You are here

WhatsApp: One Call away from being a spyware

Ms Kritika Roy is a Threat Intelligence Researcher at DCSO Deutsche CyberSicherheitsorganisation, Berlin, Germany.
  • Share
  • Tweet
  • Email
  • Whatsapp
  • Linkedin
  • Print
  • June 03, 2019

    Cyber Security breaches have become the new normal with invasive bugs on the rise. Recent incidents include the Face Time bug, which enables callers to listen into the recipients’ audio, and the Intel processor security flaw that allowed malicious actors to transfer sensitive data from a computer’s CPU to that of the attackers. The latest breach is the WhatsApp bug, which enables perpetrators to install a spyware by simply making a call to the targeted device. Social media platforms have end-to-end encryption, which means that the data cannot be intercepted during transit. However, attacks like these may undermine user confidence in the security provided by private entities. This breach also underlines the dark side of the Information Age – that there is nothing called fool-proof security and that every individual, system and organization is equally vulnerable.

    Debugging the Bug

    In early May, WhatsApp detected a bug that could inject malware on any targeted smart phone through a single call. This means that a simple call – even if not answered – may leave the phone and all its data including call logs, emails, messages, and photos vulnerable to malware, as opposed to other hacks that require some sort of user interaction like clicking on an infected link. In fact, this WhatsApp vulnerability could even bypass the face ID lock of iPhones, a feature introduced by WhatsApp to double user protection.

    This Zero Day exploit, also known as Pegasus spyware, was allegedly developed by an Israeli cyber intelligence company called NSO. The hack code developed by the company could easily transmit itself to the target’s phone with a WhatsApp call and at the same time delete the call record itself from the call log. Thus, there is no way to find out if the phone has been breached. Following the bug’s detection, WhatsApp started rolling out an update on 10 May so as to provide a security patch for its customers.

    Further analysis of the attack showed that WhatsApp VoIP (Voice over internet protocol)1 had a vulnerability called "buffer overflow weakness," which perpetrators could leverage to run malicious code on the host device. As the call starts, perpetrators manipulate the specially crafted series of data packets called SRTP (secure real time transport protocol), leading to the overflow being triggered and the attacker gaining access to the application. Attackers can then deploy surveillance tools to the device for use against the target. Karsten Nohl, chief scientist at the German Security Research Lab, states, “Remote exploitable bugs can exist in any application that receives data from untrusted source.” The majority of VoIP traffic that is sent over the internet is not encrypted, so anyone with access to the network can intercept calls or messages. This is one of the many serious threats in the VoIP environment. VoIP, in WhatsApp, is used to connect users and the evasion of the platform’s end-to-end encryption is being attributed to vulnerable VoIP.

    The Target

    The Israeli firm NSO’s stated objective has been to “create technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.” However, it doesn’t require much to imagine how the technology can be used for other purposes as well. It has been reported that NSO had actually developed the WhatsApp bug code to access the phone data of a United Kingdom based human rights lawyer who had helped a group of Mexican journalists, government critics and a Saudi Arabian national living in Canada to sue the company for allegedly misusing the technology. They also called for an export ban on the technology to prevent it from being used for breaches of individual privacy.

    What could this mean?

    While at first glance it appears that the WhatsApp malware was developed by a private firm to target an individual and at best a select group of individuals involved in litigation with it, NSO’s links with the Israeli government does have spill over effects on regional politics. The company was founded by a retired senior Israeli military officer, General Avigdor ben-Gal, and continues to maintain close ties with the Israeli government and its security forces. It has been alleged that companies like NSO have been used by Israel to further diplomatic relations with hostile neighbours in the Middle East and the Persian Gulf. Arab states see Israeli technologies as powerful tools that could be used against terrorists as well as political dissidents. While NSO has not denied that it provides services to Saudi Arabia, it denies that the technology it had shared with Saudi Arabia was in any way used in the surveillance and subsequent killing of the journalist Jamal Khashoggi. Nevertheless, Saudi agencies armed with NSO technology have allegedly gone after many of Khashoggi’s associates including Iyed el-Baghdadi, an Arab writer and activist based in Oslo, Norway. According to a report generated by Citizen Lab at the University of Toronto, NSO’s software has actually been detected in 45 countries with civil society members seen to be targeted in six.

    Incidents of social media breaches make it clear that anyone with a smart device is vulnerable One cannot ignore the fact that any government armed with such technologies can carry out the targeted monitoring of individuals without their knowledge. Attempts at breaking end-to-end encryption show that many private enterprises are hand in glove with government agencies. Moreover, such social media breaching technologies can be misused if they fall into the hands of malicious actors. For instance, private chat information and details could be used for blackmail and financial gains.

    WhatsApp is used by over 1.5 billion monthly active users, and more than 200 million users in India alone. Such a large user base also raises question about the security awareness and accountability actions being taken by India. This also brings to light the dark side of unregulated cyberspace. In the absence of any universal rules or common doctrines governing cyber space, the dilemma of individual privacy and the state’s obligation to ensure security including through surveillance would continue to remain a zero-sum game.

    Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.

    • 1. Voice over internet protocol (VoIP) is the transmission of voice and multi-media content over Internet Protocol (IP) networks.