On May 13, Facebook announced a vulnerability in its popular WhatsApp messaging service. This attack was first disclosed (requires a subscription to view) by The Financial Times who claim that the vulnerability has been open for weeks. The WhatsApp vulnerability allows attackers to install spyware on smartphones by simply placing a voice call to WhatsApp on the device. Users do not need to answer the call for the spyware to be installed. The vulnerability applies to both iPhones and Android phones.
Once the call is made, software can be automatically installed on the smartphone. This software can extract all data from the phone, including texts, emails, contacts, browser history, location data, and more. The software used in the attack is called Pegasus, which is made by the Israeli firm NSO Group. While it is unknown how many users have been affected, journalists and human rights activists seem to be most targeted.
The software uses specially crafted secure real-time transport protocol (SRTCP) packets which take advantage of a buffer overflow vulnerability in the WhatsApp voice over IP (VoIP) code. The technique used in the hack makes devices vulnerable even if users do not answer the voice call.
Facebook alerted U.S. law enforcement last week and has since addressed the issue on its server side. The server-side fix eliminates an attacker’s ability to infect phones on a go-forward basis. Additionally, Facebook has issued an update to the app which adds extra security mechanisms in response on the user end. The company is strongly recommending that all WhatsApp users update their phones with the latest software version, for extra protection. Updated versions of the app are available in Apple’s App Store and Android’s Google Play Store.
ACA Aponix Guidance
ACA Aponix recommends taking the following actions regarding the WhatsApp vulnerability:
- Immediately update WhatsApp to the latest version.
- Inform staff of this vulnerability as relates to personal devices and “bring your own” devices used for work purposes.
- Monitor all devices and company data repositories for unusual activity.
- Those who might have been targeted by nation-state attackers should consider wiping their phones.
How ACA Can Help
ACA Aponix offers the following solutions that can help your company ensure strong security in light of the vulnerability:
- Cybersecurity and technology risk assessments
- Penetration testing and vulnerability assessments
- Policies, procedures, and governance
- Cyber incident response planning
- Threat intelligence
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.