Human rights lawyer targeted using WhatsApp
May 14, 2019 11:28 AM

The Facebook-owned WhatsApp messaging app was exploited to spy on a human rights lawyer (NY Times). Coverage in Wired and TechCrunch.

The app was used to install spyware that appears to be the work of the NSO Group, a company with a history of targeting human rights activists.

As reported in the Times, the "WhatsApp hole was used to target a London lawyer who has been involved in lawsuits that accuse NSO Group of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists ... the list of targets could be much longer."

WhatsApp users are encouraged to update to a new version of the app that purports to fix the security flaw (though the release notes are silent about this).

Signal is an alternative app for secure messaging.
posted by exogenous (25 comments total) 18 users marked this as a favorite
 
Buffer overflow attacks are so common and so persistent in security. And once found and exploited, there's nothing to do about them except patch and update.

I attended the big RSA security conference recently and on the vendor floor, Israeli security firms and indeed the state of Israel itself pretty much dominated.
posted by kalessin at 11:32 AM on May 14 [3 favorites]




Buffer overflow attacks are so common and so persistent in security. And once found and exploited, there's nothing to do about them except patch and update.

From the Wired coverage:
... a new Financial Times report (paywalled?) alleges that the notorious Israeli spy firm NSO Group developed a WhatsApp exploit that could inject malware onto targeted phones—and steal data from them—simply by calling them. The targets didn't need to pick up to be infected, and the calls often left no trace on the phone's log.
...
According to Facebook's security advisory, the WhatsApp vulnerability stemmed from an extremely common type of bug known as a buffer overflow. Apps have a sort of holding pen, called a buffer, to stash extra data. A popular class of attacks strategically overburdens that buffer so the data "overflows" into other parts of the memory. This can cause crashes or, in some cases, give attackers a foothold to gain more and more control. That's what happened with WhatsApp. The hack exploits the fact that in a VoIP call the system has to be primed for a range of possible inputs from the user: pick up, decline the call, and so on.

"This does indeed sound like a freak incident, but at the heart of it seems to be a buffer overflow problem that is unfortunately not too uncommon these days," says Bjoern Rupp, CEO of the German secure communication firm CryptoPhone. "Security never was WhatsApp's primary design objective, which means WhatsApp has to rely on complex VoIP stacks that are known for having vulnerabilities."
...
While WhatsApp bases its end-to-end encryption on the Signal Protocol, its VoIP calling functionality likely also includes other proprietary code as well. Signal says that its service is not vulnerable to this calling attack.
posted by filthy light thief at 12:22 PM on May 14
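The overflow class that kalessin's comment and the Wired passage describe, as an added example that is not part of this thread and is not WhatsApp's or NSO's code: a parser for a hypothetical call-signalling message, with the unchecked copy beside its bounds-checked form. The message layout, type codes, function names and rejection codes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical call-signalling message, constructed for this example (not WhatsApp's
 * real format): byte 0 = type, byte 1 = length the sender claims for the payload,
 * bytes 2.. = payload (e.g. a caller id for an INVITE). */
enum { MSG_INVITE = 1, MSG_ACCEPT = 2, MSG_DECLINE = 3 };
#define PAYLOAD_CAP 16

typedef struct {
    uint8_t type;
    size_t  payload_len;
    char    payload[PAYLOAD_CAP];   /* the fixed-size "holding pen" */
} call_msg_t;

/* Unchecked parser, the bug class in the Wired passage: it trusts the length byte from
 * the network, so a claim above PAYLOAD_CAP writes past payload[] into adjacent memory.
 * Kept only for contrast; never give it untrusted input. */
int parse_call_msg_unchecked(const uint8_t *msg, size_t msg_len, call_msg_t *out)
{
    if (msg_len < 2) return -1;
    out->type = msg[0];
    out->payload_len = msg[1];
    memcpy(out->payload, msg + 2, out->payload_len);   /* no bound on the claimed length */
    return 0;
}

/* Hardened parser: a network-derived length is checked against the bytes actually
 * received AND against the destination's capacity before anything is copied. */
int parse_call_msg_checked(const uint8_t *msg, size_t msg_len, call_msg_t *out)
{
    if (msg == NULL || out == NULL || msg_len < 2) return -1;
    uint8_t type = msg[0];
    size_t claimed = msg[1];
    if (type < MSG_INVITE || type > MSG_DECLINE) return -4;  /* unknown message type */
    if (claimed > msg_len - 2) return -2;   /* claims more bytes than were received */
    if (claimed > PAYLOAD_CAP) return -3;   /* would overflow payload[] */
    out->type = type;
    out->payload_len = claimed;
    memcpy(out->payload, msg + 2, claimed);
    return 0;
}

/* Runs the hardened parser on one message and returns the payload length on success
 * or the negative rejection code, so a caller can see which check fired. */
int probe(const uint8_t *msg, size_t msg_len)
{
    call_msg_t m;
    int rc = parse_call_msg_checked(msg, msg_len, &m);
    return rc == 0 ? (int)m.payload_len : rc;
}

/* Claimed length fully present on the wire but larger than the buffer: the unchecked
 * parser would overrun here, the checked one rejects it. */
int probe_oversized(void)
{
    uint8_t msg[2 + 40] = { MSG_INVITE, 40 };
    memset(msg + 2, 'A', 40);
    return probe(msg, sizeof msg);
}

int main(void)
{
    const uint8_t invite[] = { MSG_INVITE, 5, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t lying[]  = { MSG_INVITE, 200, 'x' };   /* claims 200 bytes, carries 1 */
    printf("valid: %d  truncated: %d  oversized: %d\n", probe(invite, sizeof invite), probe(lying, sizeof lying), probe_oversized());
    return 0;   /* prints: valid: 5  truncated: -2  oversized: -3 */
}
```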


I attended the big RSA security conference recently and on the vendor floor, Israeli security firms and indeed the state of Israel itself pretty much dominated.

What's the significance of that, that you felt it noteworthy in the context of this post?
posted by asterix at 12:33 PM on May 14


It's unclear to me whether or not this allowed the exploit to escape the WhatsApp sandbox. And I'm not sure how many sandbox exploits there are likely to be in Android itself. Seems like a factory reset might be in order for any device that's had WhatsApp running on it.
posted by straw at 12:36 PM on May 14


Signal has previously been compromised, according to the Electronic Frontier Foundation in January 2018:
The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally. However, the fake apps also allow the attackers to take photos, retrieve location information, capture audio, and more. [...]

The researchers believe that Dark Caracal is only one of a number of different global attackers using this infrastructure. Over the years, Dark Caracal’s work has been repeatedly misattributed to other cybercrime groups.
However, the Electronic Frontier Foundation does publish How to: Use Signal for Android and How to: Use Signal on iOS.
posted by Little Dawn at 12:44 PM on May 14 [2 favorites]


What's the significance of that, that you felt it noteworthy in the context of this post?

Uh, the post is about an Israeli security firm using an exploit to help others spy on journalists and activists. How much more noteworthy could it be?
posted by sideshow at 12:50 PM on May 14 [16 favorites]


What's the significance of that, that you felt it noteworthy in the context of this post?

The NSO Group, the organization responsible for this hack, is Israeli.
posted by Mr.Encyclopedia at 12:51 PM on May 14 [4 favorites]


What's the significance of that, that you felt it noteworthy in the context of this post?

As noted by the Guardian: WhatsApp Urges Users to Update App after Discovering Spyware Vulnerability
The spyware was developed by the Israeli cyber intelligence company NSO Group, according to the Financial Times, which first reported the vulnerability.
In related news: WhatsApp Hack: Have I Been Affected and What Should I Do? (Guardian)
posted by Little Dawn at 12:52 PM on May 14 [1 favorite]


Little Dawn, that EFF report is about malicious apps masquerading as Signal (and other secure messaging services). The EFF themselves explain:
Dark Caracal does not mean that Signal or WhatsApp themselves are compromised in any way. [..] If you downloaded your apps from Google’s official app store, Google Play, then you are almost certainly in the clear.
The danger is if you install an app from an untrusted source, which claims to be from a legitimate developer but is actually malware. Among other things, this requires the victim (or someone with physical access to their phone) to actively disable Android or iOS's default security measures. There's no way for developers of Signal or WhatsApp to prevent this sort of attack, since it happens without any involvement from their apps or services. The only connection to Signal was that the attacker gave their malware the same name as Signal, in order to trick the victims.
posted by mbrubeck at 12:54 PM on May 14 [7 favorites]


mbrubeck, I appreciate the clarification, and I'm glad I also pointed out EFF's resources for installing legitimate Signal Apps.
posted by Little Dawn at 1:00 PM on May 14


Worth noting, we have two things being discussed here:

1) The original subject of the post, which is part of the WhatsApp stack getting exploited by an Israeli security firm called The NSO Group. This is WhatsApp's fault, in the sense that the buck stops with them with whatever technologies they buy to use for the VoIP stuff. This exploit can happen on Android or iPhone, possibly.

2) The subject of the post from Little Dawn, which is fake apps that pretend to be WhatsApp, but are in fact trojans. These would not be WhatsApp's fault, and can only happen on Android (although people like Elizabeth Warren would like to change this) since in that ecosystem you don't have to use the official Google App Store, so who knows what the fuck you are downloading, and it's up to you to know and your fault if all your nudes get sent to China or whatever (caveat emptor). With iPhone, you aren't going to get fake apps since the real store is the only place you get them (processes like sideloading, aside).

Anyway, #1 is news, #2 is an old thing from last year I believe. Also, #2 is kind of an ongoing thing with many apps since with Android it's possible to just get them from anywhere.
posted by sideshow at 1:09 PM on May 14 [4 favorites]


Uh, the post is about an Israeli security firm using an exploit to help others spy on journalists and activists. How much more noteworthy could it be?

Is the implication that all Israeli security firms are engaged in this sort of behavior? Or that they're more likely to be?

Given the rise of global anti-Semitism lately and specifically the way that people from all sides of the political spectrum slide back and forth between "Israel" and "Jews" possibly I'm more sensitive to implications (intended or unintended) here than I would be otherwise. But I also think that makes it more worthwhile to be explicit about what you mean.
posted by asterix at 1:11 PM on May 14 [7 favorites]


No antisemitism intended. Instead I meant to say that Israeli defense and security firms are prevalent and well funded and have a strong presence in the security market.

It's probably not obvious and I ought to have clarified that security and hacking are two sides of the same coin. There's a great deal of overlap and cross-fertilization between both communities in the world. Many of us both defend and intrude in the same software and systems contexts. Indeed, knowing how to do one (e.g. attack/intrude) can make us far more effective at pursuing the other (e.g. defend/strengthen).
posted by kalessin at 1:26 PM on May 14 [8 favorites]


I am a security professional and for whatever the reason, I don't know, a whole lot of security stuff seems to come out of Israel and there seems to be some kind of coded exceptional status granted to that. Like, when I'm being told about a new vendor by a VAR, the sales rep will say something like "they are based in Israel" in a low and authoritative voice and I am supposed to take that as some kind of "ooooooooh" enthralling fact.

What I do know is the basis of that security tech and capability seems to be coming out of the Israeli military, and for whatever it's worth Israeli security firms and operations seem to be more at the "we're working at the nation-state game to do some master level shit you mere IT security mortals can't even fathom" and so therefore I guess we're supposed to take the fact that this was an Israeli group as more signal that Israel is doing security shit on a level that the rest of us are supposed to be enthralled by.

So I guess I wonder, how does model minority status work in this case? There's some kind of privilege/power dynamic at work and I don't doubt for a second that somewhere in that there's some kind of anti-semitic backlash that's either happening or gonna happen within the privacy/EFF/anti-surveillance/hacktivism/anti-military scenes.
posted by nikaspark at 1:34 PM on May 14 [14 favorites]


Instead I meant to say that Israeli defense and security firms are prevalent and well funded and have a strong presence in the security market.

I'm aware of the overlap between the white- and black-hat communities and I still don't get the significance. Is it "the fact that this particular firm was Israeli is unimportant"? Or something else?
posted by asterix at 1:50 PM on May 14


Is it "the fact that this particular firm was Israeli is unimportant"? Or something else?

It’s a weird fact in the infosec community that a hell of a lot of advanced security tech is coming out of Israel and I’m totally down for examining the possible biases that drive how we observe and talk about that fact.
posted by nikaspark at 2:04 PM on May 14 [6 favorites]


It’s a weird fact in the infosec community that a hell of a lot of advanced security tech is coming out of Israel and I’m totally down for examining the possible biases that drive how we observe and talk about that fact.

Nikaspark, is it your assessment that the stuff coming out of Israel is genuinely advanced, or has "Israeli security!!!1!" just become a marketing tool? The reason I ask is that there have been other security and security-adjacent firms in the news (e.g., Black Cube) that seem to have talked a good game without really offering anything novel. And although "Israeli security guards" have been a thing for decades, I'm pretty sure that they're chiefly distinguished by designer stubble and a carefully-developed look of blank disdain; they're not necessarily more sophisticated than other ones.

There's possibly an interesting parallel here with the historical employment of Gurkhas as mercenary soldiers, and previously by Swiss mercenaries, English ones, etc. On the other hand, there really can be pockets of expertise, which is why I'm asking.
posted by Joe in Australia at 2:45 PM on May 14 [2 favorites]


I think it's uncontroversial that the Israeli defense and intelligence establishment has invested heavily in its own infosec capabilities, both offensive and defensive. There's also a thriving general tech sector in Israel, so it's not that surprising to me that we're seeing a lot of infosec work coming out of there, just from a comparative advantage perspective. Add to that that there's a tendency for what seems from the outside like conspiracy thinking (e.g. the persistent rumors that Kaspersky Labs is a Russian government cat's paw, which to the best of my knowledge have never been substantiated) and I think that's how we end up talking about things this way.

Totally agreed that it's worth interrogating the conscious and unconscious biases around this conversation. That's why I came in in the first place.
posted by asterix at 2:47 PM on May 14 [1 favorite]


Nikaspark, is it your assessment that the stuff coming out of Israel is genuinely advanced, or has "Israeli security!!!1!" just become a marketing tool?

That's a damn good question and I think you'll probably find a mix of both.
posted by nikaspark at 3:18 PM on May 14 [8 favorites]


I think the Israel thing is potentially a derail, but it is not particularly controversial that the Israeli government has actively supported the cybersecurity industry there, and government/industry cooperation is more close than e.g. the US.

From The Times of Israel, 6 Nov 2018:
Part of the reason why Israel is leagues ahead of other countries in terms of cybersecurity is because the government has taken an active role in pushing the industry along. There is constant collaboration between the government, universities and businesses. The government usually takes an advisory role, guiding things along. [...] The military is also playing a major role in pushing the industry forward. The 8200 Unit, which is an elite part of the Israeli Defense Force, is actually serving as a training ground for some of the top cybersecurity companies in the world. [...] The military recruits individuals with strong language and computer skills when they enter the armed forces at the age of 18. They spend three years working on cybersecurity before heading back into civilian life. [...] Going beyond the military, Israel is the only country in the world that offers cybersecurity as an elective in high school and is the first country to offer a PhD in cybersecurity. The country has six university research centers dedicated to cybersecurity. To say that Israel takes cybersecurity seriously is an understatement.
So, yeah. Israel is a huge exporter of cybersecurity tools and services, because there's been a huge public-sector investment of both financial and human capital into the field.

However: IMO, it would be a mistake to assume Israel or Israeli firms are necessarily the best; China, Russia, and Iran, among others, have poured a lot of resources into cyber as well, and it's harder to gauge what they've gotten for their investment. And Israeli firms certainly have every reason to play up the cachet, in the same way Audi or BMW have reason to play up the mystique of "German engineering".

Anyway, re WhatsApp, if it's true that they bolted on some off-the-shelf VOIP stack not designed for secure applications and called it a day, that really says nothing good about how seriously they are taking their users' security and privacy. Yet another item in the very long list of reasons to use Signal, not WhatsApp.

The ongoing (though comparatively not as bad, in the sense of not being a reason for most people not to use it) downside to Signal is that they insist on making you reveal your PSTN phone number to create an account; so while they are secure, they are very much not anonymous. This is a valid design choice -- anonymous communication networks tend to be very prone to abuse, and Signal probably doesn't want to become known as the new go-to place for swapping child porn or hiring hitmen -- but I don't think its implications are necessarily obvious to users. You need to be very careful about revealing your Signal username in public, since it could be traced to a phone number, and that phone number back to you. Even if you use a burner phone to obtain the number, it's becoming more and more difficult to acquire phone numbers without leaving traces, and in the next few years I expect it will be made legally impossible and practically very difficult (as well it should, because fucking spam calls have ruined the public phone network basically overnight, so aggressive deanonymization of phone numbers is pretty reasonable). The solution is to stop using phone numbers as unique pseudonymous IDs; it's nearly as bad, in terms of using something in a way it was definitely not designed, as using SSNs as shared secrets for user authentication.
posted by Kadin2048 at 8:05 PM on May 14 [7 favorites]


Last I checked (within a year), it was still possible to pay cash for a burner phone on a throwaway network like, in the US, TracFone. It is, for sure, getting more and more difficult to do that. More cell networks are requiring some kind of secured financial instrument (a non-anonymous, secured-by-credit-score, credit card) as part of signup, and it's getting harder to use or obtain good, anonymous or semi-anonymous currency to dump into an anonymized (pre-paid) credit account. Especially without inadvertently committing fraud as part of set-up.

Also, because as you say, many services seem to require and use a real phone number in lieu of a more appropriate unique, trackable, securable ID, in order to keep an anonymous or pseudonymous set of accounts divorced from identifiable information about you, those services are making it harder and harder to just set up anon identities using true burner phones - these days it's more common to have to set up a "burner" phone that you keep, instead of throw away, and keep active on a cell (data) network so you can receive occasional OTPs sent to the device through the cell network or SMS service.

Agreed also about supremacy/skill/ability in security and defense. I think because of, for instance, popular culture shows like NCIS, Israeli entities (state and private, within Israel proper) get a boost in the US in terms of their reputation. But we can't know, until after they somehow prove themselves, and probably until after the long lens of history allows us to look back, who's actually the best at these skills and talents.

It's sort of like how we didn't understand the changes that the NSA suggested for 3DES until many years later, and our general distrust was replaced by a realization of how far ahead of non-NSA cryptography researchers they were, in that they knew these risks and improvements so far in advance of us. Sometimes we just don't know who the badasses are until they happen to us.
posted by kalessin at 9:26 PM on May 14 [1 favorite]


Little Dawn, I don't think it's reasonable to present this as "Signal has previously been compromised", as the EFF notes:
First, the good news: Dark Caracal does not mean that Signal or WhatsApp themselves are compromised in any way. It only means that attackers found new, insidious ways to create and distribute fake Android versions of them. (iOS is not affected.) If you downloaded your apps from Google’s official app store, Google Play, then you are almost certainly in the clear.
Essential to Dark Caracal was a campaign about getting people to install compromised APKs outside of the usual app store channels. (And on that front, I've got some opinions about being a Fire tablet user and how Firefox links to their APKs from a freakin' wiki). However, past performance is no indicator of future success, as their comment about WhatsApp shows.

I tend to at least think that the Signal developers' hearts are in the right place, and they're open source, both of which put them steps ahead of WhatsApp in terms of trustworthiness.
posted by straw at 9:43 AM on May 15 [2 favorites]


Last I checked (within a year), it was still possible to pay cash for a burner phone on a throwaway network like, in the US, TracFone.

IIRC, alleged terrorists have been traced by tying the phone to its place of purchase and examining security camera footage. This may be a good thing! The idea of untraceable phones is attractive, but real-life anonymity is just as toxic as anonymity on the Net. This isn't a new thing: people harassed and bullied their neighbours in the pre-electronics era with "poison pen letters", and they secretly denounced them to the police. Doing it with a phone is faster and cheaper, but the effects are the same.
posted by Joe in Australia at 3:09 PM on May 15


It is, for sure, very difficult. I think I tend toward wanting privacy/anonymity (or at the very least, pseudonymity, that would be non-trivial for non-state-actors to tie back to real individuals) available, and I want our law enforcement and intelligence-related enforcement organizations to have to work hard to identify abusers, harassers, and terrorists.

I think that privacy/anonymity/pseudonymity is a vital part of freedom of expression and freedom of the press, and I still think that those freedoms are helpful for keeping us away from fascism, and allowing marginalized people the ability to express dissent to the biased status quo.

But I know it's difficult, because we want to protect what we have, and it feels like a big risk to make these tools also available to people who would do us harm.
posted by kalessin at 3:14 PM on May 15 [1 favorite]

