Israeli Firm Tied To Tool That Uses WhatsApp Flaw To Spy On Activists (bbc.com) 95
An anonymous reader quotes a report from The New York Times: An Israeli firm accused of supplying tools for spying on human-rights activists and journalists now faces claims that its technology can use a security hole in WhatsApp, the messaging app used by 1.5 billion people, to break into the digital communications of iPhone and Android phone users (Warning: source may be paywalled; alternative source). Security researchers said they had found so-called spyware -- designed to take advantage of the WhatsApp flaw -- that bears the characteristics of technology from the company, the NSO Group.
The spyware was used to break into the phone of a London lawyer who has been involved in lawsuits that accused the company of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists, the researchers said. There may have been other targets, they said. Digital attackers could use the vulnerability to insert malicious code and steal data from an Android phone or an iPhone simply by placing a WhatsApp call, even if the victim did not pick up the call. As WhatsApp's engineers examined the vulnerability, they concluded that it was similar to other tools from the NSO Group, because of its digital footprint. WhatsApp engineers patched the vulnerability on Monday.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," the Facebook-owned company said in a statement.
The spyware was used to break into the phone of a London lawyer who has been involved in lawsuits that accused the company of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists, the researchers said. There may have been other targets, they said. Digital attackers could use the vulnerability to insert malicious code and steal data from an Android phone or an iPhone simply by placing a WhatsApp call, even if the victim did not pick up the call. As WhatsApp's engineers examined the vulnerability, they concluded that it was similar to other tools from the NSO Group, because of its digital footprint. WhatsApp engineers patched the vulnerability on Monday.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," the Facebook-owned company said in a statement.
It is just business (Score:5, Insightful)
Israeli, American, European companies have been at the forefront of the good fight of the government to spy on its citizens since forever.
The only way to stop it is to use your voting power to limit your government's desire to spy by keeping it YOUR government.
I know, I know, this is hard work.
Re: (Score:1)
take your meds
Re: (Score:1)
Dude, you should not stop taking your meds.
Re:It is just business (Score:4, Insightful)
Israeli, American, European companies have been at the forefront of the good fight of the government to spy on its citizens since forever.
It's a bit odd that you would omit China, the one that outclasses everyone else, by a large margin, when it comes to spying on its citizens.
Re: It is just business (Score:1)
Majority of gorvernments spy on their enemies, allies, and yes their citizens (including themselves btw). Everyone is guilty and America does not nor ever had the moral high ground.
I remember looking at a graph that America regulary hacks/spy into Japan more so than any other country.
Re:Take what you want (Score:1)
Re: (Score:2)
Against whom? USA for providing attack vectors in the form of buggy apps?
Details of the vulnerability? (Score:5, Interesting)
described the flaw as: "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.”
If that’s the case, what exactly would that remotely executed code be able to accomplish? On iOS at least the app is still sandboxed, so it wouldn’t get everything. But come to think of it, most people would have given it permission to access contacts and photos at least, as well as the WhatsApp messages themselves, which is bad enough especially in the context this vulnerability was used in. Does the vulnerability actually allow access to this data (and to what else)?
As for NSO, they are not one hair better than a blackhat selling zerodays to scumbag governments. The only difference is that they have a letterhead.
Target (Score:5, Insightful)
what exactly would that remotely executed code be able to accomplish? On iOS at least the app is still sandboxed, so it wouldn't get everything. But come to think of it, most people would have given it permission to access contacts and photos at least,
No further access needed, the sandbox is pretty much enough by itself:
The spying agency isn't interested in other application: they don't care about what dick picks these people are sexting around on Tinder.
as well as the WhatsApp messages themselves
Exactly, the spying agency is after what these people are trying to communicate within WhatsApp itself while relying on its botched implementation of OpenWhispers/Axolotl end-to-end encryption.
(SPOILER ALERT: WhatsApp isn't opensource, you don't control its code. The iOS it's running on isn't opensource either, you still don't have any control on its code. Thus applying OpenWhispers/Axolotl to WhatsApp doesn't actually make it a real end-to-end encrypt - as you don't control your end).
Re: (Score:2)
They probably had some additional zero-day exploits for the OS itself, available at extra cost of course.
Secure ! (Score:2)
But !... but!... but!... /s
The ads were saying that WhatsApp uses encryption from Open Whisper systems !!!~
It must be secure !!!~
(SPOILER ALERT: No, it's not. WhatsApp isn't opensource, you don't control its code.
Also, the iOS it's running on isn't opensource either, you still don't have any control on its code.
(At least you can run it on a full open-source AOSP Android, without any bit of proprietary Google Play Service required. But you're still at the mercy of the "modem-that-acts-as-the-chipset's-Northbridge" nightmare).
Thus applying OpenWhispers/Axolotl to WhatsApp doesn't actually make it a real end-to-end encrypt - as you don't control your end. It just makes a fancy buzzword for the marketeers to leverage).
Criminal (Score:2, Interesting)
If you or I did any of the things NSO is alleged to have done, we would be facing many years in prison for violating various hacking laws. Yet, when NSO does the same damn things, it is just "business". What is most astonishing is that an Israeli company allegedly helped the Saudi government in murdering and butchering Khashoggi, a journalist based in the US.
NSO needs to be held accountable for their sales of tools used to perform illegal hacking activities. NSO needs to be declared an enemy of the Unite