WhatsApp compromised by surveillance software
Earlier this month, Israeli security firm known as NSO Group, successfully exploited a vulnerability in the Facebook-owned WhatsApp application. The attack was executed by targeting the voice call functionality. The user didn’t even need to answer the call for the surveillance software to be installed. According to WhatsApp, their security team made the initial discovery of the fault and proceeded to disclose that information with human rights organizations as well as the US Department of Justice. WhatsApp said in a briefing document for reporters, “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”
They also published an advisory to security specialists stating, “A buffer overflow vulnerability in WhatsApp voice over internet protocol (VOIP) stack allowed remote code execution via specially crafted series of secure real-time transport protocol (SRTCP) packets sent to a target phone number.”
A professor from the University of Surrey, Alan Woodward said, “In a buffer overflow, an app is allocated more memory than it actually needs, so it has space left in the memory. If you are able to pass some code through the app, you can run your own code in that area.”
What is being done to solve the problem?
Currently WhatsApp still doesn’t know how many devices were reached through the flaw. WhatsApp suggested updating the app to ensure your security protocols are up to scratch, but they have yet to confirm if the latest update would eliminate the spyware that’s already present on the device. Professor Woodward went on to say, “Using an app as an attack route is limited on iOS as they run apps in very tightly controlled sandboxes.”
Pegasus, another NSO software, can access a device’s camera, microphone, and even location data. The group made a statement saying, “NSO’s technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions.”