The implications of the WhatsApp security breach
Despite everything it said about communications being encrypted and thus safe, WhatsApp has been hacked. Any attack on popular software could potentially affect billions of users. While this vulnerability has been patched, users need to be aware that the software they use daily might not be secure.
Said Oded Vanunu, Head of Products Vulnerability Research, Check Point Software Technologies: "The issue affects WhatsApp for Android and iOS. The vulnerability, identified as CVE-2019-3568, can successfully be exploited to install the spyware and steal data from a targeted Android phone or iPhone by merely placing a WhatsApp call, even when the call is not answered.
"Also, the victim would not be able to find out about the intrusion afterward as the spyware erases the incoming call information from the logs to operate stealthily. Still open – in order to escape the sandbox to the OS we assume more zero days were used."
A zero-day vulnerability is one for which there is no remedy available as yet.
Nabil Hannan, Managing Principal – Financial Services, Software Integrity Group, Synopsys, added: "The risk with this incident is that any WhatsApp user, based on their phone number, could technically be targeted. Using the buffer overflow issue, attackers can install malware allowing them to reach communications conducted on that user’s device."
"Any and every WhatsApp user is at risk. Technically anyone can be attacked, whether intentionally or accidentally. In this case the hackers seemed to have specific targets in mind, but other attackers could learn about the issue and then exploit other specific users or a wide range of users," he stressed.
Carl Leonard, Forcepoint’s Principal Security Analyst, noted that while a software update has been issued, the malware itself is extremely sophisticated. "Attacks like these have huge privacy implications. Traditionally, malware developed by sophisticated threat actors leaks into the wider cybercriminal ecosystem and is repurposed for financial gain, targeting the mass market. This is early days for this particular malware but it is critical to patch, and turn on auto-updates if possible, and for all applications, not just WhatsApp," he said.
Vanunu commented that popular applications will continue to be targeted. "We are seeing that vulnerabilities on mobile platforms are worth a lot of money. For example, in the Zerodium price list they are willing to pay up to US$1 million for a WhatsApp vulnerability that will allow running remote code," he said.
The best that users can do is keep up to date with the app and to report unusual behaviour, Hannan said. Leonard agreed. "A victim’s device would act very differently than a non-infected device, and while no details of the actions taken by this malware have emerged, one could assume that an attacker may seek out bulk contact lists, email data, location data or other personal information," he said.
Dylan Castagne, MD, Retarus Asia, commented that best practices are needed to ensure the secure and efficient transmission of information. He is in favour of leveraging established standards such as short message service (SMS, or text messages) instead of proprietary systems such as WhatsApp in business communication.
"Additionally, this reflects the need for organisations to significantly up their game in detecting, investigating and remediating intrusions across all communications avenues. With advanced threats seen to continue surpassing the capabilities of security mechanisms and cyber criminals devising new methods to infiltrate networks and exploit attack vectors, including messaging applications and emails, the value of being conscientious and vigilant in today’s digital era cannot be over-emphasised," he said.
"Utilising managed security service providers over traditional security tools also provides enterprises with the added advantage of having regular feature enhancements and upgrades that can better thwart modern cyber security threats."
"Rather than using a threat-based approach (where security professionals block individual threats, one by one) using a behaviour-based approach can pay dividends. By analysing the normal behaviour of a device, or in enterprise terms, any entity on a system, security professionals can act on the anomalies and stop even the most sophisticated attack quickly," Leonard said.
According to a Business of Apps blog post updated in February 2019, there are:
- One-and-a-half billion users in 180 countries, including 3 million users of WhatsApp Business
- One billion daily active WhatsApp users
- India is the biggest WhatsApp market in the world, with 200 million users (it is estimated in some quarters that this has increased to 300 million)
- Sixty-five billion WhatsApp messages sent per day, or 29 million per minute, and 55 million WhatsApp video calls made per day, lasting 340 million minutes in total
- From May-July 2018, 85 billion hours of WhatsApp usage were measured
Explore:
Read the Check Point blog post on how the WhatsApp hack happened