Software bugs can be annoying. They come in many forms, and most of the time, they can be present for a long time before being discovered.
This was experienced by WhatsApp, which offers encrypted messaging by default to its more than a billion users. The company discovered and fixed a bug that allowed hackers to spy on targeted phones and steal data from them, by just calling them.
Targets didn't have to pick up the phone to be infected. As a matter of fact, the calls can leave no trace on the phone's log.
The Facebook-owned company said that it contacted a number of human rights groups about the issue and that exploitation of this vulnerability bears "all the hallmarks of a private company known to work with governments to deliver spyware."
It's reported that the notorious Israeli spy firm NSO Group had a role here. NSO denied such claim, but however, not on its role in the creation of the hack itself.
The spokeperson for the company said that:
“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.”
The issue here is called zero-day bug exploit.
This is a kind of bug in which attackers find the vulnerability before any company can patch it. This happens so frequently on every platforms.
In WhatsApp' case, hackers were reportedly able to remotely install spyware on phones and devices by just calling the target. NSO’s most prominent product is Pegasus, and this spyware is said to be used in the attacks, allowing hackers to access target phones' microphone and camera, while also accessing location data, emails, and other data.
Facebook confirmed the attack in a security notice, noting that it affected WhatsApp for Android prior to v2.19.134.
Other affected versions include WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
According to the report, the attack took aim at a small number of high-profile activists and political dissidents, including a human rights lawyer, who reportedly later, helped several people sue the NSO Group in Israel.
In the days where cybersecurity is becoming increasingly important, people are taught to never click on suspicious emails, or download shady apps not from their phone's legitimate app stores. But this WhatsApp zero-day bug which required nothing but an incoming phone call, would be challenging - if not impossible - to defend against.
WhatsApp rather keeps the details to itself, but according to Facebook's security advisory, the vulnerability stemmed from an extremely common type of bug known as a buffer overflow.
Here, apps have a sort of holding pen, called a buffer, to stash extra data. And a popular class of attack can be tailored to strategically overburdens that buffer so the data "overflows" into other parts of the memory.
This can cause apps to crash or, in some cases, give attackers a way to gain control of the target device.
VoIP calling services have been around for so long, and can be traced back to the days that made Microsoft Skype popular. But that many years haven't really secured the protocol because in practice, every service's implementation is a little bit different.
WhatsApp, while seem to be user-friendly and easy-to-use at the frontend, the system which works in the backend is actually rather complex.
First of all, the service uses end-to-end encryption which make things tricky. And second, with the more complex data parsing, the more flaws that could be discovered. And here, the system somehow gave room to an exploitable bug that can be triggered without requiring the user to pick up any incoming call.
This isn't the first time NSO Group surfaced in the news.
In fact, the company is said that have previously created software used by the Saudi Arabian government to spy on murdered dissident Jamal Khashoggi. The Saudi journalist is said that have been dismembered in the Saudi consulate in Istanbul in 2018.