Wired.com
How Hackers Broke WhatsApp With Just a Phone Call
Author: Lily Hay Newman
Security
05.14.19
12:05 I'm
How Hackers Broke WhatsApp With Just a Phone Call
Josep Lago/AFP/Getty Images
Share
You've heard the advice a million times. Don't click links in suspicious emails or texts. Don't download shady apps. But a new Financial Times report alleges that the notorious Israeli spy firm NSO Group developed a WhatsApp exploit that could inject malware onto targeted phones—and steal data from them—simply by calling them. The targets didn't need to pick up to be infected, and the calls often left no trace on the phone's log. But how would a hack like that even work in the first place?
WhatsApp, which offers encrypted messaging by default to its 1.5 billion users worldwide, discovered the vulnerability in early May and released a patch for it on Monday. The Facebook-owned company told the FT that it contacted a number of human rights groups about the issue and that exploitation of this vulnerability bears "all the hallmarks of a private company known to work with governments to deliver spyware." In a statement, NSO Group denied any involvement in selecting or targeting victims but not its role in the creation of the hack itself.
"This does indeed sound like a freak incident."
Bjoern Rupp, CryptoPhone
So-called zero-day bugs, in which attackers find a vulnerability before the company can patch it, happen on every platform. It's part and parcel of software development; the trick is to close those security gaps as quickly as possible. Still, a hack that requires nothing but an incoming phone call seems uniquely challenging—if not impossible—to defend against.
WhatsApp wouldn't elaborate to WIRED about how it discovered the bug or give specifics on how it works, but the company says it is doing infrastructure upgrades in addition to pushing a patch to ensure that customers can't be targeted with other phone-call bugs.
"Remote-exploitable bugs can exist in any application that receives data from untrusted sources," says Karsten Nohl, chief scientist at the German firm Security Research Labs. That includes WhatsApp calls, which use the voice-over-internet protocol to connect users. VoIP applications have to acknowledge incoming calls and notify you about them, even if you don't pick up. "The more complex the data parsing, the more room for error," Nohl says. "In the case of WhatsApp, the protocol for establishing a connection is rather complex, so there is definitely room for exploitable bugs that can be triggered without the other end picking up the call."
VoIP calling services have been around for so long that you'd think any kinks in the basic call connection protocols would be worked out by now. But in practice, every service's implementation is a little bit different. Nohl points out that things get even trickier when you are offering end-to-end encrypted calling, as WhatsApp famously does. While WhatsApp bases its end-to-end encryption on the Signal Protocol, its VoIP calling functionally likely also includes other proprietary code as well. Signal says that its service is not vulnerable to this calling attack.
According to Facebook's security advisory, the WhatsApp vulnerability stemmed from an extremely common type of bug known as a buffer overflow. Apps have a sort of holding pen, called a buffer, to stash extra data. A popular class of attacks strategically overburdens that buffer so the data "overflows" into other parts of the memory. This can cause crashes or, in some cases, give attackers a foothold to gain more and more control. That's what happened with WhatsApp. The hack exploits the fact that in a VoIP call the system has to be primed for a range of possible inputs from the user: pick up, decline the call, and so on.
"This does indeed sound like a freak incident, but at the heart of it seems to be a buffer overflow problem that is unfortunately not too uncommon these days," says Bjoern Rupp, CEO of the German secure communication firm CryptoPhone. "Security never was WhatsApp's primary design objective, which means WhatsApp has to rely on complex VoIP stacks that are known for having vulnerabilities."
The WhatsApp bug was being exploited to target only a small number of high-profile activists and political dissidents, so most people won't have been affected by any of this in practice. But you should still download the patch on your Android and iOS devices.
"Companies like NSO Group try to keep a little stockpile of things that can be used to get onto devices," says John Scott-Railton, a senior researcher at the University of Toronto's Citizen Lab. "This incident makes it abundantly clear that anyone with a phone is impacted by the kind of vulnerabilities that customers of these companies are slinging around. There’s a reality here for all of us."
More Great WIRED Stories
The hacker group on a supply-chain hijacking spree
My search for a boyhood friend led to a dark discovery
LA’s plan to reboot its bus system using cell phone data
The antibiotics business is broken, but there's a fix
Move over, San Andreas: There’s a new fault in town
💻 Upgrade your work game with our Gear team's favorite laptops, keyboards, typing alternatives, and noise-canceling headphones
📩 Want more? Sign up for our daily newsletter and never miss our latest and greatest stories
Related Video
Security
How to Get Started with Encrypted Messaging
It’s time to start using an encrypted messaging app. Why? Using end-to-end encryption means that no one can see what you’re sharing back and forth.
#WhatsApp#hacks#messaging
View Comments
Sponsored Stories
Lily Hay Newman
The CIA Sets Up Shop on Tor, the Anonymous Internet
Tor Ekeland
The Law Being Used to Prosecute Julian Assange Is Broken
Andy Greenberg
The Strange Journey of an NSA Zero-Day—Into Multiple Enemies' Hands
Lily Hay Newman
What Israel's Strike on Hamas Hackers Means For Cyberwar
Lily Hay Newman
Hacker Lexicon: What Is Application Shielding?
More security
Tech in Two
WhatsApp Was Hacked, Your Computer Was Exposed, and More News
Author: Alex Baker-WhitcombAlex Baker-Whitcomb
cpus
Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs
Author: Andy GreenbergAndy Greenberg
book excerpt
How Tech Helped Unknown Staffers Change the US Way of War
Author: John GansJohn Gans
bad bugs
A Cisco Router Bug Has Massive Global Implications
Author: Lily Hay NewmanLily Hay Newman
security roundup
Robert Mueller Won't Testify Next Week After All
Author: Brian BarrettBrian Barrett
Hacks
Indictment Alleges Who Hacked Anthem, but Not Why
Author: Lily Hay NewmanLily Hay Newman
Get Our Newsletter
WIRED’s biggest stories delivered to your inbox.
submit
Subscribe
Advertise
Site Map
Press Center
FAQ
Accessibility Help
Customer Care
Contact Us
Securedrop
Coupons
Newsletter
Wired Staff
Jobs
RSS
CNMN Collection
© 2018 Condé Nast. All rights reserved.
Use of and/or registration on any portion of this site constitutes acceptance of our User Agreement (updated 5/25/18) and Privacy Policy and Cookie Statement (updated 5/25/18). Your California Privacy Rights. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast. Ad Choices.
Sent from Samsung tablet.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment