Google's Project Zero team investigated WhatsApp's and Facetime's video conferencing last year:
"Overall, WhatsApp signalling seemed like a promising attack surface, but we did not find any vulnerabilities in it. There were two areas where we were able to extend the attack surface beyond what is used in the basic call flow. First, it was possible to send signalling messages that should only be sent after a call is answered before the call is answered, and they were processed by the receiving device. Second, it was possible for a peer to send voip_options JSON to another device. WhatsApp could reduce the attack surface of signalling by removing these capabilities."
"Using this setup, I was able to fuzz FaceTime calls and reproduce the crashes. I reported three CVEs in FaceTime based on this work."
In both cases, the close source nature of the applications stymied their efforts. Looks like NSO was willing to spend more time and resources!
Why do you say that? In the WhatsApp case, they were able to repeatedly modify the code and also yank it out and run it in their own controlled environment, etc.
That's probably what they're referring to.
And, frankly, the Israeli industry has much to gain by advertising their prowess in order to bolster their IT security bone fides internationally. American firms are probably more discrete, so tabulating widely published exploits by country of origin wouldn't be a great metric to determine which country is doing the most work crafting exploits.
Absolutely. The Israeli Cybersecurity brand is built partially on such (sometimes unsubstantial) PR.
The bubble is doing well though! almost 500 startups, > 1Billion$ VC funding in 2018 alone. Devs are happy.
But maybe I'm wrong and we'll see 100 Mobileyes in the coming decade.
unsubstantiated (adj)- not supported or proven by evidence.
unsubstantial (adj)- lacking material substance
I see what you did there.
Frankly, these products are likely unmaintainable long term without a total refactoring of the codebase, nevermind the abject lack of security.
The trick with these vendors is the codebase will never see serious improvement, as these basestations aren't going to be sold for the next decade, so Huawei will do the bare minimum and shelve support in short order.
Network security is piss poor, most of these vendors add vulnerabilties atop secure distros (OpenWRT, Debian, etc) and flog it as the best thing since sliced bread.
You can say that people who sell vulnerabilities to unaffiliated-seeming, neutral-seeming, innocuous-seeming brokers ought to know better where their work is going to end up, and I suppose that's true, but it's still not the same dynamic as exists with Blackwater.
But XE/Blackwater/whatever has plenty of support staff enabling operators overseas. Just because you don't carry an M4 while you cash your check from the organization doesn't mean you aren't helping them in their missions.
If you sell vulns and tools to spyware firms, you know exactly who the most likely high bidders are. It ain't the Bill and Melinda Gates Foundation.
I'm not saying that makes it OK (I think the opposite thing, in fact, though I feel like I always need to add the disclaimer that the kinds of bugs that have commercial/operational relevance aren't the kind I develop). I'm saying that the dynamics are different than they are with Blackwater.
The vast majority of employees at these firms work for Aramark, or its equivalent.
I don't know enough about Hacking Group to know how closely they work with the people they sell to.
So, nope. Introducing security bugs and backdoors just makes it insecure for everyone.
There is also a black-market that can be even more lucrative. A bug could be jackpot for criminals.
See also https://en.m.wikipedia.org/wiki/Market_for_zero-day_exploits
So yes, I'm pretty sure that there are various teams, including white-hats such as Google, black-hats, nation-states such as China / Russia, analyzing each and every update.
There was also an interesting article on hackernews a while back demonstrating the technique, there are some nice tools for this. Sorry, can't find the link now.
But here's the fun part. Here are the corporate denials:
- Google: "We have not joined any program that would give the U.S. government direct access to our servers."
- Apple: "We do not provide any government agency with direct access to our servers."
- Facebook: "We do not provide any government organization with direct access to Facebook servers."
And so on. An exploit with plausible deniability enables these companies to make these comments completely truthfully, and at least mostly truthfully if they claim they are not providing a backdoor. But more to the point, there is absolutely no reason these companies would all say "direct access" as that's very specifically a subset of "access." If you do not facilitate direct or indirect access, why would you not simply say access? If this were a one-off thing, that'd be one thing since on occasion some PR is... odd. But literally all the companies were saying the exact same very peculiar thing. That's not a coincidence.
 - https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%...
On Android, WhatsApp seeks a wide array of permission-controlled APIs. It does so on iOS as well. Once granted, the app has access to any data available through access-allowed APIs.
App code goes through an audit process to ensure that the app isn’t using accessible APIs inappropriately, and doesn’t permit unapproved code execution.
This vulnerability allows an attacker to execute unapproved code in the WhatsApp context. Any API that iOS or Android offer WhatsApp under normal circumstances is now attacker-controlled.
The two questions unanswered by the press to date are simple. On iOS and on Android, can the attacker’s code be terminated by force-quitting and uninstalling WhatsApp?
Either the attack is persistent only because it sets up shop inside the app, which may have OS-granted background and/or screen-off execution rights, and thus can be terminated simply by quitting and removing the app — or, the attack gains persistence beyond the confines of the app.
Media reports are unclear on this point. If the OS offers apps endpoints that an app executing attacker-controlled code can use to infect the OS with persistent attack code that executes outside the app’s boundaries and remains after app uninstallation, then that’s absolutely a flaw in the design of the OS. As you say, “Android and iOS vulnerabilities”.
Is this the case?
AFAIK, there's no permissions which allow you to read SMS messages, take screenshots (unless jailbroken), access photos in the background, access the camera in the background etc etc
Does this just spy on the users Whatsapp activity, or spy on the user in a broader way?
How could the API's whatsapp does have access to be abused?
The app is infected, calls a 0-day using an illegal parameter that’s normally rejected by app store filters, and gains a permanent beachhead in your Android system services list.
> access photos in the background
Unclear. Apps can show thumbnail galleries of your photos within their native UI, so it may well be possible for them to continue directly to reading photos.
> access the camera in the background
Unclear. Does FaceTime continue transmitting video when the phone screen is turned off? Is it possible to capture stills or video when the screen is off on a jailbroken phone?
> or spy on the user in a broader way
Android WhatsApp seeks permission to read your SMSes, so that would be almost certainly correct as well there.
There's no possible way to read SMS messages programatically in iOS for example, the closest you get is reading one time passwords sent, and you can only do that when the user has the keyboard open when the SMS is received.
I know Android is slightly more lax in this (and some other) regards. I wonder if Android whatsapp users targeted by this exploit have had more data exposed than iOS users targeted by the same exploit?
If I were a nation state attacker, I would be thrilled to find that my target was Android.
Google photos on iOS is able to upload my photos in the background so its possible
Background audio access on iOS presents a bright red indicator on all non-app screens that can neither be hidden nor removed, as it’s baked into the OS. iOS may require a separate permission dialog for “capture video with sound” and “record sound with/out screen on”, I don’t know. I doubt Android bothers to do any of this.
Is this simply for performance, or to enable code-sharing across Android and iOS? Is there anything about WhatsApp's use-case that would prevent an implementation using managed code?
However, two API levels of compat. seems like a good trade to me in order to avoid an RCE.
Less than 0.3% of Android users globally use an incompatible API level. If we assume this applies equally to the WhatsApp userbase (and old-Android users are represented with the same proportion in the active monthly users figure) and use 0.3%, we have 2.8 million potentially impacted users. At the current rate of about 1M new users per day, it'd take two or three days for this small slice of the userbase to be replaced.
It would've been losing 0.0219% of their userbase to avoid an RCE that impacted 100%. Now, how much revenue did those users bring in? And how much has this announcement damaged facebook's share price?
Besides, I think if it was from any other developer, probably it would be removed from the AppStore and force delete from user devices.
Before someone says something about government surveillance of fiber cables. Yes, that is also bad, but exploiting vulnerabilities to install spyware on peoples phones... It crosses yet another line that shouldn't ever be crossed.
Gamma Group is an Anglo-German company that provides similar surveillance software with government blessing and endorsement. Hacking Team (Italian company) sells similar surveillance software to various European governments. Before an embarrassing data breach in 2015 they also used to sell surveillance software to various totalitarian regimes outside Europe.
Why do you think they stopped selling to those regimes? (I didn't follow the issue after it disappeared from the news)
You've led a very sheltered life if you think the Russians and the Chinese have been more evil than the Americans or the Israelis. I suggest reading history - a lot of it. When it comes to governments there are no good guys, only bad guys.
The Russians and Chinese are doing many things worse than what the US does: Ukraine, the Uighurs.... Both are far less bound by the rule of law. Neither have any serious form of democracy.
False equivalence is a specious but dangerous form of reasoning.
Can you provide a decent source for your millions of casualties claim or for you claim about the US toppling more Governments than Russia/China? I bet you can’t.
Judging by your username I believe you know some things about history. Why spread false info?
It's not that hard to believe surely? There have been plenty of other reports showing similar numbers.
Russia/Soviet Union is roughly on par with the US on the invasion/occupation/regime change count -- of course they did it mostly in eastern Europe, the Caucasus and the MENA region rather than in Latin America.
Anything that goes unencrypted over the internet is (a) public and (b) liable to be changed by anyone on transit. It's like a travelling wikipedia article.
The MySpace era was a simpler time...
In foreign policy it’s more balanced (supporting Syria vs Saudi Arabia) but even there, Russia is clearly trying to subvert foreign democracies. China is (perhaps reasonably) pushing for more power in Asia. And while the US support for human rights is patchy, China’s is non-existent.
Then there’s the Palestinians... (sigh)
A close friend of mine was held in custody in the US based on false accusations by a police officer.
The police officer later admitted the false accusations to the judge, that he just wanted to "scare him a bit". The judge nodded, proceeded to aquit him of all offenses exept the speeding ticket which he deserved, and off he went.
For example, in my own country, Romania, US religious groups stoked local religious groups to initiate a referendum to change of our constitution to ban gay marriage (they actually made it through all the steps and the referendum was held, but so few people showed up to vote that it fell through). Would this count? It was done through false news and propaganda (and probably some minor corruption, but that's just par for the course), but otherwise through legal means - same as all modern Russian influence in Europe that I've heard of.
Let's not forget that the US has explicitly assassinated its own citizens for 'suspicion of terrorism' as well, though they're at least not assassinating their own citizens on their own territory, and not in the kind of huge numbers that Russia and China are.
MKULTRA, guantanamo, Stuxnet, PRISM and other 3 letters agency abuses , &c. and that's only the stuff we know about.
> Then there’s the Palestinians... (sigh)
Grand total, you are talking about a couple thousand people over half a century.
China does worse in a month in Xinjiang. The excesses of western nations stand out like a sore asshole so badly because they are such exceptions to the general rule of law they experience.
Yep, manufacturing of consent at play.
But this aside, I have a friend who worked in Israeli company whose main business was to sell phone exploits and customer data by using the still very insecure SS7. Basically they were registered as voip operator, but according to my friend that was only a cover, and the real business was selling surveillance data they were gathering via SS7.
source - Art of War, probably...
They're build by any government/entity having sufficient resources to build them, there is no good or bad guys in that story.
By them, I’m not surprised. And I’m not being anti Semitic. I’m just calling fact.
Also, as an Israeli, I can 100% confirm that Israelis have absolutely no issues with crossing any kind of boundary. The fact that others think that such a thing as "boundaries" exist only serves as an advantage.
Basically, you’re either dealing with Mossad or not-Mossad.
If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru.
If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them.
Threat: The Mossad doing Mossad things with your email account
Solution: Magical amulets? Fake your own death, move into a submarine? YOU’RE STILL GONNA BE MOSSAD’ED UPON
(That's perhaps a little too light-hearted humor, considering the youtube link in the post I'm responding to...)
If I do a quick samples of people I know, there’s a super high correlation in being a hacker/developer and not using Facebook. Maybe they should try HN instead.
Have fun in the submarine!
That's basically Israel's attitude on anything: doing anything they want without any kind of boundaries, then denying brazenly they did it, while doing it again and again. Like having snipers shooting at thousands of civilians, kids, journalists, paramedics, who are protesting inside their own borders.
That’s actually a time-honoured Russian/Soviet SOP, currently embodied by Mr. Sergey Lavrov.
The USSR had a lot of influence on early Israel, and it shows in many little things like this.
The term used to have a very negative connotation, but interestingly, Google says "usually used approvingly". It seems to fit pretty well the descriptions of the "rudeness" and "boldness" in common Israeli culture.
Also seems to be a pretty accurate description of SV/startup culture too...
Ugh... this is so myopic and sounds like you're intentionally not telling the truth.
all those "kids", "journalists", and "paramedics" were shown to be carrying bombs or other explosives.
I'm not arguing that terrorists/soldiers/murders were killed, you are the one claiming that a reflective vest puts someone above the law.
On top of the 1000s of staged or edited photos/videos coming out of pallywood on a daily basis it's nearly impossible to take anyone making such claims seriously. as they are almost always full of misinformation/lies.
Sorry, maybe I wasn't clear. I didn't mean that all the people shot by snipers (not killed- just shot, usually in the legs and often causing permanent disabilities) were kids or paramedics or journalists. I was questioning your statement that "all ... were shown to be carrying bombs or other explosives". It's quite a categorical statement, and almost certainly wrong.
Also your unbridled hate for all things jewish kinda outs you as a biased party.
Security research is the continual process of discovering that your spaceship is a deathtrap. However, as John F. Kennedy once said, “SCREW IT WE’RE GOING TO THE MOON.” I cannot live my life in fear because someone named PhreakusMaximus at DefConHat 2014 showed that you can induce peanut allergies at a distance using an SMS message and a lock of your victim’s hair. If that’s how it is, I accept it and move on. Thinking about security is like thinking about where to ride your motorcycle: the safe places are no fun, and the fun places are not safe. I shall ride wherever my spirit takes me, and I shall find my Gigantic Martian Insect Party, and I will, uh, probably be rent asunder by huge cryptozoological mandibles, but I will die like Thomas Jefferson: free, defiant, and without a security label.
This I like.
Maybe as an Israeli you can see the hypocrisy in stating that there are no boundaries when, if it wasn't for a large part of the world deciding that in fact there ARE boundaries that should not be crossed, the Nuremberg trials would never have been held and Israel would not exist at all.
But you go ahead and ignore your own history.
"I'm crazier than you are." has always been the US position re strategic nuclear weaponry.
Israelis in general are very blunt and perfectly willing to question superiors and voice opinions and questions in situations where Americans never would. This includes the military where subordinates would question a superior in a way that would never fly in an American military (and probably others).
Israelis on the street will voice opinions to strangers in a way that would be perceived as incredibly rude elsewhere, but is normal in Israel.
Well, they claim they are but you don't see anything at least from outside.
From outside it seems they are easily buying whatever government is selling to them. Working on surveillance projects is rather embraced and you even receive strong social support for it.
So I don't get how do you compare it to the US! Whereas in the US you would have a hard time to convince people to work on surveillance projects and even then often people end up having a hard time with their moral values even when they are not directly doing anything wrong.
Not to mention many anti-surveillance activists are based in the US. I believe that is a very unfair comparison.
The truth is every country you look people are a bag of goods and bads and they manage to find greedy people to work on surveillance projects even in the EU.
> Working on surveillance projects is rather embraced and you even receive strong social support for it.
That's right, because there's nothing wrong with it.
> So I don't get how do you compare it to the US!
Because I'm not comparing surveillance projects, I'm comparing modes of speaking.
> Whereas in the US you would have a hard time to convince people to work on surveillance projects and even then often people end up having a hard time with their moral values even when they are not directly doing anything wrong.
Because it's quite obvious to the ordinary Israeli that surveillance projects save lives, so obviously they would want to work on it.
The US isn't under quite the same level of attack, although it's far from clear there is supposed to be something wrong with it in the US either.
What do you mean, for example?
You're fighting with your teen, in the US everyone would turn away and pretend not to hear, in Israel they'll just openly talk to you about their own teen and what they did, etc. and then half the bus would chime in. They're all really nice about it mind you, just trying to help.
Israelis think of everyone as part of their personal family, even strangers are really distant relatives, is I guess a good way to put it.
I don't necessarily agree, but that's just how it is.
Why isn't anyone mad at Apple who (falsely) advertises iOS as being "Secure By Design?"
Huh? This is Israel.
And some of us are mad at Google and Apple for selling such insecure-by-design junk. By that I mean that apps are trusted more than (and can't fully be controlled by) device owners.
Knowing nothing about the company in question, I'm still certain that most of its founders, investors and employees come from 8200. So, government doesn't need to be formally involved in any way, it's just the same social circles, everybody just knows everyone.
Otherwise, it is your choice, whether you need a distinction like that. I don't see how it might be useful.
Edit: see https://en.wikipedia.org/wiki/United_Nations_Security_Counci...
The entire UN Security Council officially recognized this, with even the US not using their veto power (they abstained).
Is this a subtle reference to the Israeli occupation of Palestine?
Isn't this how villains in Marvel movies work?
> Stuxnet targets SCADA systems and is believed to be responsible for causing substantial damage to Iran's nuclear program. Although neither country has openly admitted responsibility, the worm is believed to be a jointly built American/Israeli cyberweapon.
Whatever lines there were, they have long been crossed.
Instead, flag the comment. Other users did that, which killed the comment and alerted us so we could ban the account. In egregious cases, you can also let us know about it at firstname.lastname@example.org.
how about telling us how to check if this exploit was used, how to remove the spyware, etc?
Would be nice to have a tool that everyone on the planet could use to run against those backups and find a common source of the infections, along with an idea of when it was found in the wild.
FWIW, I'm an Android user.
If there's a vulnerability in Whatsapp, the injected code should only affect Whatsapp.
Otherwise, it's (also) a vulnerability in iOS.
However, it's impossible to really know for sure as the server component for calls is a proprietary black box.
I will be surprised, if this vuln allows the attacker control outside of the WhatsApp app sandbox to other parts of iOS.
(I will be less surprised if the above is possible in Android)
I thought that changed after migrating to WebRTC? Although I haven't tried to spin up my own Signal server, modify the APK and see what works and doesn't work.
"Affected versions: ... WhatsApp for iOS prior to v2.19.51"
The news outlets are all telling us to update, but until WhatsApp/Apple get their act together, there's no point. Worse still, people won't realise they need to do it again and will remain vulnerable indefinitely.
> You can now see stickers in full screen when you long press a notification
If that’s how we encourage critical security updates, I’ll suspect that Facebook themselves are behind all of this.
I assume the stickers thing truly was the most notable patch, and they didn’t want to scare people & tip off the attackers.
At least say something like “bug fixes”. Some kind of carrot to discourage me from thinking “Total waste of time and too many developers”.
"The issue affects WhatsApp for Android prior to v2.19.134"
Isn’t Sandboxing supposed to prevent this from getting any worse than hacking the app itself?
Some of the largest data breaches in the last few years related to facebook
They continue do whatever they want
GDPR made no difference at all... Only hurt the small-medium business
FB, Google, Aamazon just keep doing whatever they want, protected by army of lawyers
I wouldn't call that kind of title edit (taking out a country name) a policy. We have an ad hoc bag of tricks and sometimes we use one and sometimes another, depending on what feels needed. Do I know how unsatisfying that sounds? You bet. Do I get how it opens us to accusations of bias? I do, better than anyone else does. But the threads are too complicated to be managed with precise formalizations.
Messaging app discovers vulnerability that has been open for weeks
NSO's Pegasus software can allegedly penetrate any iPhone via one simple missed call on WhatsApp
Mehul Srivastava in Tel Aviv MAY 13, 2019 Print this page
A vulnerability in the messaging app WhatsApp has allowed attackersto inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said.
WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function.
The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack.
WhatsApp is too early into its own investigations of the vulnerability to estimate how many phones were targeted using this method, a person familiar with the issue said.
As late as Sunday, as WhatsApp engineers raced to close the loophole, a UK-based human rights lawyer’s phone was targeted using the same method.
Researchers at the University of Toronto’s Citizen Lab said they believed that the spyware attack on Sunday was linked to technology developed by NSO, which was recently valued at $1bn in a leveraged buyout that involved the UK private equity fund Novalpina Capital.
NSO’s flagship product is Pegasus, a program that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data.
NSO advertises its products to Middle Eastern and Western intelligence agencies, and says Pegasus is intended for governments to fight terrorism and crime.
In the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones.
WhatsApp said that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability. It began rolling out a fix to its servers on Friday last week, WhatsApp said, and issued a patch for customers on Monday. The US Department of Justice has also begun looking into the situation.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said. “We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”
NSO said it had carefully vetted customers and investigated any abuse. Asked about the WhatsApp attacks, NSO said it was investigating the issue.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said. “NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual [the UK lawyer].”
NSO declined to comment on whether it had hacked WhatsApp’s messaging service, and marketed the technology to clients, or on the US DoJ inquiry.
The UK lawyer, who declined to be identified, has helped a group of Mexican journalists and government critics and a Saudi dissident living in Canada, sue NSO in Israel, alleging that the company shares liability for any abuse of its software by clients.
John Scott-Railton, a seniorresearcher at the University of Toronto’s Citizen lab, said the attack had failed.
“We had a strong suspicion that the person’s phone was being targeted, so we observed the suspected attack, and confirmed that it did not result in infection,” said Mr Scott-Railton. “We believe that the measures that WhatsApp put in place in the last several days prevented the attacks from being successful.”
Other lawyers working on the cases have been approached by people pretending to be potential clients or donors, who then try and obtain information about the ongoing lawsuits, the Associated Press reported in February.
“It's upsetting but not surprising that my team has been targeted with the very technology that we are raising concerns about in our lawsuits,” said Alaa Mahajne, a Jerusalem-based lawyer who is handling lawsuits from the Mexican and Saudi citizens. “This desperate reaction to hamper our work and silence us, itself shows how urgent the lawsuits are, as we can see that the abuses are continuing.”
On Tuesday, NSO will also face a legal challenge to its ability to export its software, which is regulated by the Israeli ministry of defence.
Amnesty International, which identified an attempt to hack into the phone of one its researchers, is backing a group of Israeli citizens and civil rights group in a filing in Tel Aviv asking the ministry of defence to cancel NSO’s export licence.
“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” said Danna Ingleton, deputy director of Amnesty Tech.
“The Israeli ministry of defence has ignored mounting evidence linking NSO Group to attacks on human rights defenders. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.”
Copyright The Financial Times Limited 2019. All rights reserved.