BreachExchange mailing list archives
A serious hack hit WhatsApp. You should update your app right now
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 14 May 2019 08:11:16 -0500
https://www.wired.co.uk/article/whats-app-hacked

WhatsApp's default end-to-end encryption is one of Facebook's biggest security assets – but even this doesn't help when the app itself is attacked. Mark Zuckerberg's company has found a sophisticated cyberattack has been used to exploit a weakness in the messaging app that's used by more than 1.5 billion people worldwide.

In early May security engineers at the company found a software flaw in the audio call function of WhatsApp. The issue meant that phone calls made to both Android and iPhone versions of WhatsApp could allow malicious software, which conducts surveillance on a user's behaviour, to be installed.

Bugs in the coding of software crop up all the time, but this is different. What makes this case particularly alarming is WhatsApp believes it is more than just some problematic language within its app. The security vulnerability appears to have been actively exploited and used as a method of surveillance.

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” a WhatsApp person said in a statement.

The Financial Times, which first broke the story, says the software comes from Israeli firm NSO Group. The company is well-known for creating phone hacking technology. It is reported a London-based lawyer behind lawsuits against NSO, Mexican journalists and activists, a Saudi dissident, and a Qatari citizen had spyware installed on their phones using the method. It is unknown who carried out the attack. A NSO spokesperson said its technology is used by intelligence and law enforcement agencies around the world and the company itself "would not, or could not, use its technology in its own right to target any person or organisation."
“We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society,” a WhatsApp spokesperson said. At this stage of its internal investigation the company has not revealed how many people may have been impacted.

Because the attack is aimed at individual phone numbers, it is likely that it may have been used to target specific individuals and not as part of an indiscriminate attack en masse. However, installing spyware on phones is highly intrusive and even if it was successful in a small number of cases it is likely to have provided an attacker with huge amounts of information.

Spyware software can record and access everything that is done on a mobile phone, before sending the data back to the attacker. Because spyware operates on a handset, it is able to see the end-to-end encrypted messages, such as those sent through WhatsApp, as it has direct access to what is happening on the device.

WhatsApp says its engineers have been working solidly to fix the flaw since it was discovered. It has detailed the issue in a short security posting. It says the vulnerability in its VoIP calling software allowed code to be remotely executed on a device. The attack could be successful even if phone calls made to a phone were not answered.

How to update WhatsApp to the latest version

So what can you do? The most important step you can take to make sure your phone can't be compromised through this WhatsApp attack is to update the version of the app that's running on your device.

Facebook has released an updated version of its app for Android and iOS – it will stop the attack from being run and disable it if it has already been executed.
The company says Android versions of its app before v2.19.134 were impacted and iOS versions before v2.19.51 could be exploited. The attack also worked on Windows Phone and Tizen versions of WhatsApp.

On Android to update WhatsApp you need to visit the Play Store, tap menu, enter the apps and games section then select the update option next to the app. Similarly on an iPhone or iPad, visit Apple's App Store, go into the updates section and then tap next to the WhatsApp icon to get the latest version of the app. It's a simple fix that will take a few minutes to download and while you are in the app stores, make sure to update any other apps that have new versions.

While it won't do anything to protect against this attack, there are some other basic WhatsApp security protocols that can be managed to help keep your account more secure.

WhatsApp gives the option of allowing conversation back-ups to the cloud service of your choice – iCloud and Google Drive are options. While these may be useful for looking back at your old messages in the future, they don't have the same protection as the end-to-end encrypted versions of the messages. Chat logs stored on cloud services are still encrypted but because they're being stored by external companies, it's possible for police or law enforcement agencies to request copies of the data from the third-party hosts. It's possible they could then be decrypted. Investigators in the US Mueller inquiry used the method to access chat logs. Back-ups can be turned off in WhatsApp's settings.

It's also possible to use two-factor authentication on WhatsApp. Turning the setting on will periodically require you to enter a verification code, which is set by the user, before you can access chats in WhatsApp. Although it won't stop spyware from getting at the information on your device, two-factor authentication can help to stop your WhatsApp chats being accessed if your phone is stolen or lost.
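A defender triaging a device fleet against the version thresholds quoted above would want a numeric version comparison rather than a string one (as strings, "2.19.51" sorts after "2.19.134"). The script below is an added example, not code from the article or from WhatsApp; the fixed-build numbers are the ones the article gives, the inventory lines are constructed, and Windows Phone and Tizen are flagged for manual review because the article names them as affected but gives no fixed build.

```python
# Minimum safe WhatsApp builds as stated in the article: installs at or above
# these are treated as patched. Values are from the page, not an official feed.
FIXED_VERSIONS = {
    "android": (2, 19, 134),
    "ios": (2, 19, 51),
}
# The article says these platforms were affected but gives no fixed version,
# so devices on them are flagged for manual review rather than auto-classified.
AFFECTED_NO_FIX_GIVEN = {"windows_phone", "tizen"}


def parse_version(text: str) -> tuple:
    """Turn 'v2.19.134' into (2, 19, 134) so comparison is numeric.

    A plain string comparison is wrong here: '2.19.51' > '2.19.134' as text,
    which would mark a vulnerable Android build as patched.
    """
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def assess(platform: str, version: str) -> str:
    """Classify one installed build as 'vulnerable', 'patched' or 'review'."""
    platform = platform.strip().lower()
    if platform in AFFECTED_NO_FIX_GIVEN:
        return "review"
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        return "review"  # unknown platform: do not silently assume safe
    return "patched" if parse_version(version) >= fixed else "vulnerable"


# Constructed sample inventory export (platform,version); not real device data.
SAMPLE_INVENTORY = """android,2.19.134
android,2.19.51
ios,2.19.51
ios,2.19.50
tizen,2.18.300
"""


def triage(inventory: str) -> dict:
    """Count devices per outcome from a platform,version inventory dump."""
    counts = {"vulnerable": 0, "patched": 0, "review": 0}
    for line in inventory.strip().splitlines():
        platform, version = line.split(",", 1)
        counts[assess(platform, version)] += 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```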
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange