Saturday, May 18, 2019

How Hackers Broke WhatsApp With Just a Phone Call | WIRED

How Hackers Broke WhatsApp With Just a Phone Call | WIRED




How Hackers Broke WhatsApp With Just a Phone Call

You've heard the advice a million times. Don't click links in suspicious emails or texts. Don't download shady apps. But a new Financial Times report alleges that the notorious Israeli spy firm NSO Group developed a WhatsApp exploit that could inject malware onto targeted phones—and steal data from them—simply by calling them. The targets didn't need to pick up to be infected, and the calls often left no trace on the phone's log. But how would a hack like that even work in the first place?

WhatsApp, which offers encrypted messaging by default to its 1.5 billion users worldwide, discovered the vulnerability in early May and released a patch for it on Monday. The Facebook-owned company told the FT that it contacted a number of human rights groups about the issue and that exploitation of this vulnerability bears "all the hallmarks of a private company known to work with governments to deliver spyware." In a statement, NSO Group denied any involvement in selecting or targeting victims but not its role in the creation of the hack itself.

So-called zero-day bugs, in which attackers find a vulnerability before the company can patch it, happen on every platform. It's part and parcel of software development; the trick is to close those security gaps as quickly as possible. Still, a hack that requires nothing but an incoming phone call seems uniquely challenging—if not impossible—to defend against.

WhatsApp wouldn't elaborate to WIRED about how it discovered the bug or give specifics on how it works, but the company says it is doing infrastructure upgrades in addition to pushing a patch to ensure that customers can't be targeted with other phone-call bugs.

"Remote-exploitable bugs can exist in any application that receives data from untrusted sources," says Karsten Nohl, chief scientist at the German firm Security Research Labs. That includes WhatsApp calls, which use the voice-over-internet protocol to connect users. VoIP applications have to acknowledge incoming calls and notify you about them, even if you don't pick up. "The more complex the data parsing, the more room for error," Nohl says. "In the case of WhatsApp, the protocol for establishing a connection is rather complex, so there is definitely room for exploitable bugs that can be triggered without the other end picking up the call."

VoIP calling services have been around for so long that you'd think any kinks in the basic call connection protocols would be worked out by now. But in practice, every service's implementation is a little bit different. Nohl points out that things get even trickier when you are offering end-to-end encrypted calling, as WhatsApp famously does. While WhatsApp bases its end-to-end encryption on the Signal Protocol, its VoIP calling functionally likely also includes other proprietary code as well. Signal says that its service is not vulnerable to this calling attack.

According to Facebook's security advisory, the WhatsApp vulnerability stemmed from an extremely common type of bug known as a buffer overflow. Apps have a sort of holding pen, called a buffer, to stash extra data. A popular class of attacks strategically overburdens that buffer so the data "overflows" into other parts of the memory. This can cause crashes or, in some cases, give attackers a foothold to gain more and more control. That's what happened with WhatsApp. The hack exploits the fact that in a VoIP call the system has to be primed for a range of possible inputs from the user: pick up, decline the call, and so on.

"This does indeed sound like a freak incident, but at the heart of it seems to be a buffer overflow problem that is unfortunately not too uncommon these days," says Bjoern Rupp, CEO of the German secure communication firm CryptoPhone. "Security never was WhatsApp's primary design objective, which means WhatsApp has to rely on complex VoIP stacks that are known for having vulnerabilities."

The WhatsApp bug was being exploited to target only a small number of high-profile activists and political dissidents, so most people won't have been affected by any of this in practice. But you should still download the patch on your Android and iOS devices.

"Companies like NSO Group try to keep a little stockpile of things that can be used to get onto devices," says John Scott-Railton, a senior researcher at the University of Toronto's Citizen Lab. "This incident makes it abundantly clear that anyone with a phone is impacted by the kind of vulnerabilities that customers of these companies are slinging around. There's a reality here for all of us."


More Great WIRED Stories



Elyssa D. Durant 
Research & Policy Analyst

Thursday, May 9, 2019

Android Q gets the privacy controls Google should have added years ago

Android Q gets the privacy controls Google should have added years ago
Just a few of the bizarre sites that were running in the background charging thousands of dollars since I became public enemy number one. 

All activists and journalists are the horrible people who are hurting Trump's fee fees. 

When Trump cried about Obama "tapped his wires"  and whines about FISA and I was embarrassed for him. 

How can he control nuclear missiles and be totally ignorant of NASA and Surveillance and the telecom act and the digital transition mandated by the FCC which had more to do with creating an extensive seamless network to track and monitor we the people and listen to our  most private movements and activities on in our own homes and every public space from CVS to Target or city park 

To. Be continued. I have to take an Uber to  take me to get another burner. Apparently LulzSec JS. And and I'm too exhausted to deal with the help-LESS desk. 







Android Q gets the privacy controls Google should have added years ago

Android Q gets the privacy controls Google should have added years ago

As tech giants come under fire for facilitating the widespread collection and sale of personal data, Google has read the room and will add new privacy features to Android. In the next version of the operating system, called Android Q, apps will need explicit permission to track users' locations while running in the background. Android Q will also limit access to hardware information (presumably to stop device fingerprinting), and will no longer track "affinity" for contacts, which means apps won't be able to see who users interact with the most.

Apple has already adopted many of these features in iOS and MacOS as the company turns privacy into a key selling point. Most notably, iOS users have been able to limit background location access since 2017, while Android's location access has been all-or-nothing. As the New York Times reported in December, popular apps like The Weather Channel and TheScore have in turn been selling that location data to marketers. With U.S. lawmakers starting to think about new privacy laws, it behooves Google to get in front of the issue.

Having said all that, Android phone makers have a poor track record of updating their software in a timely manner, if at all. Unless you're using one of Google's Pixel phones, which can now beta-test an early version of Android Q, you might not see these privacy improvements for quite some time.



Elyssa D. Durant 
Research & Policy Analyst