WhatsApp Zero-Day let NSO Spyware Pwn Phones

A buffer-overflow vulnerability in WhatsApp is being exploited to remotely take over victims’ devices. All it took was a missed call to infect the app on iOS and Android.

The payload seems to have been the NSO Group’s Pegasus commercial spyware. This Israeli nasty is known for use against journalists, activists, lawyers, etc.—basically anyone certain governments want to spy on.

The patch is now available. In today’s SB Blogwatch, we scramble to update.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Scallion Shimmer System SG.


Oh No, NSO

What’s the craic? Mehul Srivastava and Kadhim Shubber report, “WhatsApp voice calls used to inject Israeli spyware” in the Pink’un:

 A vulnerability … allowed attackers to inject commercial Israeli spyware on to phones. … WhatsApp, which is used by 1.5 [billion] people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function.

WhatsApp said that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability. … As late as Sunday, as WhatsApp engineers raced to close the loophole, a UK-based human rights lawyer’s phone was targeted using the same method.

Pegasus [is] a program that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data. … NSO advertises its products to Middle Eastern and Western intelligence agencies, and says Pegasus is intended for governments to fight terrorism and crime. … NSO said it had carefully vetted customers and investigated any abuse.

Carefully vetted? Iain Thomson—“Rap for surveillanceware chaps in chat app voice yap trap flap”:

 All a snoop needs to do is make a booby-trapped voice call to a target’s number, and they’re in. The victim doesn’t need to do a thing.

[It’s] a classic buffer overflow weakness. … The attacker has to carefully manipulate packets of data sent during the process of starting a voice call. … When these packets are received by the target’s smartphone, an internal buffer within WhatsApp is forced to overflow, overwriting other parts of the app’s memory and leading to the snoop commandeering the chat application.

This means a successful hacker can hijack the application to run malicious code that pores over encrypted chats, eavesdrops on calls, turns on the microphone and camera, accesses photos, contacts, and other information. … This exploit would be perfect for a nation’s spies keen to pry into the lives of persons of interest. After all, why bother cracking … encryption when you can overflow a buffer and hack the code itself?

Who could such a company be? … It’s believed NSO Group built the exploits and surveillanceware used. [It] ostensibly only [allows] Pegasus … to be used to snoop on and snare criminals and terrorists.

Tell me about this patch. Here’s the WhatsApp security advisory:

 CVE-2019-3568 … A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.

The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

So that’s alright, then. A slightly sarcastic Ivan Topolsky—DrYak—recommends not using WhatsApp anyway:

 But … but … but … The ads were saying that WhatsApp uses encryption from Open Whisper systems !!! It must be secure !!! /s

No, it’s not. WhatsApp isn’t opensource, you don’t control its code. Also, the [OS] it’s running on isn’t opensource either, you still don’t have any control on its code.

Applying OpenWhispers/Axolotl to WhatsApp doesn’t actually make it a real end-to-end encrypt – as you don’t control your end. It just makes a fancy buzzword for the marketeers.

How would I know I was targeted? Eva Galperin—@evacide—suggests an indicator of compromise:

 What are the IOCs? Repeated WhatsApp calls from a number that is not in your contact list that crashes the app.

NSO Group has been bragging that it has no-click install capabilities for quite some time. The real story here is that WhatsApp found the damn thing. … They’re certainly not the first to have gone looking for it.

Pass the aluminum millinery. NATTtrash conspires to theorize: [You’re fired—Ed.]

 It was bound to happen, wasn’t it? So many … politicians moaning about the fact that … we really, really needed a “governmental backdoor,” or an “encryption with decryption keys supplied to us to safeguard the world.”

Well, it has been quiet for a while on that front, and I suppose we now know why.

And as for NSO? Ronald Hendricus—JaredOfEuropa—opines thuswise:

 As for NSO, they are not one hair better than a blackhat selling zerodays to scumbag governments. The only difference is that they have a letterhead.

But can anything be done about it? Alex Stamos has this modest proposal:

 Since the Israeli government seems unlikely to rein in this company … it’s time to use the US legal system to do so:

1) APPL, FB and GOOG should fund lawsuits under civil CFAA by victims.
2) FB and GOOG should sue for trademark infringement.

Trademark infringement? Yup, @citizenlab found that NSO Group registered trademarked domains with the explicit goal of tricking consumers. There have also been reports of NSO Group distributing backdoored applications, which would be both a copyright and trademark violation.

Would they win? I really don’t know. We certainly can’t completely shut down the global trade in offensive technologies used against activists and journalists, but we can try to make it unwise to conduct this trade in the open and with US offices.

Microsoft has demonstrated the value of corporate lawfare against bad actors.

Where have I heard of NSO before? Filip Truta reminds us:

 NSO Group has been in the news before for its powerful surveillance tool capable of collecting data from a target device, including through a device’s camera and mic.

In 2016 it was revealed that NSO’s flagship software known as Pegasus was being used to target human rights activist Ahmed Mansoor in the United Arab Emirates. His device, an iPhone 6, had been targeted by means of a clickable link via SMS.

The group said in a statement: “After a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. … Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organization.”

Amnesty International has prepared a petition asking Israel’s Ministry of Defense to revoke NSO’s license to sell its surveillance software.

Meanwhile, the iOS App Store still isn’t offering the fixed version automatically! So entropy_ offers this workaround:

 You need to go to the app store app, then the Updates tab, and pull down to refresh (yes, the Updates tab, not WhatsApp listing in the store). When you do that, you’ll see the newest version becomes available for update.

This happens whenever an update is set to phased release and hasn’t reached 100% yet.

And Finally:

Scallion Shimmer System SG

“An original visual/music experience realised by purely electronic means. The entire video production is realised by video synthesis techniques. … The concept of the work was built up from the visuals up rather than by creating a composition using the music track as a reference. The entire work is an experiment in videographic dimensionality. It is the realm of the electronic video image that is the directive force behind the work.”—Jeffrey Siedler a/k/a Jeffrey Plaide


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Michel Müller (Pixabay)

Featured eBook
Doing Identity Access Right

Doing Identity Access Right

Caring for your company data as one of your most valuable assets can seem like a constant balancing act. In a world of corporate hacks and ransomware, keeping your data under digital lock and key is absolutely essential. But so is allowing your employees to use it to do their best work. Managing who has … Read More