Last month’s hack of the WhatsApp messaging service served as a stark reminder to both businesses and consumers of the risks posed by such applications, and of how little they can do to protect themselves and their data against future attacks. In this blog post, Daniel Follenfant, Senior Manager, Penetration Testing, Consulting Services at NTT Security, takes a closer look at the attack and provides some basic steps to reduce the risk of your security or privacy being breached.
In the case of the WhatsApp hack, the attacker took advantage of a design flaw in the software which allowed the phone to be ‘taken over’ simply by calling it. It is known as a buffer overflow attack and is by no means new or common; in its simplest form it involves writing code into an area of the application’s memory that will then be executed. Unfortunately, flaws such as this are something that users of an app or service have no control over.
It has been reported that this highly co-ordinated attack was carried out using software developed by NSO Group Technologies, which has previously breached phone security with its well-known Pegasus spyware. What was clever about the WhatsApp case was that the attacker could access users’ phones to spy on them without the call even needing to be answered. This was achieved by sending the packets of data to the phone while the call was being set up; the target user would have seen only a call in progress or a missed call.
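The flaw class described above, as an added illustration that is not code from the original post or from WhatsApp: a toy call-signalling parser that trusts a length field taken from the incoming packet (the buffer overflow pattern), beside a hardened version that checks the declared length against both the destination buffer and the bytes actually received. The packet format, the `struct frame` type and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "call signalling" packet: a 2-byte big-endian payload
   length followed by the payload bytes. Not WhatsApp's real format. */
#define PAYLOAD_MAX 16

struct frame {
    unsigned char payload[PAYLOAD_MAX];
    size_t payload_len;
};

static uint16_t read_be16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: trusts the length field supplied by the remote peer.
   A declared length above PAYLOAD_MAX makes memcpy write past the buffer,
   which is the kind of memory flaw the post describes. Returns bytes copied. */
int parse_frame_unsafe(const unsigned char *pkt, size_t pkt_len, struct frame *out) {
    if (pkt_len < 2) return -1;
    uint16_t len = read_be16(pkt);
    memcpy(out->payload, pkt + 2, len);      /* no bound check on len */
    out->payload_len = len;
    return (int)len;
}

/* Hardened version: the declared length must fit the destination buffer
   and must not exceed the bytes that were actually received. */
int parse_frame_checked(const unsigned char *pkt, size_t pkt_len, struct frame *out) {
    if (pkt_len < 2) return -1;
    uint16_t len = read_be16(pkt);
    if (len > PAYLOAD_MAX) return -1;        /* would overflow out->payload */
    if (len > pkt_len - 2) return -1;        /* would read past the packet */
    memcpy(out->payload, pkt + 2, len);
    out->payload_len = len;
    return (int)len;
}

int main(void) {
    /* Constructed packets: a valid one, and one whose header claims 1024 bytes. */
    const unsigned char good[] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    const unsigned char bad[]  = {0x04, 0x00, 'x', 'x'};
    struct frame f;
    printf("good -> %d\n", parse_frame_checked(good, sizeof good, &f)); /* 5  */
    printf("bad  -> %d\n", parse_frame_checked(bad, sizeof bad, &f));   /* -1 */
    return 0;
}
```

The unsafe variant is shown only for contrast; the checked variant is the one a reviewer should expect wherever a length comes from the network.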
Out of the user’s hands
The vulnerability that enabled the hacker to carry out this particular attack was an issue within the application itself: it had nothing to do with WhatsApp’s encryption or security controls, but was inherent in the way the application had been written. In fact, the encryption method used for messaging has not been brought into question, and its implementation has been proven secure.
Based on this, the actions that users of apps and services can take to prevent similar breaches in the future are limited, but they are not completely powerless.
One such approach that organizations can take is to encrypt all data locally, which ensures that any information being transmitted is ‘locked down’. From a consumer’s point of view, not using the same password for different apps is a simple precaution that reduces their risk.
So, for example, if you’re an avid mountain biker and you use the same password to log on to your favorite forum as you do to shop with Amazon, an attacker might steal your credentials by targeting the less secure forum. When you are notified that the forum has been breached, you might simply disregard it, thinking ‘it’s only the mountain biking forum’; but the attacker could then use your log-in details on Amazon and gain access to your account. Essentially, every online account you access should have its own unique password. Freely available password management software, such as KeePass, makes this a far simpler task by requiring you to remember only one master password.
Duty of care
Businesses and consumers are required to put their faith in the vendors that create the apps they use, but in turn those vendors have a duty of care to protect us by watching for, identifying and fixing vulnerabilities that could leave us or our data exposed. In this case, kudos to WhatsApp, which quickly addressed the issue by releasing a patch for the versions already in use; the new versions do not appear to be susceptible.
Mobile application stores also provide a small additional layer of protection by assessing the apps they host for common flaws that could be a security vulnerability for the user and their device.
With such a high turnover of mobile applications, competition is fierce, and vendors can’t afford not to monitor and address the kinds of flaws that left the door open for the attacker who targeted WhatsApp. Failure to take responsibility will inevitably lead consumers to seek an alternative provider that does.