A couple of days ago WhatsApp confirmed that its service was compromised in India and more than 1400 users were being spied upon. These users included prominent politicians, journalists, and activists. Right now, the blame is being put on an Israeli cybersecurity firm — NSO.
While there will be some kind of litigation process, suing the intelligence company is going to be tedious. It is also well known that NSO sells its spyware (spy software) exclusively to governments. It’s impossible to point a finger at the culprit, but we need to ensure that our modern means of communication remain safe.
However, there’s more to the story than meets the eye. Obviously, WhatsApp is to blame for the security vulnerability, and the obvious source of concern is that the service is claimed to be one of the most secure platforms, with end-to-end 256-bit encryption. So how was someone able to snoop so easily?
So what happened?
- The spyware used in these attacks is called Pegasus, and it’s capable of collecting historic on-board data, continuously monitoring activity, and transmitting this data to a third party. It can be installed by multiple methods, like phishing text messages that trick users into clicking a particular link, using the over-the-air update system, and more.
- In the case of WhatsApp, it used a vulnerability in the app that allowed infection through missed video calls. This security gap was plugged by the app back in May this year. India wasn’t the only target, though: Reuters reports that government officials in more than 20 countries have also been targeted via this method.
- As a first step, WhatsApp says it has directly reached out to the affected users and patched the vulnerability. The company also stands firm that its end-to-end encryption was never compromised and that the spyware leverages flaws in the operating system to target the user.
- End-to-end encryption ensures that every bit of data sent from your phone is “encrypted”, or in other words, broken down into small pieces like a puzzle. This puzzle is then “decrypted”, or put together, on the receiver’s device. To decrypt data, a key is required; it is stored privately and changed dynamically at regular intervals. This ensures that no third party is able to access your data while it’s in transit over the internet.
If encryption was working fine, how was Pegasus able to constantly access data?
- Pegasus is meant to infiltrate smartphones silently, and experts say it can evade forensic audits and anti-virus tests, and even self-destruct if required. WhatsApp’s video call was just a medium to access the phone; Pegasus was ultimately able to function because of gaps or vulnerabilities in the core operating system.
- Operating systems affected here include Android, iOS, Symbian, as well as BlackBerry. It’s worth noting that BlackBerry OS has a reputation for being rock-solid as far as security goes and is actually trusted by governments and security establishments around the world, so the fact that Pegasus managed to bypass it means this is a huge security risk.
- WhatsApp’s encryption is irrelevant in this case because Pegasus doesn’t actually break it. Hackers are able to see whatever is on your phone as you see it — data is already decrypted and in a readable format.
- OS makers are already aware of Pegasus’ existence. Google calls the spyware Chrysaor and has a detailed page available on it. Apple’s iOS was proven to be affected way back in 2016 and iOS security update v9.3.5 patched all vulnerabilities that let Pegasus survive. However, the attack did prove that even a closed ecosystem like that of Apple can be compromised, without a hint.
How can you stay safe?
- Firstly, stop blaming WhatsApp. Researchers are confident that any other instant messenger that’s touted to be more secure, like Signal or Telegram, would face the same outcome. The standard industry encryption practices are safe enough. Though yes, WhatsApp needs to buckle up and ensure there are no more mediums or open gateways for hackers to exploit.
- Google recommends you continue updating your device to the latest security patch, obviously. It also goes on to mention that apps on the Play Store are scanned for the presence of Pegasus and are safe. That means you should refrain from installing .apk files and rely only on trusted marketplaces to install new apps.
- Don’t fall victim to phishing. In simpler words, click only on links you trust. If some randomly forwarded messages on WhatsApp say you’ve won the lottery, you definitely haven’t. Look at the URLs and only tap on identifiable sources. Browser-based vulnerabilities are very common, and if not Pegasus, there are chances you may fall victim to simple online fraud.
Originally published at https://warpcore.live on November 6, 2019.
Words by Shivam Vahia