What you need to do about the WhatsApp vulnerability

WhatsApp has confirmed that a vulnerability in its app could allow hackers to take control of victims’ phones just by sending an unanswered voice call.

Dozens of WhatsApp users including human rights organisations and a UK-based lawyer may have been targeted in the attack.

The most recent version of WhatsApp was released on 6 May

Political dissidents, human rights defenders, opposition politicians and journalists in 45 countries may have been targeted.

  • WhatsApp has been hacked and attackers have installed spyware on an unknown number of people’s smartphones.
  • Bad actors installed the surveillance technology by phoning the target through WhatsApp’s call functionality, according to the Financial Times, which first spotted the issue.
  • The FT reported that the spyware was developed by Israel’s NSO Group.
  • WhatsApp is urging users to update the app after it was targeted by “an advanced cyber actor.”

WhatsApp was hacked and attackers installed sophisticated spyware on an unknown number of people’s smartphones.

The Facebook subsidiary, which has 1.5 billion users, said an advanced cyber actor infected an unknown number of people’s devices with the malware, which it said it discovered in early May.

The Financial Times first reported the vulnerability. It said the bad actors were able to install the surveillance technology by phoning the target through WhatsApp’s call functionality, giving them access to information including location data and private messages.

The hackers were able to exploit a vulnerability by calling the target via WhatsApp. Even if they didn’t pick up, the malware was able to infect the target.

The FT reported that the spyware was developed by Israel’s NSO Group, whose Pegasus software is known to have been used against human rights activists. The firm denied any involvement in a statement to the FT.


“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp said in a statement to the FT.

“We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”

In a statement sent to Business Insider, a spokesman added: “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices. We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”

A notice on Facebook said the issue impacted Android, iPhone, and Windows phones. An update was released on Monday that should resolve the issue, and users are being urged to update regardless of whether they have had any suspicious call activity.

Citing a source, the FT reported that the US Department of Justice was notified about the hack last month.

The attack was only used against “a select number of users” according to WhatsApp, but it could be adopted more widely unless people update their version of the app.

What do you need to do?

Although it is extremely unlikely that you have been targeted by these hackers, you should update your version of WhatsApp.

On an Android device, you can do this by opening the Play Store app. Tap the menu, then open the My apps & games section. If you’re not already on the most recent version of WhatsApp, you can tap Update.

On an iPhone, you can do this by opening the App Store and searching for WhatsApp. Again, if you’re not already using the most recent version, you can tap Update.

How can you safeguard against it?

The attack is being considered extraordinary by cyber security professionals.

This is not just because it targeted lawyers, who are not usually national security targets and whose communications with those targets – at least in many common law countries – are privileged.

It has caught their attention because there was no way to safeguard against it – not even by training users to spot the dodgy message.

Often cyber attacks require some kind of user input to succeed, whether the user clicks “allow” or “yes” on a pop-up, or follows a link, or downloads and executes a malicious file in a phishing email under the impression that it is innocent.

However, the WhatsApp attack is what is known as a “no-click” (zero-click) attack, meaning no user input was needed at all – the hackers could just place the voice call and, even if it was not answered, gain access to the target’s phone.

The only protection is to update the version of WhatsApp.

Is this related to the forwarding limit?

WhatsApp introduced a forwarding limit this year to tackle the spread of fake news.

The current bug has nothing to do with these changes and was caused by a “buffer overflow” vulnerability in the Secure Real-time Transport Protocol (SRTP) used by WhatsApp – essentially a mistake in the way the program handled using computer memory.

It is not known exactly how the exploit worked, but it is believed that malicious code may have been included in the details which are sent to a receiver’s phone when a user makes a WhatsApp call, such as the caller’s name and number.
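The article describes the bug class, a buffer overflow in how call details are handled, without giving any detail of WhatsApp’s code. The following added example is not WhatsApp’s code or the actual bug; it is a constructed illustration of that class. A hypothetical length-prefixed “caller name” field is parsed twice: once the way a vulnerable program would (trusting the length byte sent by the caller), and once with the bounds checks a hardened receiver applies before copying anything. The wire format, the `NAME_MAX` size and the `struct caller_info` layout are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* assumption: fixed-size field a receiver reserves for the caller's name */

/* Hypothetical record a receiver might keep for an incoming call. */
struct caller_info {
    char    name[NAME_MAX];
    uint8_t verified;   /* sits right after the buffer; an unchecked copy would overwrite it */
};

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Constructed wire format: one length byte, then that many bytes of name. */

/* The defect class the article names: the length byte that arrived from the network is
 * trusted, so a caller who claims more than NAME_MAX bytes makes memcpy write past the
 * buffer into whatever memory follows it. Shown for contrast; main() does not call it. */
void parse_caller_name_unchecked(const uint8_t *pkt, struct caller_info *out)
{
    size_t name_len = pkt[0];
    memcpy(out->name, pkt + 1, name_len);   /* no bound against NAME_MAX or the packet size */
    out->name[name_len] = '\0';
}

/* Hardened parser: the attacker-controlled length is checked against both the number of
 * bytes actually received and the destination buffer before a single byte is copied. */
int parse_caller_name_checked(const uint8_t *pkt, size_t pkt_len, struct caller_info *out)
{
    if (pkt_len < 1)
        return PARSE_TRUNCATED;             /* no length byte at all */
    size_t name_len = pkt[0];
    if (name_len > pkt_len - 1)
        return PARSE_TRUNCATED;             /* claims more bytes than arrived */
    if (name_len >= NAME_MAX)
        return PARSE_TOO_LONG;              /* would not fit (keep room for the NUL) */
    memcpy(out->name, pkt + 1, name_len);
    out->name[name_len] = '\0';
    return PARSE_OK;
}

int main(void)
{
    /* Constructed packets: well-formed, truncated, and one whose length byte exceeds the buffer. */
    const uint8_t good[]      = { 5, 'A', 'l', 'i', 'c', 'e' };
    const uint8_t truncated[] = { 9, 'A', 'l' };
    uint8_t oversized[1 + 64];
    memset(oversized, 'X', sizeof oversized);
    oversized[0] = 64;

    struct caller_info info = { 0 };
    int rc = parse_caller_name_checked(good, sizeof good, &info);
    printf("good: %d (name=%s)\n", rc, info.name);                       /* 0 (name=Alice) */
    printf("truncated: %d\n", parse_caller_name_checked(truncated, sizeof truncated, &info)); /* -1 */
    printf("oversized: %d\n", parse_caller_name_checked(oversized, sizeof oversized, &info)); /* -2 */
    /* parse_caller_name_unchecked(oversized, &info) would write 64 bytes into a 32-byte field,
     * clobbering `verified` and whatever lies beyond it; that is the bug class, so it is not run. */
    return 0;
}
```

The point of the checked version is that every length taken from the peer is compared with two independent limits, what was actually received and what the destination can hold, and the packet is rejected with a status code rather than being partially processed. A patch for this class of bug (which is what an app update delivers) is exactly such a check placed in front of the copy.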

Image: The bug is not related to the forwarding limit

Who did this?

WhatsApp stated that “a select number of users” were targeted by an “advanced cyber actor”, which the Financial Times has identified as the Israeli technology company NSO Group.

NSO Group claims its technology, known as Pegasus, is only used by intelligence and law enforcement agencies.

Critics of the firm, including human rights organisations, have claimed that many of the state agencies it works with are repressive and often target their lawyers and activists.

How did it happen?

Organisations involved in the production of hacking tools – known as “dual-use technologies” because they can have both civilian and military uses – often hire security researchers to identify vulnerabilities in popular software and develop tools to exploit them.

Last November, UK intelligence agency GCHQ revealed its process for identifying these vulnerabilities and figuring out whether to inform the company that produces the software to get them fixed or whether to exploit them to hack the computers of national security targets.

The export of these technologies is heavily regulated and Amnesty International is currently taking the Israeli ministry of defence to court to challenge the NSO Group’s export licenses.

Image: A map of countries where victims have been targeted. Pic: Citizen Lab

How do you know if this attack has affected your phone?

There is currently no way to tell if this has affected your phone. However, the attack is expensive and it is unlikely – at the moment – to be carried out by commodity criminals.

According to Citizen Lab, software believed to have been developed by NSO Group has been used to target and persecute political dissidents, human rights defenders, opposition politicians and journalists in 45 countries.

https://news.sky.com/story/what-you-need-to-do-about-the-whatsapp-vulnerability-11719552

https://www.businessinsider.com/whatsapp-hacked-attackers-installed-spyware-2019-5?r=US&IR=T
