WhatsApp has asked users to upgrade the app to the latest version, and ensure that their mobile operating system is up to date, to protect themselves against a recently discovered (and fixed) vulnerability which used the WhatsApp calling feature to compromise user devices. Earlier this month, the company discovered a vulnerability that could enable the attacker to “insert and execute code on mobile devices”.

Here’s what we know about the exploit and the spyware

Q. How did the exploit spread?

A WhatsApp spokesperson told us that it seems (and it’s too early for them to confirm) that this exploit involves a voice call to a user, likely from a number that was not familiar to them. Financial Times reports that the code could be transmitted even if the call wasn’t answered, and that incoming call logs were often erased. This means that the software could often be installed undetected.

Q. How did the spyware work? Who created it? How was it discovered?

The spyware can be used to install surveillance software onto both iPhones and Android phones.

Financial Times cites Citizen Lab, the Canada-based cybersecurity research organisation, as saying that the spyware is “linked to technology” developed by Israeli cyber intelligence company NSO Group.

The vulnerability was discovered when it was used in an attempted attack on a lawyer involved in a lawsuit against NSO. Citizen Lab observed the attack on the lawyer’s phone, and had suspected that the person would be targeted. Citizen Lab has been investigating the NSO Group and the usage of its Pegasus software by governments to target dissidents and journalists.

Some of Citizen Lab’s reporting on the NSO Group:

Apart from this, Citizen Lab has also been writing to NSO’s buyers about their activities.

Without naming NSO, WhatsApp says that “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”

NSO told FT that its software is only operated by intelligence and law enforcement agencies, and it hasn’t used its own technology against any person.

Q. How many people have been affected?

A WhatsApp spokesperson told MediaNama that it’s difficult for them to provide a specific number for how many people have been affected by the exploit, saying “This is the kind of advanced exploit that would be highly selective in nature and would be available to only advanced and highly motivated actors”, and “We believe a select number of users were targeted through this vulnerability by an advanced cyber actor.”

Q. When did WhatsApp find out?

WhatsApp said that the vulnerability was discovered earlier this month, and “promptly fixed”.

Q. What has WhatsApp done?

  • Late last week WhatsApp “made changes to our infrastructure to deny the ability for this attack to take place.”
  • They’ve now issued an advisory for people to update their apps and ensure that their mobile operating system is kept updated.
  • They have briefed a number of human rights organizations to share information, and “to work with them to notify civil society”.
  • WhatsApp filed a CVE notice (common vulnerabilities and exposures notice) indicating this exploit takes advantage of WhatsApp voice calling, and is providing information to US law enforcement to help them investigate this exploit:

CVE-2019-3568
Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
Last Updated: 2019-05-13
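The CVE entry above is the one piece of information a defender can act on directly: it gives the first fixed build per platform, and anything older is affected. The following is an added example (not WhatsApp’s or the CVE’s own code) that turns that list into a check an administrator could run over a device inventory. The fixed-version numbers are copied from the CVE text; the platform labels, the device ids and the sample inventory are constructed for the example. The main point it demonstrates is that versions must be compared numerically, component by component: comparing them as strings would wrongly rank “2.19.9” above “2.19.134”.

```python
"""Version check against the affected-version list in CVE-2019-3568.

Added example, not WhatsApp's or the CVE's own code. The version
thresholds are the ones stated in the CVE entry; the platform labels
are names chosen for this example.
"""
from typing import List, Tuple

# First fixed build per platform, as stated in the CVE entry:
# builds *prior to* these are affected.
FIXED_VERSIONS = {
    "whatsapp-android": "2.19.134",
    "whatsapp-business-android": "2.19.44",
    "whatsapp-ios": "2.19.51",
    "whatsapp-business-ios": "2.19.51",
    "whatsapp-windows-phone": "2.18.348",
    "whatsapp-tizen": "2.18.15",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v2.19.134' or '2.19.134' into (2, 19, 134) for numeric comparison.

    Plain string comparison is wrong for version numbers:
    '2.19.9' > '2.19.134' as strings, but 9 < 134 as a build number.
    """
    text = text.strip()
    if text[:1] in ("v", "V"):
        text = text[1:]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform: str, installed: str) -> bool:
    """Return True if the installed build is older than the fixed build for that platform.

    An unknown platform raises instead of silently reporting 'not affected'.
    """
    try:
        fixed = FIXED_VERSIONS[platform]
    except KeyError:
        raise ValueError(f"no advisory data for platform {platform!r}") from None
    return parse_version(installed) < parse_version(fixed)


def triage(inventory) -> Tuple[List[str], List[str]]:
    """Split (device_id, platform, version) records into (affected_ids, patched_ids)."""
    affected, patched = [], []
    for device_id, platform, version in inventory:
        (affected if is_affected(platform, version) else patched).append(device_id)
    return affected, patched


if __name__ == "__main__":
    # Constructed sample inventory (not real devices).
    sample = [
        ("phone-01", "whatsapp-android", "2.19.9"),     # affected: 9 < 134
        ("phone-02", "whatsapp-android", "v2.19.134"),  # patched: equals the fixed build
        ("phone-03", "whatsapp-ios", "2.19.50"),        # affected
        ("phone-04", "whatsapp-tizen", "2.18.20"),      # patched
    ]
    bad, ok = triage(sample)
    print("affected:", bad)
    print("patched:", ok)
```

Feeding the script a real inventory only tells you which devices still run a vulnerable build; it says nothing about whether a device was actually targeted, which is one of the open questions listed further down.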

What we don’t know

We’ll update if/when we find out:

  • Was anyone in India affected?
  • How can it be detected who was affected? How can it be detected that a device is affected?
  • How can infected users clean their devices?
  • How many vulnerabilities have been detected in the last year?

What needs to be done

MediaNama’s take: Cyber intelligence and hacking software are like guns: they lead to the militarisation of cyberspace, and lend themselves to governments and non-state actors using this software to target civilians, vulnerable entities, corporations and other governments.

Citizen Lab’s Director Ron Deibert, in his letter about the purchase of the NSO Group by Novalpina Capital, raises questions about the safeguards in place to ensure responsible usage of NSO Group products, and about their sale to entities who have a record of documented human rights abuses, including “How do Novalpina Capital and NSO Group ensure that NSO Group technology is not used by purchasers against illegal targets or obtained by third parties that might engage in such illegal uses?”

Last year, French President Macron led the Paris Call for trust and security in cyberspace, which was supported by 547 entities (disclosure: MediaNama is an early supporter), for the applicability of international human rights law in cyberspace, and the prevention of the “proliferation of malicious ICT tools and practices intended to cause harm”, among other confidence-building measures. There is a need to push for a reduction in the militarisation of cyberspace, with demilitarisation as a long-term goal.