You'll probably be aware that last week, WhatsApp was at the center of a storm of controversy following the exposure of a major vulnerability in the messaging app.
The security flaw in question leverages what’s known as a ‘buffer overflow’ to give an attacker the ability to install spyware on the target device, and subsequently gain access to a vast swathe of personal data: calls, texts, photos, location and other data on the handset, along with the possibility of activating the phone’s camera and microphone for real-time surveillance.
This attack reportedly utilizes spyware known as Pegasus – more on that shortly – and means your phone could be infected via a simple WhatsApp voice call which, even more disturbingly, doesn't even need to be answered.
Just the call being placed is enough, and having gained access to the device, the attacker can alter call logs to hide their malicious activity.
The good news (relatively speaking) is that WhatsApp has already patched this security hole. The bad news is that many people still haven’t updated to the fixed version of the app.
From a broader perspective, this incident also prompts us to consider whether encrypted messaging services like WhatsApp can ever be secure enough to truly protect our personal communications and data.
Pegasus and NSO Group
First off, let’s break this attack down in a little more detail. The attacker sends specially crafted packets of data in a voice call to the victim. These cause an internal buffer in the WhatsApp application to overflow (hence the name ‘buffer overflow’ attack), overwriting the memory next to it; because the attacker controls the data that spills over, they can hijack the app’s execution and run their own code inside it, and from there gain a foothold on the phone.
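To make the bug class concrete, here is a constructed C example (added for this article; it is not WhatsApp's code, and not the real vulnerable parser, whose packet format the page doesn't describe). It defines a toy ‘call packet’ with a one-byte declared payload length, handled first by a function that trusts that length and then by one that checks it against both the bytes actually received and the destination buffer. The packet layout, the `session` struct and the `authorised` field next to the buffer are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet format (an assumption for this example only):
 *   byte 0      declared payload length
 *   bytes 1..n  payload
 */
#define BUF_SIZE 32

struct session {
    char buf[BUF_SIZE];   /* fixed-size scratch buffer for the payload */
    int  authorised;      /* laid out after buf: what an overflow clobbers */
};

/* Vulnerable: copies as many bytes as the packet claims, with no check.
 * A declared length above BUF_SIZE writes past buf into whatever follows;
 * a declared length above the real packet size also reads past the packet. */
int handle_packet_unsafe(struct session *s, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 1)
        return -1;
    size_t declared = pkt[0];
    memcpy(s->buf, pkt + 1, declared);           /* no bounds check */
    return (int)declared;
}

/* Hardened: the declared length must fit the bytes actually received
 * and the destination buffer; anything else is rejected as malformed. */
int handle_packet_safe(struct session *s, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 1)
        return -1;
    size_t declared = pkt[0];
    if (declared > pkt_len - 1)                  /* would over-read the packet */
        return -1;
    if (declared > BUF_SIZE)                     /* would overflow buf */
        return -1;
    memcpy(s->buf, pkt + 1, declared);
    return (int)declared;
}

int main(void)
{
    struct session s;

    /* Well-formed packet: both handlers accept it. */
    uint8_t good[] = { 4, 'a', 'b', 'c', 'd' };
    memset(&s, 0, sizeof s);
    printf("safe   good  -> %d\n", handle_packet_safe(&s, good, sizeof good));

    /* Oversized packet: 36 bytes of payload for a 32-byte buffer. */
    uint8_t big[37];
    memset(big, 'A', sizeof big);
    big[0] = 36;
    memset(&s, 0, sizeof s);
    printf("safe   big   -> %d (rejected)\n", handle_packet_safe(&s, big, sizeof big));

    /* The unsafe handler copies all 36 bytes; the 4 that do not fit land on
     * the neighbouring field. This is undefined behaviour in C, which is
     * exactly why an attacker who controls the payload controls the result. */
    memset(&s, 0, sizeof s);
    handle_packet_unsafe(&s, big, sizeof big);
    printf("unsafe big   -> authorised field is now 0x%x\n", (unsigned)s.authorised);

    /* Packet that lies about its length: 10 declared, 2 present. */
    uint8_t lying[] = { 10, 'x', 'y' };
    printf("safe   lying -> %d (rejected)\n", handle_packet_safe(&s, lying, sizeof lying));
    return 0;
}
```

The point of the demo is the silent corruption: the unsafe copy turns a field the code never meant to touch into attacker-chosen bytes, and nothing complains. On a real target the overwritten memory is picked to redirect execution rather than to flip one flag, but the root cause, a length taken from the network and never checked against the buffer, is the same.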
That access is then used to install spyware, which allegedly is the Pegasus spyware produced by NSO Group, according to the Financial Times. Note that it’s not clear if this is actually the case yet, and NSO is currently investigating the matter.
Furthermore, as TechCrunch observes, even if it is Pegasus being used here, NSO itself isn’t behind any attacks, but rather the customer who bought the software from the group.
NSO further stresses it employs a ‘rigorous’ licensing and vetting procedure, and investigates “any credible allegations of misuse and if necessary, we take action, including shutting down the system”.
If Pegasus is new to you, NSO sells the spyware as a countermeasure to combat terrorism and crime. The company explains: “We provide the tools that support official authorities to lawfully address the most dangerous issues in today’s world. Governments use our products to prevent terrorism, break up criminal operations, find missing persons, and assist search and rescue teams.”
When ‘good’ spyware goes bad
In theory, Pegasus is used to compromise the devices of terrorists and law-breakers, facilitating surveillance to keep the world a safer place. There are similar tools to Pegasus out there which also leverage vulnerabilities or backdoors, but the problem is that such spyware always has the potential to be abused.
Oppressive regimes can potentially use powerful spyware to police citizens, and perhaps root out dissidents, spy on political opponents, or human rights activists – the sky’s the limit when it comes to how this spyware can be abused (or perhaps the bowels of hell would be a more appropriate limit, seeing as we’re gazing in a downwards direction in this case).
And while there have been alleged major successes for Pegasus, such as the arrest of Mexican drug lord Joaquín Guzmán, there’s also plenty of negative press flying around (and indeed that’s the case for other state-used spyware). For example, back in mid-2016, we reported on Pegasus being used to target Emirati human rights activist Ahmed Mansoor.
At the end of 2018, a Saudi dissident filed a lawsuit against NSO Group alleging Pegasus was used against murdered journalist Jamal Khashoggi, and Amnesty International has just filed a suit claiming that there are an “abundance of reports pointing to governments’ deployment of the Pegasus spyware platform to surveil human rights defenders”.
Naturally, this is all food for serious thought – and while it’s certainly worrying in terms of the bigger picture, what about the smaller one? Should the WhatsApp incident give the average person any cause for concern going forward when it comes to the safety of their personal data when using WhatsApp or similar messaging services?
Can encrypted messaging services ever be truly secure?
This question may be weighing on your mind following the revelation of WhatsApp’s security flaw.
WhatsApp offers end-to-end encryption, which makes users feel safe and secure. As the company explains on its website, “just like your messages, WhatsApp calls are end-to-end encrypted so WhatsApp and third parties can’t listen to them.”
And that’s true: every message or call is encrypted end to end, so its content can’t be read or heard in transit by anyone but the sender/caller and the recipient.
However, end-to-end encryption only protects data on the wire. It means nothing if the software itself carries a vulnerability that can be exploited to install spyware that effectively cracks the entire device open, which is what happened with WhatsApp. Once the attacker controls the handset, they read messages after they have been decrypted, exactly as the user does; the encryption is never broken, just bypassed.
So more broadly, the question is: can software ever be truly secure? It’s obviously impossible to give any guarantees on that front, so the short answer is no; not really.
Etienne Greeff, CTO and co-founder of SecureData, told us: “Underlying operating systems may appear to be very secure, like iOS, but the whole ecosystem including all the apps on the operating system is so complex and convoluted it becomes very difficult to have complete security. Also, few of the alleged zero-day security tools used to secure these complex systems would have been effective.”
We asked Greeff to elaborate a little on why the mentioned zero-day security tools – meaning typical antivirus/security apps – would have been ineffective. He explained: “The memory space of Android is such that no other process can access memory from other processes, so at best these tools check that they themselves are not a virus…in the case of the WhatsApp issue, this exploited a feature within an application which would have been opaque to other alleged security tools, due to the memory restriction.”
Daniel Follenfant, Senior Manager Penetration Testing, Consulting Services NTT Security, stressed that keeping apps secure is a constant battle, and if they were watertight full-stop, we obviously wouldn’t need to be continually updating them with security patches.
Follenfant noted that, “any user of Windows will have seen patches coming through all the time, but we continue to have faith that they will watch for security vulnerabilities and fix them, just as WhatsApp did".
“We do need to keep faith that vendors will be monitoring and looking at such vulnerabilities, these days the competition and turnover of applications means that if you (as a vendor) are not seen to take positive action you will lose your users and they will move on.”
Clearly, companies promising protection for your sensitive data like WhatsApp should be at the cutting-edge of security, and must move quickly to minimize any damage caused by a security hole, with swift remedial patches, as was the case here.
The other (relatively) positive news, when it comes to potential damage, is that the WhatsApp attack was not some scattergun campaign sprayed far and wide, as much malware tends to be. We’re talking about targeted, cherry-picked victims being hit by a sophisticated attack, including lawyers and journalists.
As The Guardian reports, thus far, known targets include a UK-based human rights lawyer and a researcher for Amnesty International.
So the likelihood is that, unless your job runs along such lines, and involves sensitive or potentially interesting data, you probably weren’t targeted. By all accounts, only a small number of people were affected anyway, and while the exact number is unknown, it’s a figure that’s "at least in the dozens" according to a WhatsApp spokesperson.
There’s no way to be certain that your account wasn’t compromised, but if you didn’t get a WhatsApp voice call from an unknown number (or a dropped call), you’re probably in the clear. Bear in mind, though, that the attacker can scrub the call log, so a clean log isn’t proof that you were never targeted.
Even if you’re not likely to have been personally affected, though, the prospect of such a deeply invasive piece of spyware being delivered via a secure messaging app is still a very worrying one. And the trouble is, popular encrypted messaging services like WhatsApp – which has 1.5 billion users – represent such a big and juicy target for highly motivated parties with deep pockets.
So these sorts of services will inevitably be probed for vulnerabilities by clever and resourceful hackers, who, if they find an exploit, could leverage it to deliver some form of sophisticated spyware that packs powerful surveillance functionality and the ability to operate stealthily on the victim’s device.
Etienne Greeff further observes that the WhatsApp incident "shows the effects of very deep state pockets on everyday people."
"The NSO Group exists because governments and state agencies have the ability to pay six figure sums for zero days which they can use for their own policy aims. The reality is that this affects everyday people and does spill over into civilian life as we saw with Khashoggi and others.”
What can you do to keep your data safe?
As ever, you must always keep your operating system fully updated, as well as all installed applications. In this case, WhatsApp was swiftly patched, but older builds remain vulnerable: you need to be running at least version 2.19.134 on Android, or at least version 2.19.51 on iOS. (Read our guide on how to update WhatsApp, if you're not sure how to do this.)
What’s worrying is, despite the gravity of this incident, many people still haven’t updated WhatsApp – as of May 17, a staggering 80% of iOS devices hadn't been updated, according to security firm Wandera, citing data about its customers’ phones.
So whatever you do, when it comes to all your applications, make sure they are constantly up-to-date and running the latest version.
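For anyone checking a fleet of handsets against the fixed builds named above, here is an added example in C (written for this article; it is not a tool WhatsApp or Wandera provides). It compares dotted version strings component by component as numbers, and wraps that in a check against the two minimum versions from this page. The platform labels, the `whatsapp_patched` helper and the sample inventory are assumptions for the example. The trap it avoids is plain string comparison, under which "2.19.51" sorts after "2.19.134" and a vulnerable Android build would look patched.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COMPONENTS 4

/* Parse up to COMPONENTS dotted numeric fields; missing fields are 0,
 * and parsing stops at the first non-numeric suffix (e.g. "-beta"). */
static void parse_version(const char *v, long out[COMPONENTS])
{
    for (int i = 0; i < COMPONENTS; i++)
        out[i] = 0;
    for (int i = 0; i < COMPONENTS && *v != '\0'; i++) {
        char *end;
        out[i] = strtol(v, &end, 10);
        if (end == v)            /* no digits here: stop parsing */
            break;
        v = (*end == '.') ? end + 1 : end;
    }
}

/* Returns 1 if `have` is at least `need`, comparing each component as
 * an integer, so 2.19.134 is correctly seen as newer than 2.19.51. */
int version_at_least(const char *have, const char *need)
{
    long a[COMPONENTS], b[COMPONENTS];
    parse_version(have, a);
    parse_version(need, b);
    for (int i = 0; i < COMPONENTS; i++) {
        if (a[i] != b[i])
            return a[i] > b[i];
    }
    return 1;
}

/* Minimum fixed builds as stated in the article. Unknown platforms are
 * reported as unverified (0) rather than assumed patched. */
int whatsapp_patched(const char *platform, const char *version)
{
    if (strcmp(platform, "android") == 0)
        return version_at_least(version, "2.19.134");
    if (strcmp(platform, "ios") == 0)
        return version_at_least(version, "2.19.51");
    return 0;
}

int main(void)
{
    /* Constructed sample inventory, not real devices. */
    const char *inventory[][2] = {
        { "android", "2.19.134" },
        { "android", "2.19.51"  },   /* strcmp() would call this one patched */
        { "ios",     "2.19.51"  },
        { "ios",     "2.19.50"  },
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        const char *p = inventory[i][0], *v = inventory[i][1];
        const char *need = (strcmp(p, "android") == 0) ? "2.19.134" : "2.19.51";
        printf("%-8s %-10s %s (naive strcmp says %s)\n", p, v,
               whatsapp_patched(p, v) ? "patched" : "VULNERABLE",
               strcmp(v, need) >= 0 ? "patched" : "vulnerable");
    }
    return 0;
}
```

On Android the installed build can be read with `adb shell dumpsys package com.whatsapp | grep versionName` and fed to `whatsapp_patched()`; on iOS the version is shown on the app's App Store page or under Settings within WhatsApp.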
Beyond that, it pays to use your common sense when it comes to sensitive material: if you don’t have to share it over an online messaging service, then don’t.
With this incident specifically, we’ve also learned to be wary of mysterious missed calls, as well as all the usual fodder – suspect-looking links, dodgy attachments, and so on.
As another general precaution, Daniel Follenfant further reminds us to avoid password reuse.
“One thing that should always be considered is the use of the same password on everything. For example, if you use a forum for fishing that you log into and you use the same password for Amazon, an attacker wouldn’t go after Amazon. They would target the less secure forum."
“When you get notified that the forum was breached, you may dismiss it as ‘it’s only the fishing forum’. However, the attacker can then try your details on Amazon and gain access to your account. In an ideal world all credentials should have a unique password.”
And one easy way to achieve this, of course, is by using a password manager.
Failing all that, you could always keep your phone in a fridge, like Edward Snowden famously insisted some lawyers did when he met with them in Hong Kong back in 2013.
Apart from bringing a new meaning to the term ‘frosty reception’, Snowden's strange behavior had nothing to do with the cold, but rather the properties of the fridge walls. Being made of metal, the fridge acts as a makeshift Faraday cage, blocking radio signals and with them any attempt by a compromised smartphone to listen in or phone home.
An extreme measure, for sure, but an interesting glimpse of the sort of lengths a big target like Snowden might go to in order to try and maintain their security.
Given the speed at which hacking and covert device surveillance seems to be progressing these days, even everyday folks might be forgiven for considering more radical countermeasures in a bid to keep their communications and data as secure as they can possibly be.