WhatsApp users urged to install update following security incident
WhatsApp users are urged to update the app following the discovery of a security vulnerability

WhatsApp users are being urged to install an update after a vulnerability was found in the app that could have allowed attackers to compromise users’ phones.

In a security advisory, WhatsApp stated that a buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number.

The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348 and WhatsApp for Tizen prior to v2.18.15.

Updates have been made available and WhatsApp users are being advised to install these as soon as possible.
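For an organisation that has to confirm the above advisory has been acted on across its own devices, the affected-version list is easiest to apply mechanically. The following is an added example (not WhatsApp’s or the NCSC’s code) that checks a constructed device inventory against the fixed versions quoted in the article, comparing version numbers numerically rather than as strings:

```python
# Added example: checks a device inventory against the fixed versions
# quoted in the advisory above. Not WhatsApp's or the NCSC's code; the
# inventory at the bottom is constructed sample data.

# Product -> first fixed version, as listed in the article.
FIXED_VERSIONS = {
    "WhatsApp for Android": "2.19.134",
    "WhatsApp Business for Android": "2.19.44",
    "WhatsApp for iOS": "2.19.51",
    "WhatsApp Business for iOS": "2.19.51",
    "WhatsApp for Windows Phone": "2.18.348",
    "WhatsApp for Tizen": "2.18.15",
}

def parse_version(version):
    """'2.19.134' -> (2, 19, 134): compare numerically, not as strings
    (as strings, '2.19.134' sorts *before* '2.19.44')."""
    parts = version.strip().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_affected(product, version):
    """True if this build predates the fix; unknown products raise
    rather than silently passing as safe."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no advisory entry for {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])

def devices_needing_update(inventory):
    """(device_id, product, installed, fixed_in) for each affected build."""
    findings = []
    for device_id, product, installed in inventory:
        if is_affected(product, installed):
            findings.append((device_id, product, installed, FIXED_VERSIONS[product]))
    return findings

# Constructed sample inventory (e.g. an MDM export), not real devices.
SAMPLE_INVENTORY = [
    ("phone-01", "WhatsApp for Android", "2.19.133"),
    ("phone-02", "WhatsApp for Android", "2.19.134"),
    ("phone-03", "WhatsApp Business for Android", "2.19.9"),
    ("phone-04", "WhatsApp for iOS", "v2.19.51"),
    ("phone-05", "WhatsApp for Tizen", "2.18.3"),
]

if __name__ == "__main__":
    for finding in devices_needing_update(SAMPLE_INVENTORY):
        print("UPDATE NEEDED: %s %s %s (fixed in %s)" % finding)
```

The product names and fixed versions come straight from the advisory as quoted above; adapt the inventory loader to whatever your MDM exports.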

The UK’s National Cyber Security Centre (NCSC) has said it always recommends installing updates as soon as they become available, as they contain vital security fixes that help protect laptops, smartphones and tablets.

The NCSC said: “It’s important to apply these updates quickly, to make it as hard as possible for attackers to get in. The NCSC also recommends that you switch on automatic updates.”

Other industry experts have commented on the news:

Adam Brown, Manager of Security Solutions at Synopsys

This is an exploit of a bug in software WhatsApp is built on that has a real-world impact. Victims of this attack include journalists and activists; attackers are able to use the victim’s phone as a room tap, look at or change information on the phone and find the victim’s location, among other things.

The compromise is possible because applications, including WhatsApp, use many third-party components; WhatsApp has ‘libssh’ in its inventory as do many others. Because of a bug in the version of ‘libssh’ (an open source client side C library implementing the SSH2 protocol) attackers are able to run their code on the victim’s phone.

It’s best practice for software companies to know what’s in the bill of materials that makes up their software and to compare that with known vulnerable versions of software components. By doing so, this kind of vulnerability can be avoided.

Leigh-Anne Galloway, Cyber Security Resilience Lead, Positive Technologies

Almost all applications contain some form of vulnerability and when those applications are as popular as WhatsApp, those flaws will be hunted out with far more vigour than others. That doesn’t negate the fact that this is going to be incredibly concerning for the general public and it returns us to the subject of Facebook. Facebook has been proven to have less than a concrete grip on privacy and security, so this will only add fuel to the fire.

It is worth remembering that WhatsApp is an Internet application and with that comes risks of hacking, so the usual advice stands – don’t share anything on it that you wouldn’t want to be seen or appear in public. Everyone should take the advice of WhatsApp and update their applications immediately. If required, they should also update their phone’s operating system as doing so can help protect against other security flaws – and it’s good practice to do so as soon as updates become available.

Assaf Dahan, Senior Director, Head of Threat Research at Cybereason

The risk is that once the spyware is installed on the victim’s phone, the attackers gain complete access to all of the information on that phone (such as geo-location, contacts, messages, mail and other data). In simple words, they can monitor everything the victim is doing, therefore a complete violation of privacy.

Potentially any WhatsApp user can be vulnerable to this attack. This zero day does not require any interaction from the user and therefore is very difficult if not impossible to avoid.

Since this zero day is attributed by the researchers to the NSO Group, it’s likely used surgically, only against specific people of interest and not as a mass infection payload.

Assuming that the latest version published by WhatsApp fixes the buffer overflow vulnerability, users who install the latest version will be protected.

That being said, there might be other zero-day exploits in the attackers’ arsenal that haven’t been discovered yet, that might be used against WhatsApp or other mobile apps.

Winston Bond, EMEA Senior Technical Director at Arxan

The attack on WhatsApp is based on using a bug in the code to give the attackers control over what it does. It takes a lot of research and reverse engineering to create an attack like that. Nothing will stop bugs, but app hardening would have made that research phase much harder and could have given Facebook a heads-up that someone was tinkering with their app.

Unfortunately, too many consumer-facing apps are published without any serious protection against reverse engineering. It’s time that changed.

Ed Macnair, CEO of CensorNet

WhatsApp has over 1.5 billion users globally, so the news that it had such a massive vulnerability is going to unsettle plenty of people. And rightly so, as the details of this cyberattack, where spyware is being injected onto users’ devices via the app’s call function, are particularly unnerving.

The attacks appear to have been specifically targeted but this doesn’t mean that the rest of civil society shouldn’t be worried that such an extensive vulnerability was present in the app.

There’s been a blurring of lines between what we might consider consumer tech and enterprise tech. WhatsApp started its life firmly in the consumer corner but has since been adopted by employees and organisations as an easy way to communicate. What we now have is an excellent example of why that can be a problem.

WhatsApp has instructed users to update the app to a version that has fixed the vulnerability in the infrastructure which allowed this to happen. Businesses must remember that, whether they know it or not, WhatsApp is being used on corporate devices and they also need updating.

Andrew Tsonchev, Director of Technology, Darktrace Industrial

This was a highly sophisticated attack that targeted a select group. The attack was also very stealthy, given that it required no user input (a no click attack) and allowed hackers to access target devices discreetly. It challenges our expectations of which platforms are secure and which are not.

The reality is that no software application, even WhatsApp, is invulnerable. Software vulnerabilities are a fact of life and as an organisation, you are only as strong as your weakest link. Users can do very little to protect themselves against this but should certainly update their app; the vulnerability has been patched, but there will be others. However, it is very unlikely that consumers were affected as hacker resources are limited.

Companies need continuous and proactive security monitoring to identify abnormal behaviours and avoid finding out about these attacks ‘by chance.’ Technologies like AI can deliver this at the scale required and defend against tomorrow’s attacks, which won’t be the same as yesterday’s as hackers are always innovating. The battle will continue – and we need to get better at defence.
