The Chilling WhatsApp VoIP Hack
On 13 May 2019, the Financial Times reported a highly targeted attack against a UK human rights’ attorney currently involved in a lawsuit against the NSO Group. Bad actors utilized a buffer flow vulnerability in WhatsApp’s proprietary VoIP implementation that could allow them to install the NSO Group’s Pegasus spyware without the user even answering the call. The attacker remains unidentified.
Download NOW our Free Whitepaper
This is chilling.
For years, cybersecurity best practices have recommended employee training in recognizing spoofed messages and phishing attacks as one of the best ways of protecting yourself and your company. However, training cannot prevent a scenario like this one. The only way this attorney and his clients could have protected themselves was not to use WhatsApp.
On the surface, WhatsApp offers everything you need. It’s end-to-end encrypted, allows group chats, and — best of all for activists operating on a shoe-string budget — free. However, we often forget that there’s no free lunch.
Every app developer makes trade-offs. Some choose security, others usability, and still others marketability and ad revenues. They create a list of what’s most important for their company and their user base and develop accordingly. Due to this, consumer applications like WhatsApp often trade security for usability because their goal is to grow their user base.
With WhatsApp, we find these trade-offs particularly concerning because they have built their reputation on privacy and the security of end-to-end encryption. However, their past behavior does not indicate that their business model puts security first.
In April 2016, Tobias Boelter, a Ph.D. student at the University of California, Berkley, reported a possible WhatsApp security vulnerability to its parent company Facebook. In theory, this could allow a third-party to intercept and read an encrypted message. On 13 January 2017, The Guardian mischaracterized this vulnerability as a backdoor and the Internet exploded. They later amended the article.
However, in the days that followed, a disturbing narrative emerged. The reported security vulnerability was a feature. It helped users continue WhatsApp conversations when they swapped phones, ran out of battery power, or loss coverage. Incidentally, it’s also a well-known encrypted messaging system exploit, but using it requires an insider at Facebook or WhatsApp.
Fast-forward to July 2017 when a group of researchers from Germany’s Ruhr University Bochum reported a WhatsApp group invitation bug. According to them, a spoofed group invitation invite could allow an unauthorized individual to access group messages. In January 2018, they discussed this vulnerability in a paper presented at the Real World Crypto Security Conference. WhatsApp confirmed the bug exists, but they claimed it didn’t matter because they notify members whenever a new person joins their group.
These two cases point to a disturbing pattern. Yes, WhatsApp and their parent company Facebook know that a security vulnerability exists. However, they will not address the “theoretical vulnerability” because it either makes their product more consumer friendly or because they consider it your problem, not theirs.
A conspiracy theorist would look at WhatsApp’s previous behavior and the recently reported NSO exploit and wonder whether they previously dismissed reports about a “buffer overflow vulnerability.”
We are security experts, not conspiracy theorists. Based on the evidence, WhatsApp’s first concern is usability, not security.
Their platform brought enhanced messaging features to the masses, filling a niche ignored by traditional mobile operators. However, their usability-first mentality combined with their parent company’s questionable business practices and concerns over WhatsApp’s compliance with GDPR and other national and industry-specific data protection regimes make WhatsApp inappropriate for sensitive business and government communications and collaborations.
However, this is also yet another cautionary tale about the NSO Group and their commercialized cyberweapons. While we commend WhatsApp for their prompt response, the fact remains that their VoIP implementation potentially put a human rights lawyer and his clients, including journalists, government critics, and dissidents, at risk.
At the same time, we recognize that WhatsApp is only the most recent victim. Past Pegasus attacks have used anything that could receive a text link. This time they carried out a highly targeted attack via VoIP. No user interaction is necessary.
How can you protect your company from similar exploits?
No application is 100% secure. We are all vulnerable. However, some applications are less vulnerable than others because they employ security by design. With business and government communications and collaborations applications like ours, security always comes first.
Adopt a security-first mindset in your workplace.
- Vet all applications used on a device within your workplace and prohibit consumer applications like WhatsApp on these devices.
- Continue teaching your employees about the risks associated with unapproved apps, as well as clicking on links and how to identify phishing attacks. Don’t ignore these older and more common attack vectors.
- Make operating system security patches mandatory.
Call us at (+41) 22 566 14 80 and let’s put security first in your digital workplace.