Wednesday, May 15, 2019

Whatsup WhatsApp

Discovered in early May 2019, patches released May 10 2019, and press reporting from May 13 2019, WhatsApp a messaging application for Smartphones has been severely compromised.

It seems although the Instant Messaging is protected by End to End encryption via the Signal Protocol, a buffer overflow can allow a back door allowing any or all data on the phone to be compromised.

From Facebook security:
(Since Facebook owns WhatsApp)

"The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15," 

Some Scary Stuff

- This is a buffer overflow vulnerability
- The exploit typically installs Pegasus Spyware
- The exploit works if a call is made to the target phone, the user does not need to pickup the call
- The spyware erases the call log, thus the user would be unaware of the issue

The CVE Process
CVE Common Vulnerabilities and Exposures maintains a database of issues that are reported to it.  They are also visible via NIST.  CVE is part of Mitre.

As I understand it for serious issues, details are not made public until a first fix has been made, tested and distributed.  Indeed at the time of writing on May 14th,  CVE-2019-3568 which describes this Whatsapp issue is merely reserved and there is no detailed public pronouncement of the issue or its resolution.

Learning Points
- Technology has many benefits. But also a few disadvantages.  Like being hacked.

- These are complex programming systems, and they can never be perfect, especially when new features and hence code changes are introduced.

- Android and Apple iOS already have automated application store update options

- When a vulnerability is discovered it is worked on immediately by responsible developers and then the fixed app is loaded to the Application store

- In parallel, actually possibly even before the fixes are fully released, the vulnerability is often made public on the CVE database

- If you choose to use the technology, and at some level you will and must in 2019, the best you can do for your Smartphone is to keep the Auto Updates switched ON.

- My Android phone updates in the early hours, every day.