You probably know that last week, WhatsApp was at the center of a controversy following the revelation of a major vulnerability in the messaging application.
The security flaw in question exploits what is called a buffer overflow to allow an attacker to install spyware on the target device and subsequently access a large amount of personal data: calls, texts, photos, location and other data on the handset, as well as the ability to activate the phone's camera and microphone for real-time monitoring.
This attack reportedly used spyware referred to as Pegasus – more on that shortly – that allows your phone to be infected via a simple WhatsApp call, which does not even need to be answered.
The call merely has to be placed and, after gaining access to the device, the attacker can change the call history to hide the malicious activity.
The good news (relatively speaking) is that WhatsApp has already fixed this security hole. The bad news is that many people still have not updated to the fixed version of the application.
From a more general point of view, this incident also makes us wonder if encrypted messaging services such as WhatsApp may be secure enough to protect personal communications and data.
Pegasus and the NSO Group
Let's break down this attack in a little more detail. How does it work? The attacker modifies the data packets sent during a voice call to the victim, causing an internal buffer in the WhatsApp application to overflow (hence the name "buffer overflow attack"), overwriting part of the memory and thereby bypassing the application's security, allowing the attacker to access the phone.
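The overflow mechanism described above, as an added C example that is not from the original article and is not WhatsApp's code: a constructed length-prefixed packet format, with the unchecked copy beside a bounds-checked parser. The wire format, FIELD_MAX and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (not WhatsApp's): 2-byte big-endian payload
 * length, then the payload. FIELD_MAX is the receiver's internal buffer. */
#define FIELD_MAX 32
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LARGE = -2 };

/* Unsafe pattern, shown for contrast and never called: the copy length comes
 * from the packet itself, so a declared length above FIELD_MAX makes memcpy
 * write past the end of out[] and overwrite adjacent memory. */
void parse_unchecked(const uint8_t *pkt, uint8_t *out) {
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(out, pkt + 2, declared);
}

/* Hardened form: the declared length must fit both the bytes actually
 * received and the destination buffer before anything is copied. */
int parse_checked(const uint8_t *pkt, size_t pkt_len,
                  uint8_t *out, size_t out_cap, size_t *out_len) {
    if (!pkt || !out || !out_len || pkt_len < 2) return PARSE_TRUNCATED;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - 2) return PARSE_TRUNCATED; /* claims more than sent */
    if (declared > out_cap) return PARSE_TOO_LARGE;     /* would overflow out[] */
    memcpy(out, pkt + 2, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Constructed sample packets. */
static const uint8_t PKT_GOOD[] = {0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t PKT_OVERSIZED[2 + 64] = {0x00, 0x40}; /* declares 64 > 32 */
static const uint8_t PKT_LYING[] = {0x01, 0x00, 'x'};      /* declares 256, carries 1 */

/* Parse one packet into a FIELD_MAX-byte buffer and return the status. */
int check_packet(const uint8_t *pkt, size_t len) {
    uint8_t field[FIELD_MAX];
    size_t n = 0;
    return parse_checked(pkt, len, field, sizeof field, &n);
}

int main(void) {
    printf("good=%d oversized=%d lying=%d\n", check_packet(PKT_GOOD, sizeof PKT_GOOD),
           check_packet(PKT_OVERSIZED, sizeof PKT_OVERSIZED),
           check_packet(PKT_LYING, sizeof PKT_LYING));
    return 0;
}
```

The two rejected packets are the cases the unchecked copy would mishandle: one declares more than the destination can hold, the other declares more than was actually received.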
This access is then used to install spyware, reportedly the Pegasus spyware produced by the NSO Group, according to the Financial Times. Note that this is not yet clear, and that NSO is currently investigating the issue.
Also, as TechCrunch points out, even though Pegasus is used here, NSO itself is not behind any attack; rather, it is the customer who purchased the group's software.
NSO further emphasizes that it uses a "rigorous" accreditation and verification process and investigates "any credible allegation of abuse and that, where appropriate, we take action, including stopping the system."
If Pegasus is new to you, NSO sells spyware as a countermeasure to fight terrorism and crime. The company explains, "We provide the tools that help the official authorities to legally deal with the most dangerous problems in the world today. Governments use our products to fight terrorism, dismantle criminal operations, locate missing persons and assist search and rescue teams."
When "good" spyware goes bad
In theory, Pegasus is used to compromise the devices of terrorists and criminals, thus facilitating surveillance so that the world remains a safer place. Pegasus and similar tools also exploit vulnerabilities or backdoors, but the problem is that such spyware still has the potential to be misused.
Oppressive regimes can potentially use powerful spyware to control citizens, and possibly even extirpate dissidents, spies, political opponents or human rights activists – the sky is the limit as to how this spyware can be abused (or maybe the bowels of hell would be a more appropriate limit, as we look down on it).
And even though Pegasus has reportedly had successes, such as the arrest of the Mexican drug lord Joaquín Guzmán, there is also a lot of negative press circulating (and this is indeed the case with other spyware used by states). In mid-2016, we reported that Pegasus was being used to target Emirati human rights activist Ahmed Mansoor.
At the end of 2018, a Saudi dissident filed a lawsuit against Pegasus, alleging that it had been used against the murdered journalist Jamal Khashoggi, and Amnesty International has filed a lawsuit claiming there was "an abundance of reports of governments deploying the Pegasus spyware platform to monitor human rights defenders".
Of course, all this deserves reflection, and while it is disturbing from a global point of view, what about the smaller scale? Should the WhatsApp incident give the average person cause for concern about the security of their personal data when using WhatsApp or similar messenger services?
Can Encrypted Messaging Services Really Be Secure?
This question may be of concern to you as a result of the revelation of the WhatsApp security breach.
– the end-to-end encryption, which allows users to feel safe. As the company explains on its website, "just like your messages, WhatsApp calls are encrypted end-to-end so that WhatsApp and third parties cannot listen to them."
And that is true – every message or call is uniquely and transparently encrypted so that the content cannot be read or heard by anyone other than the sender/caller and the recipient.
However, this encryption does not mean anything if the software itself has a vulnerability that can be exploited to install spyware, which effectively leaves the entire device open, as was the case with WhatsApp.
More generally, the question is: can software really be secure? It is obviously impossible to give guarantees on this front, so the short answer is no; not really.
Etienne Greeff, CTO and co-founder of SecureData, told us: "The underlying operating systems may seem very secure, like iOS, but the entire ecosystem, including all applications of the operating system, is complex and complicated, it becomes very difficult to have complete security. In addition, only a few of the "zero-day" security tools used to secure these complex systems would have been effective."
We asked Greeff to explain a little bit why the "zero-day" security tools mentioned above – that is, typical antivirus / security applications – would have been ineffective. He explained, "The memory space of Android is such that no other process can access the memory of other processes. At best, these tools verify that they are not themselves a virus … In the case of the WhatsApp problem, this feature was exploiting this application would have been opaque compared to other alleged security tools, because of the limitation of the memory."
Daniel Follenfant, Director, Penetration Testing, Consulting Services at NTT Security, underlined that securing applications is a constant struggle, and that if they were perfectly leakproof, we obviously would not need to keep updating them with security patches.
Follenfant pointed out that "any Windows user will have seen patches happen all the time, but we still believe that they will monitor security vulnerabilities and fix them, as WhatsApp did."
"We must remain confident that sellers will do it. To monitor and review these vulnerabilities, nowadays, competition and application revenue mean that if you (as a provider) are not perceived as a positive action, you will lose your users and move on to other things."
It's clear that businesses promising protection for your sensitive data, such as WhatsApp, should be at the forefront of security and must act quickly to minimize the damage caused by a security breach, with quick fixes, as was the case here.
On an even more positive note, in terms of potential damage, we must keep in mind that the WhatsApp attack was not a scattergun-like campaign spread across all locations, unlike most malicious programs. We are talking about selected victims targeted in a sophisticated attack, including lawyers and journalists.
As The Guardian reports, to date, a human rights lawyer and a researcher for Amnesty International are among the known targets.
It is therefore likely that unless your work is along the same lines and involves sensitive or potentially interesting data, you are probably not targeted. Obviously, only a small number of people have been affected anyway, and although the exact number is unknown, it is a figure of "at least a dozen people" according to a WhatsApp spokesperson.
There is no way to know for sure that your account has not been compromised, but remember that if you have not received a WhatsApp voice call from an unknown number (or an interrupted call), you are probably in the clear.
Even if you're not likely to be targeted, however, the prospect of such invasive spyware being spread via a secure messaging application remains very worrisome. The problem is that popular encrypted messaging services such as WhatsApp, which has 1.5 billion users, represent such an important and lucrative target for those who are highly motivated financially.
These types of services will therefore inevitably be probed for vulnerabilities by hackers who, if they find an exploit, could use it to deliver a sophisticated form of spyware that incorporates powerful monitoring capabilities and the ability to operate stealthily on the victim's device.
Etienne Greeff observes that the WhatsApp incident "shows the effects of very large pockets of state on ordinary citizens."
"The NSO group exists because governments and public bodies have the capacity to pay six zero-day sums that they can use for their own political purposes. Ordinary people and reverberates on civilian life as we have seen with Khashoggi and others."