What’s Up, WhatsApp?

Alisdair Menzies
May 16, 2019


First things first, have you updated WhatsApp on your phone? Yes, good, let’s move on.

The seriousness of the security flaw behind the latest revelations should not be underestimated. A WhatsApp call placed to your phone could inject code into the device, which in turn allowed the execution of code with access to the full span of the device, and could even remove the evidence that the inbound call carrying its nefarious payload had ever been made. You would likely never know.

WhatsApp is well funded, practices modern development techniques and fills a necessary niche, allowing multimedia phone messaging in an environmentally agnostic way. On a technical level, it is based upon the open standard Extensible Messaging & Presence Protocol (XMPP). I’m sure they diligently practise test-driven development and undertake extensive testing, so what went wrong? Did anything go wrong?

It’s easy to have a kneejerk reaction: blame WhatsApp or the organisation that orchestrated and exploited the vulnerability [NSO Group, the Israeli security firm], remove WhatsApp and implement draconian security policies on devices that prevent any apps from being installed. But no application or device is unhackable, and hackers are finding new and novel ways around device and application security all the time. Lockdown-type security policies are unlikely to have the outcome you would desire. Every time rigid policies are implemented, antipatterns emerge, potentially resulting in greater risks, unless of course you are the likely target of spear-phishing.

The relatively good news is that the likely targets are the politically exposed, global political journalists and specific individuals, unlike with a widespread virus such as NotPetya. While it was clear that NotPetya was an attack on Ukraine, its impact was felt directly worldwide and without prejudice, disrupting the operations of the worldwide shipping company Maersk and a New Zealand based chocolate manufacturer equally. (Wired.com has an excellent longform on this here.)

If, however, you are unfortunate enough to be in the categories indicated, it might be wise to get a new phone, start afresh, and adopt those draconian measures talked about.

WhatsApp exists in a privileged position, being used by over 20% of the world’s population. With that position, as the cliché goes, comes great responsibility. The messages are also encrypted end-to-end, and this was not compromised (detail can be found here); however, messages could be intercepted once decrypted on the devices.

Like almost all software built today, it is dependent on common modules provided by the platform (Android, iOS) and the open source community. The software stack used, irrespective of source, can introduce attack vectors, and these become exponentially more difficult to trap the more code is used. If full device security is of paramount importance, then an application such as WhatsApp, which assumes a trust relationship with the endpoint, is perhaps not the application for you. What is meant by this is that, much like a phone call, if the number is right, then the call will be placed or the message sent, along with any payload.
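The two points above, that end-to-end encryption was not broken yet messages could still be read once decrypted on the device, are easier to see in a small model. The following is an added illustration, not WhatsApp’s code or protocol: a relay in the middle only ever handles ciphertext, while a recipient device that holds the key, and therefore any code running with that device’s privileges, sees the plaintext. The cipher is a deliberately simple, stdlib-only encrypt-then-MAC construction (HMAC-SHA256 used as a counter-mode keystream plus an HMAC tag) standing in for a real AEAD; the class names and the `run_scenario` helper are assumptions for this example.

```python
"""Toy end-to-end messaging model (added illustration, not WhatsApp's code).

Shows the boundary end-to-end encryption draws: the relay sees ciphertext only,
but the endpoint that holds the key sees plaintext after decryption, so code
running with that endpoint's privileges sees it too.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive a per-purpose subkey so encryption and MAC keys differ."""
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (toy stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || body || tag."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the body; raise on failure."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


@dataclass
class Relay:
    """The messaging server: stores and forwards blobs, never holds the key."""
    seen: list = field(default_factory=list)

    def forward(self, blob: bytes) -> bytes:
        self.seen.append(blob)
        return blob


@dataclass
class Device:
    """A recipient endpoint. If compromised, code on it observes decrypted messages."""
    key: bytes
    compromised: bool = False
    leaked: list = field(default_factory=list)

    def receive(self, blob: bytes) -> bytes:
        msg = decrypt(self.key, blob)
        if self.compromised:  # same privileges as the app: sees what the user sees
            self.leaked.append(msg)
        return msg


def run_scenario(compromised_endpoint: bool) -> dict:
    """Send one constructed message through the relay to Bob and report who could read it."""
    key = os.urandom(32)              # assumed pre-established end-to-end key
    relay, bob = Relay(), Device(key, compromised=compromised_endpoint)
    msg = b"meet at 9"                # constructed sample message
    delivered = bob.receive(relay.forward(encrypt(key, msg)))
    return {
        "delivered": delivered == msg,
        "relay_can_read": any(msg in blob for blob in relay.seen),
        "endpoint_leaked": bob.leaked == [msg],
    }


if __name__ == "__main__":
    print("honest endpoint:     ", run_scenario(False))
    print("compromised endpoint:", run_scenario(True))
```

The relay result is the same in both runs: transport-level confidentiality holds regardless of what happens on the phone. Only the endpoint result changes, which is exactly why patching the client matters even though the encryption itself was intact.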

Specialist applications exist that allow for secure messaging based on pre-shared key mechanisms, as used by organisations such as WikiLeaks to ensure security and anonymity. These are typically based on the well-known PGP.

In recent news, where might this security flaw have had an impact? I can think of a few:

  • The murder of Jamal Khashoggi (link)
  • An unnamed UK based human rights lawyer suspected they were a target (link)
  • A Mexican journalist was killed and colleagues hacked (link)

While all of this can feel conspiratorial in nature, if true it shows the real-world impact that targeted attacks can have when deployed.

Organisations can adopt security best practices with sound hardware, software and patch lifecycles and minimise their exposure technically. The greatest exposure risk remains social engineering, and companies should train their people to understand and recognise social engineering techniques. ESecurityPlanet has a great guide to the basics of social engineering defence (link).