What’s perhaps most concerning is the ease with which this attack was carried out. The attackers were able to eavesdrop on users’ phones by simply placing a special WhatsApp call to the device. The user didn’t even have to answer it.
First Published 21st May 2019
That feeling when the Israelis ghost you right after texting "I love you".
4 min read | Reflare Research Team
Early last week, media outlets reported that WhatsApp was being targeted by attackers. Since then, more details about the creator of the attack and their motivations for it have surfaced. In this briefing, we will provide you with a summary of the incident and then take a look at an element overlooked in the current coverage - the cost of developing such an attack and what it means for information security.
What happened?
The Financial Times first reported that attackers were able to eavesdrop on users’ phones by simply placing a special WhatsApp call to the device. The user didn’t even have to answer it. Preliminary investigations by both Facebook (the owner of WhatsApp) and media sources revealed that the attack was developed by Israeli surveillance technology company NSO Group. The company was previously best known for its surveillance suite “Pegasus” which it licenses to government agencies. Facebook has since issued a CVE for the vulnerability and has released updates to mitigate it.
What does the CVE say?
The CVE (CVE-2019-3568) is short and worth quoting in its entirety.
Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
In plain language this means that a coding mistake in the part of the application that handles calls at the lowest level allowed attackers to execute arbitrary code. SRTCP is the control-message channel that accompanies the encrypted voice stream (SRTP), and the code that processes it runs as soon as a call is being set up, before the user answers - these are the sort of functions needed to make the phone ring in the first place. The exploit could therefore be delivered without any user interaction and stay completely hidden, which is what media outlets are reporting.
Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
In short, every version of WhatsApp current at the time of disclosure was affected, on all major mobile platforms. Notably, there is no mention of the version of the device's OS or of any requirement for it to be jailbroken. We will return to these points in the next segment.
Buffer overflow vulnerabilities in something as complex as VoIP software are - unfortunately - common. Much of the low-level defensive work in information security over the past decade (stack canaries, non-executable memory, address space layout randomization) has aimed at making exactly this class of bug harder to exploit, not at making it impossible, which is why a working remote exploit of this kind remains a significant achievement.
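To make the class of bug concrete, here is an added illustrative example. It is not WhatsApp's code and not the defect described in the CVE above, and the packet layout, buffer size and function names are assumptions made for the example: a toy parser for an RTCP-style control packet that trusts a length field taken from the wire, placed beside a hardened version of the same parser that checks the claimed length against both the bytes actually received and the destination buffer.

```c
/* Added illustrative example (not WhatsApp's code, not the defect in the CVE
 * above): a toy parser for an RTCP-style control packet that trusts a
 * length field from the wire, beside a hardened version of the same parser.
 * The layout is a simplified stand-in for RTCP (RFC 3550): a 4-byte header
 * whose last two bytes give the packet length in 32-bit words minus one. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RTCP_HDR_LEN      4
#define MAX_REPORT_BYTES  64   /* fixed-size buffer the payload is copied into (assumed) */

typedef struct {
    uint8_t version;
    uint8_t packet_type;
    size_t  payload_len;
    uint8_t payload[MAX_REPORT_BYTES];
} rtcp_report_t;

/* Length field semantics: total packet bytes = (length + 1) * 4,
 * payload bytes = total - header. The value is attacker-controlled. */
size_t claimed_payload_len(const uint8_t *pkt) {
    uint16_t words = (uint16_t)((pkt[2] << 8) | pkt[3]);
    return ((size_t)words + 1) * 4 - RTCP_HDR_LEN;
}

/* VULNERABLE: copies as many bytes as the packet claims. A crafted length
 * makes memcpy write far past out->payload (and read past pkt), which is
 * the shape of bug a buffer overflow exploit builds on. Never call this
 * with untrusted input; it is here only for comparison. */
int parse_report_vulnerable(const uint8_t *pkt, size_t pkt_len, rtcp_report_t *out) {
    if (pkt_len < RTCP_HDR_LEN) return -1;
    out->version     = (uint8_t)(pkt[0] >> 6);
    out->packet_type = pkt[1];
    out->payload_len = claimed_payload_len(pkt);
    memcpy(out->payload, pkt + RTCP_HDR_LEN, out->payload_len); /* no bound check */
    return 0;
}

/* HARDENED: the claimed length must agree with the bytes actually received
 * and must fit the destination buffer before anything is copied. */
int parse_report_hardened(const uint8_t *pkt, size_t pkt_len, rtcp_report_t *out) {
    if (pkt_len < RTCP_HDR_LEN) return -1;
    size_t n = claimed_payload_len(pkt);
    if (n > pkt_len - RTCP_HDR_LEN) return -2; /* claims more than was received */
    if (n > MAX_REPORT_BYTES)       return -3; /* would not fit the buffer */
    out->version     = (uint8_t)(pkt[0] >> 6);
    out->packet_type = pkt[1];
    out->payload_len = n;
    memcpy(out->payload, pkt + RTCP_HDR_LEN, n);
    return 0;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t BENIGN_PKT[8]  = {0x80, 200, 0x00, 0x01, 0xAA, 0xBB, 0xCC, 0xDD};
static const uint8_t CRAFTED_PKT[8] = {0x80, 200, 0xFF, 0xFF, 0x41, 0x41, 0x41, 0x41};

int check_benign_vulnerable(void) { rtcp_report_t r; return parse_report_vulnerable(BENIGN_PKT, sizeof BENIGN_PKT, &r); }
int check_benign_hardened(void)   { rtcp_report_t r; return parse_report_hardened(BENIGN_PKT, sizeof BENIGN_PKT, &r); }
int check_crafted_hardened(void)  { rtcp_report_t r; return parse_report_hardened(CRAFTED_PKT, sizeof CRAFTED_PKT, &r); }

/* A packet whose length agrees with what was received (132 bytes) but whose
 * 128-byte payload still exceeds the 64-byte destination buffer. */
int check_oversized_hardened(void) {
    uint8_t big[132];
    memset(big, 0x41, sizeof big);
    big[0] = 0x80; big[1] = 200; big[2] = 0x00; big[3] = 0x20; /* 32 words -> 132 bytes */
    rtcp_report_t r;
    return parse_report_hardened(big, sizeof big, &r);
}

int main(void) {
    printf("benign, vulnerable parser:  %d\n", check_benign_vulnerable());
    printf("benign, hardened parser:    %d\n", check_benign_hardened());
    printf("crafted packet claims %zu payload bytes in an 8-byte packet\n",
           claimed_payload_len(CRAFTED_PKT));
    printf("crafted, hardened parser:   %d\n", check_crafted_hardened());
    printf("oversized, hardened parser: %d\n", check_oversized_hardened());
    return 0;
}
```

The crafted packet is deliberately never fed to the vulnerable parser in the program: doing so would overrun the stack buffer, which is exactly the condition an attacker turns into code execution. The two checks in the hardened version are independent and both are needed; a length that is consistent with the bytes received can still be larger than the buffer it is copied into.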
Who used the attack?
In theory, NSO Group only sells its products to approved government agencies, which then use the tools as they see fit. A frequently cited example is the capture of Mexican drug kingpin El Chapo, which was reportedly aided by the Pegasus surveillance software. No further details about who used this particular attack are available at this point in time. It is however important to note that government agencies in many countries do not require court approval to perform cyber-attacks against non-citizen suspects, and that any tool used without oversight is prone to abuse. At this moment the most poignant example may be the confirmed targeting of a lawyer litigating against NSO Group. While it is possible that the lawyer in question was targeted by UK law enforcement for reasons unrelated to the case, the fact that NSO's tools were used against one of the company's own legal opponents - whether lawfully or not - raises obvious ethical questions.
The overlooked cost argument
What struck us when researching this case is the immense cost that an exploit of this kind implies. Control gained inside the WhatsApp process alone is lost as soon as the application restarts, yet the surveillance appears to survive such restarts. That leaves two options: either the device is re-infected regularly, or the implant embeds itself permanently in the device itself. Constantly re-infecting devices would require a massive organizational effort and precise timing while incurring a significant risk of detection. Doing so well would require an immense level of organizational structure, skill and money.
However, the alternative would be even more expensive. All major mobile operating systems sandbox applications: each app runs in its own restricted environment and is prevented from accessing other apps' data or the underlying system. The operating system and the installed application binaries are cryptographically signed and verified (code signing, verified boot), so they cannot be modified without detection.
The process of bypassing these safeguards is commonly known as "jailbreaking" (or "rooting" on Android). While some Android devices can enable "root" mode through specific user actions, most other devices don't allow direct system access for the user under any circumstances. Quite complicated exploit chains, usually combining several separate vulnerabilities, are required to circumvent all of the device's protections and gain raw control.
This is where the large number of operating systems and the lack of minimum OS versions come in. If only a small number of older operating systems were supported, the cost of the attack would be relatively low. After all, jailbreak exploits for - for example - iOS 9 are readily available. However, there seem to be no OS version requirements for the attack to work. If this is not an oversight (or purposeful omission) on Facebook's end, it would indicate that NSO Group is in possession of jailbreak exploits, not publicly known, for the newest versions of all major mobile operating systems.
While such vulnerabilities and exploits certainly exist, and while a company specializing in mobile surveillance would be just the kind of company to own them, it is worth considering the cost involved: unknown vulnerabilities that lead to full system access on the latest versions of mobile operating systems can easily cost millions of US dollars each. With a large number of operating systems and versions covered, exploits worth US$50m - US$100m may well be in use.
Of course, there is always a chance that only specific versions of older operating systems are supported and that this information has not yet made it to the public.
What can I do?
As a first step, you should manually update the WhatsApp application installed on your phone and confirm that the installed version is at or above the fixed version listed in the CVE for your platform. If you believe that you may have been targeted by the attack, it would also be good practice to perform a factory reset on your device. This is likely - but not guaranteed - to remove all persistent malware.
If you are dealing with very highly classified information and using WhatsApp, then replacing the phone would be the only reasonable course of action to rule out that left-over malware puts your information at risk.