The story so far: Earlier this week, The Guardian published a report on the alleged hacking of the personal phone of Amazon founder Jeff Bezos (in 2018). Cyber-forensics firm FTI Consulting, which has been investigating the issue, has attributed this attack to the Saudi regime. Parts of this alleged incident are eerily similar to the infamous Pegasus case. Though the report released by FTI has been criticised by many in the information security industry — for falling short of investigative standards and technical rigour — the mere possibility of such an incident having occurred does raise several important questions on application and device security.
What has been the global impact of the vulnerabilities discovered?
Multiple security vulnerabilities affecting WhatsApp were discovered, disclosed, and patched in 2019. Out of these, one vulnerability in particular, disclosed in May 2019, garnered significant media attention — primarily due to its role in aiding the delivery of spyware known as ‘Pegasus’. The company behind Pegasus, Israel’s NSO Group, claims to equip “authorised governments” with “technology that helps combat terror and crime”. According to WhatsApp, the spyware was deployed on at least 1,400 targets, including lawyers, activists, dissidents and diplomats. The Pegasus spyware is also known to have been used against several Indian journalists and activists.
In recent memory, the Pegasus incident remains perhaps the starkest example of how security vulnerabilities in popular software can compromise the security of users, though it is far from the only such case. In 2019 alone, at least two other security vulnerabilities, which could have allowed attackers to remotely execute malicious code on victims’ devices, were discovered and patched by WhatsApp. Attackers could have exploited these flaws by sending specially crafted GIF files or MP4 videos, requiring little to no interaction on the part of the victim.
What is a buffer overflow? How does it affect WhatsApp?
Buffer overflows allow attackers to read or write data outside the memory boundaries a program has defined for a particular buffer. Though mitigations exist, buffer overflow vulnerabilities are generally complex, and are considered harder to detect and exploit than other, more frequently occurring security flaws. In some cases, they can be leveraged to execute malicious code on the target machine. A buffer overflow vulnerability in an application such as WhatsApp would allow an attacker to take advantage of the context in which the application runs on the system. A vulnerability in WhatsApp alone would not suffice for total compromise of the device, but the protection offered by end-to-end encryption on the platform would be rendered ineffective here: end-to-end encryption only means that message contents are encrypted while they are in transit, and with a buffer overflow an attacker would be able to access the buffer where data, including received messages, is stored. Permissions granted to the app, which may include access to the device’s microphone, camera, location, gallery and more, also stand to be abused by exploiting such a flaw, though protections built into mobile operating systems may make this harder to achieve.
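As an added illustration of the kind of flaw described above, and not code from this article or from WhatsApp: a constructed C parser for a hypothetical length-prefixed media chunk, written once in a form that trusts the attacker-supplied length field and so writes past a fixed-size buffer, and once in a bounds-checked form. The chunk format, the function names and the buffer size are assumptions made for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed chunk format (an assumption for this example, not a real
 * media container): a 2-byte big-endian length field followed by payload. */
#define PAYLOAD_MAX 64

struct chunk {
    uint8_t payload[PAYLOAD_MAX];
    size_t len;
};

/* Vulnerable version: the declared length comes straight from the untrusted
 * input. A value larger than PAYLOAD_MAX makes memcpy write past the end of
 * payload[], which is exactly a buffer overflow. Kept here to show the defect;
 * the example never feeds it an oversized chunk. */
int parse_chunk_unsafe(const uint8_t *in, size_t in_len, struct chunk *out)
{
    if (in_len < 2) return -1;
    size_t declared = ((size_t)in[0] << 8) | in[1];
    /* BUG: no check that declared <= PAYLOAD_MAX or declared <= in_len - 2 */
    memcpy(out->payload, in + 2, declared);
    out->len = declared;
    return 0;
}

/* Hardened version: the declared length is checked against both the size of
 * the destination buffer and the number of input bytes actually present. */
int parse_chunk_safe(const uint8_t *in, size_t in_len, struct chunk *out)
{
    if (in_len < 2) return -1;
    size_t declared = ((size_t)in[0] << 8) | in[1];
    if (declared > PAYLOAD_MAX) return -2;   /* would overflow payload[] */
    if (declared > in_len - 2) return -3;    /* would read past the input */
    memcpy(out->payload, in + 2, declared);
    out->len = declared;
    return 0;
}

/* Builds a constructed chunk whose header claims `declared` bytes while the
 * body actually carries `actual_payload` bytes. Returns bytes written, or 0. */
size_t make_chunk(uint8_t *buf, size_t buf_len, uint16_t declared, size_t actual_payload)
{
    if (buf_len < 2 + actual_payload) return 0;
    buf[0] = (uint8_t)(declared >> 8);
    buf[1] = (uint8_t)(declared & 0xff);
    memset(buf + 2, 'A', actual_payload);
    return 2 + actual_payload;
}

int main(void)
{
    uint8_t buf[256];
    struct chunk c;

    /* Well-formed chunk: both parsers accept it. */
    size_t n = make_chunk(buf, sizeof buf, 16, 16);
    printf("benign:    safe=%d unsafe=%d\n",
           parse_chunk_safe(buf, n, &c), parse_chunk_unsafe(buf, n, &c));

    /* Header claims 200 bytes, far more than PAYLOAD_MAX. The safe parser
     * rejects it; the unsafe parser would write 136 bytes past payload[]. */
    n = make_chunk(buf, sizeof buf, 200, 200);
    printf("oversized: safe=%d (rejected before any copy)\n",
           parse_chunk_safe(buf, n, &c));

    /* Header claims more bytes than the chunk actually carries. */
    n = make_chunk(buf, sizeof buf, 32, 8);
    printf("truncated: safe=%d (rejected, would over-read input)\n",
           parse_chunk_safe(buf, n, &c));
    return 0;
}
```

The unsafe parser is deliberately never run on the oversized chunk, since doing so would corrupt memory; the point is that a length field read from a file an attacker sends must be validated against both the destination buffer and the bytes actually received before anything is copied.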
Can a buffer overflow in WhatsApp result in the phone on which it is being run being compromised?
Modern computing devices, including smartphones, implement a number of security measures to contain the extent to which a program can interact with the machine it is running on. One such measure is known as a “sandbox”, which limits the ability a program or process has to interact with operating system code. However, such protections can be bypassed too. A vulnerability in software such as WhatsApp can be “chained” with a vulnerability in the device’s operating system to escape the sandbox within which the app runs, and ultimately gain “root” privileges on the affected system. Exploitation of sandbox and kernel vulnerabilities is also what makes “jailbreaking” of devices possible. Root access grants the attacker the highest level of privilege that can be held on the system, allowing them to circumvent most, if not all, software restrictions imposed on the device. This level of access is also essential for deploying tools that can freely access or modify data on the device, alter core functionality, and more.
How is data extracted from a device?
Traditionally, an infected device communicates back to a “command and control” server. Since many of the files on a device may be junk or of little value, an operator chooses what kind of data they wish to retrieve. To reduce the chance of detection through unusual spikes in bandwidth usage, an operator may choose to extract only information of vital importance. Further, since stealth is the goal, outbound data may be transmitted through alternative channels, or make use of obfuscation or encryption, among other techniques, to evade detection. Alternatively, an attacker with access to a device may choose not to extract information at all, and instead merely “view” it by accessing the device through an SSH tunnel.
How can users protect themselves?
A matter of relief is that vulnerabilities such as those discussed above are not easy to come by. They are discovered through continuous, concentrated effort and arduous testing. Likewise, those who discover such flaws have a strong natural interest in keeping knowledge of exactly how the flaw works to themselves. Facilitators such as the NSO Group do not simply hand information about their “proprietary” vulnerabilities to customers; they instead perform the exploitation themselves, thereby ensuring that customers cannot infect devices without having them in the loop.
For most users, following basic security hygiene, such as not visiting untrusted websites, not installing untrusted third-party applications or certificates, and keeping device and application software updated, should be enough. People must remember that WhatsApp is not the only delivery method for complex attacks: vulnerabilities exist which allow the sandbox of mobile browsers to be escaped to execute code on the system. It should be noted, though, that highly specialised attacks such as Pegasus have not been known to target users “indiscriminately”, primarily because of the risk of detection that widespread exploitation would invite.
Further, though no software update can entirely eliminate the prospect of future vulnerabilities being discovered, updating frequently may render certain exploits unusable, because an exploit that relies on one vulnerability working in conjunction with another fails once either of them is patched.
For those with an elevated threat profile, simply keeping your phone updated may not be a definitive way of preventing attacks. Devices can be compromised in a variety of ways, especially if the adversary has enough time and resources. Device security must therefore be extended to include monitoring, and not only superficial monitoring that relies on known signatures and vulnerabilities, nor only monitoring that begins after an indicator of compromise has been spotted.
Karan Saini is a Bengaluru-based security researcher with an interest in network and application security