You may have seen the numerous press articles this week advising you to update your WhatsApp. The advice came from WhatsApp, which has 1.5 billion users and is owned by Facebook.
The reason for asking people to update the app on their smartphones was the discovery that hackers had been able to remotely install surveillance software on phones via a “major vulnerability” in the app. According to the BBC, WhatsApp said the attack targeted a “select number” of users and was orchestrated by “an advanced cyber-actor”.
Facebook discovered the flaw in the technology earlier this month. The flaw threatened to break WhatsApp’s promise to its users of being a “secure” communications app with messages that are end-to-end encrypted. End-to-end encryption means messages should only be displayed in a legible form on the sender’s or recipient’s device. However, the surveillance software would have let an attacker read the messages on the target’s device.
The WhatsApp team found a fix for the problem last Friday, after which people could download the new app without the ‘bug’, although some users appeared to be disgruntled that Facebook hadn’t published any notes about the fix itself.
It is likely that those whose phones may have been targeted by the hackers are “Journalists, lawyers, activists and human rights defenders,” Ahmed Zidan of the Committee to Protect Journalists told the BBC.
How did hackers use the security flaw?
One thing they did was use WhatsApp’s voice call function to ring a target’s phone. Even if the target didn’t answer the call, the surveillance software was installed on their phone. Furthermore, the call was removed from the call log, so the person who didn’t answer it wouldn’t even see that they had missed a call from an unknown number.
Facebook and WhatsApp told the press on Monday: “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”
It also issued a briefing to security specialists stating, “A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.”
The attack was old-fashioned
As Professor Alan Woodward pointed out, this is a “pretty old-fashioned” method of attack. He explained what happened: “A buffer overflow is where a program runs into memory it should not have access to. It overflows the memory it should have and hence has access to memory in which malicious code can potentially be run. If you are able to pass some code through the app, you can run your own code in that area. In VOIP there is an initial process that dials up and establishes the call, and the flaw was in that bit. Consequently you did not need to answer the call for the attack to work.”
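The class of bug Professor Woodward describes, as an added C illustration that is not WhatsApp's code: a handler that copies a sender-declared number of bytes into a fixed buffer, next to a version that checks the length first. The packet layout, function names and buffer size are hypothetical and are not taken from the actual flaw.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPORT_MAX 64 /* size of the fixed buffer the handler copies into */

/* Hypothetical control packet: [type:1][len:2, big-endian][payload:len] */
struct report {
    uint8_t  type;
    uint16_t len;
    uint8_t  data[REPORT_MAX];
};

/* Unsafe, shown for contrast and never called here: it trusts the sender's
 * length field, so a len above REPORT_MAX writes past out->data. */
void parse_unchecked(const uint8_t *pkt, struct report *out)
{
    out->type = pkt[0];
    out->len  = (uint16_t)((pkt[1] << 8) | pkt[2]);
    memcpy(out->data, pkt + 3, out->len);
}

/* Hardened: validate the declared length against both the bytes actually
 * received and the destination size before copying anything. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, struct report *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 3)
        return -1;                      /* header incomplete */
    size_t len = ((size_t)pkt[1] << 8) | pkt[2];
    if (len > pkt_len - 3)
        return -2;                      /* claims more than was received */
    if (len > REPORT_MAX)
        return -3;                      /* would not fit the destination */
    out->type = pkt[0];
    out->len  = (uint16_t)len;
    memcpy(out->data, pkt + 3, len);
    return 0;
}

/* Constructed sample packets */
const uint8_t ok_pkt[]  = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'};
const uint8_t bad_pkt[] = {0x01, 0x01, 0x00, 'A'}; /* claims 256, carries 1 */

int main(void)
{
    struct report r;
    printf("well-formed: %d\n", parse_checked(ok_pkt, sizeof ok_pkt, &r));
    printf("oversized:   %d\n", parse_checked(bad_pkt, sizeof bad_pkt, &r));
    return 0;
}
```

Because the check runs while the packet is being parsed, a malformed packet is rejected before any user interaction, which is the stage at which the quoted explanation places the flaw.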
We don’t know how many people were targeted in this attack, and there are some questions that remain to be answered about whether updating the app on your phone effectively removes the spyware in its entirety. Furthermore, WhatsApp has not said whether the attack could extend beyond WhatsApp and reach other personal data on the phone.
But, even if you are not a journalist, a lawyer or a human rights activist, download the new version of the app, because as always it is better to be safe than sorry.