WhatsApp has patched a severe weakness in its software for both iOS and Android that some actors have been using in highly targeted attacks with an exploit that requires no interaction from the victim.
It’s not clear exactly how long the vulnerability has been present, but researchers at WhatsApp recently discovered it and set about it fixing it. But some attackers had been exploiting the vulnerability an unknown amount of time, targeting a small number of victims, according to reports. The attacks against the vulnerability were part of attempts to install a spyware tool on victims’ phones, reportedly the Pegasus software sold by Israeli firm NSO Group. That firm sells its system to law enforcement and intelligence agencies and the Pegasus spyware has been linked to compromises of devices owned by journalists, dissidents, and human rights activists in a number of countries.
The vulnerability itself can be exploited without any actions from the victim, and reports say that the known exploit attempts have used voice calls to the victim’s device as the exploit vector. Victims do not need to answer the call in order for the exploit to work.
“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number,” the advisory from Facebook, which owns WhatsApp, says.
There are fixed versions of WhatsApp available for iOS and Android, and security experts are recommending that users install the fix as soon as possible. The vulnerability is quite serious, and it is the kind that is used in targeted attacks by advanced actors, typically intelligence agencies and law enforcement organizations. The victims in such attacks often have no indication that their devices have been compromised and the kind of powerful spyware tools used in these operations typically give operators the ability to monitor voice, text, and other apps remotely.
Platforms such as WhatsApp, Signal, iMessage, and others that offer secure, encrypted messaging or voice communications have become prime targets for high-level attackers. Many people rely on these platforms for secure, private communications, including reporters, dissidents, abuse victims, and others. Criminal groups and terror organizations are also known to use such tools, so vulnerabilities in those platforms are extremely valuable for law enforcement agencies seeking to keep tabs on suspects.
Those vulnerabilities are also highly prized because of their scarcity. Apple’s iOS is considered one of the more difficult platforms to exploit and Signal and WhatsApp vulnerabilities are valuable, as well. Zerodium, a firm that buys vulnerabilities from researchers, pays up to $1 million for remote code execution bugs in iMessage and WhatsApp and up to $500,000 for such flaws in Signal.
"Quite frankly, we are on the losing side of a disheartening asymmetry of capabilities that favors attackers over us, defenders.”
“Unfortunately, so called ‘0-click’ exploits are more common than it appears on the press, and blaming WhatsApp for this security flaw is shortsighted, as we can surely expect competitor apps to be equally targeted and most likely already exploited,” Claudio Guarnieri, a security researcher who has tracked surveillance technology makers closely and now works for Amnesty International, said in a newsletter article Tuesday.
Human rights organizations and other groups have been highly critical of the use of these tools to target journalists, activists, and others, as well as of the software makers themselves. Regulation of the sale and export of advanced surveillance tools varies widely by country, and while there are several well-known sellers of these systems, there are many more that haven’t yet attracted widespread media or research attention.
Security researchers track the sellers of these systems closely, but one of their challenges in this work is discovering compromises and infected devices. While the number of known victims of these operations is usually quite small, the population of unknown victims is more worrisome to researchers.
“The amount of documented cases of targeting of journalists and human rights defenders using NSO Group's products and services is evergrowing. And although we expect more to come to light in the future, all that we know so far is most likely a small fraction of the whole. Attacking and infecting mobile devices is a difficult, but not impossible, task because of the many security mitigations and lockdowns baked into mobile platforms, such as Android and even more so iOS. However, these security controls have made mobile devices extremely difficult to inspect, especially remotely, and particularly for those of us working in human rights organizations lacking access to adequate forensics technology,” Guarnieri said.
“Because of this, we are rarely able to confirm infections of those who we even already suspect being targeted. Last August, for example, we discovered one of our Amnesty staff members was targeted with Pegasus but whether others were too is not possible for us to confirm. Quite frankly, we are on the losing side of a disheartening asymmetry of capabilities that favors attackers over us, defenders.”
CC By 2.0 image from Tim Reckman.