself "would not, or could not, use its
technology in its own right to target any person or organisation."

“We have briefed a number of human rights organisations to share the
information we can, and to work with them to notify civil society,” a
WhatsApp spokesperson said. At this stage of its internal
investigation the company has not revealed how many people may have
been impacted. Because the attack is aimed at individual phone
numbers, it is likely that it was used to target specific
individuals rather than as an indiscriminate attack en masse.

However, installing spyware on phones is highly intrusive, and even if
it was successful in only a small number of cases it is likely to have
provided an attacker with huge amounts of information. Spyware can
record and access everything that is done on a mobile phone before
sending the data back to the attacker. Because spyware operates on
the handset itself, it is able to see end-to-end encrypted messages,
such as those sent through WhatsApp, as it has direct access to what
is happening on the device.

WhatsApp says its engineers have been working solidly to fix the flaw
since it was discovered. It has detailed the issue in a short security
posting, which says the vulnerability in its VoIP calling software
allowed code to be remotely executed on a device. The attack could
succeed even if the calls made to a phone were not answered.

How to update WhatsApp to the latest version

So what can you do? The most important step you can take to make sure
your phone can't be compromised through this WhatsApp attack is to
update the version of the app that's running on your device.

Facebook has released an updated version of its app for Android and
iOS – it will stop the attack from being run and disable it if it has
already been executed. The company says Android versions of its app
before v2.19.134 were impacted and iOS versions before v2.19.51 could
be exploited. The attack also worked on Windows Phone and Tizen
versions of WhatsApp.
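To turn the version thresholds above into a fleet check, here is an added example (written for this post, not code from WhatsApp or WIRED) that compares an installed build against the fixed versions the article names. It compares version parts numerically rather than as strings, so "2.19.99" is correctly seen as older than "2.19.134". Windows Phone and Tizen are reported affected but the article gives no fixed version for them, so they are reported as "unknown" instead of guessed. The device inventory is constructed sample data.

```python
from typing import List, Optional, Tuple

# Earliest fixed versions reported in the article, keyed by platform.
FIXED_VERSIONS = {"android": "2.19.134", "ios": "2.19.51"}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'v2.19.134' or '2.19.134' into (2, 19, 134); None if malformed."""
    text = text.strip().lower()
    if text.startswith("v"):
        text = text[1:]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, installed: str) -> Optional[bool]:
    """True if installed < fixed version for the platform.

    Returns None when the platform has no known fixed version or the
    version string is malformed, so callers can report 'unknown'
    separately from 'patched' instead of silently passing the device.
    """
    fixed = FIXED_VERSIONS.get(platform.strip().lower())
    cur = parse_version(installed)
    if fixed is None or cur is None:
        return None
    ref = parse_version(fixed)
    # Pad to equal length so '2.19' compares as (2, 19, 0), not as a prefix.
    n = max(len(cur), len(ref))
    return cur + (0,) * (n - len(cur)) < ref + (0,) * (n - len(ref))


def triage(inventory: List[Tuple[str, str, str]]) -> Tuple[List[str], List[str]]:
    """Split (device, platform, version) rows into needs-update and unknown."""
    needs_update, unknown = [], []
    for device, platform, version in inventory:
        verdict = is_vulnerable(platform, version)
        if verdict is None:
            unknown.append(device)
        elif verdict:
            needs_update.append(device)
    return needs_update, unknown


if __name__ == "__main__":
    sample = [("phone-a", "android", "v2.19.99"), ("phone-b", "ios", "2.19.51"),
              ("phone-c", "tizen", "2.19.1"), ("phone-d", "android", "2.19.x")]
    print(triage(sample))  # (['phone-a'], ['phone-c', 'phone-d'])
```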

On Android to update WhatsApp you need to visit the Play Store, tap
menu, enter the apps and games section then select the update option
next to the app. Similarly on an iPhone or iPad, visit Apple's App
Store, go into the updates section and then tap next to the WhatsApp
icon to get the latest version of the app. It's a simple fix that will
take a few minutes to download and while you are in the app stores,
make sure to update any other apps that have new versions.

While it won't do anything to protect against this attack, there are
some other basic WhatsApp security settings that can be adjusted to
help keep your account more secure. WhatsApp gives the option of
allowing conversation back-ups to the cloud service of your choice –
iCloud and Google Drive are options. While these may be useful for
looking back at your old messages in the future, they don't have the
same protection as the end-to-end encrypted versions of the messages.

Chat logs stored on cloud services are still encrypted but because
they're being stored by external companies, it's possible for police
or law enforcement agencies to request copies of the data from the
third-party hosts. It's possible they could then be decrypted.
Investigators in the US Mueller inquiry used the method to access chat
logs. Back-ups can be turned off in WhatsApp's settings.

It's also possible to use two-factor authentication on WhatsApp.
Turning the setting on will periodically require you to enter a
verification code, which is set by the user, before you can access
chats in WhatsApp. Although it won't stop spyware from getting at the
information on your device, two-factor authentication can help to stop
your WhatsApp chats from being accessed if your phone is stolen or lost.
