WhatsApp Update warning. The new WhatsApp attack targets groups and messages, forcing the removal of the group and reinstalling the application.
WhatsApp has endured a difficult 2019 on the security front, with stories of nation-state piracy campaigns and multiple vulnerabilities, even while fighting with governments and their agencies for their insistence on end-to-end encryption. Just when the year comes to an end, there is news of another security threat that has compromised the integrity of the platform.
The risk this time is of messages specially designed to “kill applications” that block WhatsApp with enough severity for users to disconnect and may have difficulty recovering.
Are You at risk?
WhatsApp has solved the problem: it did so in September when the cybersecurity researchers at Check Point first revealed it in private. But if you haven’t installed a new version since before, you’re still at risk.
Check Point “urges all WhatsApp users to update to the latest version of the application immediately.” WhatsApp also argues that the threat is obscure, which probably does not impact users in the real world. In this they are wrong and have lost the reason why the problem is so important and carries a potential critical risk.
To understand why that is the case, let’s look at the threat itself and how it works. The exploit is disturbingly simple. It is based on two separate security vulnerabilities in WhatsApp, both now patched. The first is that any user can be added to a group without consent, that user receives the messages sent to the group; The second is that metadata embedded in a message can be manipulated to break the WhatsApp phone application when that message is received. Combine the two vulnerabilities and you will get a terrifying new attack vector.
Let’s see how a bad actor of the nation state could exploit such vulnerability. If I have the phone numbers of a group of reporters, activists or dissidents, I can add those numbers to an unwanted group and then send that group an “application murder” message. I would do all that at the same time. The first thing an objective would know about the threat is when a harmless, probably socially designed, message from “WhatsApp Killing” is received.
As soon as that message is opened, WhatsApp will be blocked and will not restart until it is deleted and reinstalled. If users do not have current backups, their data will be lost. I could mount this attack before a protest or political event, or I could use it to disconnect one or more people.
The Check Point researcher, Oded Vanunu, explained to that these “application removal messages” present a critical risk, “denial of service scenarios have been seen before in WhatsApp,” he said, “but not where you need to uninstall the application.
This is very aggressive. Users who do not make backup copies will lose everything. Users who are not technical will no longer be able to activate WhatsApp. “
A WhatsApp spokesman said that the platform “greatly values the work of the technology community to help us maintain strong security for our users worldwide. We quickly resolved this problem for all WhatsApp applications in mid-September. We have also added recently new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties. “
WhatsApp does not know or will not share the percentage of its vast user base that has been changed to patched versions of its applications. This problem seems to affect Android instead of iOS. But that advice, to ensure that your messaging platforms are always up to date, must be followed by all users on all platforms.
This problem also highlights the vulnerability of the groups. Most of us now belong to countless groups, large and small. And many of those groups have growing or changing memberships. It is worth taking into account the number of groups to which it belongs, especially the groups that it does not recognize or that it no longer uses, how these groups are managed and even periodically verifying those membership lists.
How does it work?
The last vulnerability can be seen in the Check Point concept test video and in the message screenshot below, with the group chat message manipulated with erroneous metadata. When WhatsApp cannot process that data, it is forced into a shock cycle that affects all members of the group. No exit. “Group chat cannot be restored and must be deleted.” The application itself must be reinstalled.
The Check Point team has made the deconstruction of WhatsApp security a specialty. Vanunu indicated that they are investigating WhatsApp protocols “because their infrastructure allows malicious users to manipulate messages and distribute fake news; we wanted to understand how this is possible on an encrypted platform.”
The team says that WhatsApp provides threat actors with an additional weapon in their arsenal to take advantage of the messaging platform for their malicious intentions. “
“By sending this message,” Check Point explains, “the WhatsApp application will be blocked on each phone that is a member of this group.” Worse, the lock will be repeated every time the application is reopened, forcing all users to remove the application and then reinstall it. Beyond the denial of communications service, once you know that a user has been expelled from one platform, you can launch an attack against another.
Assuming I want to infect you, I know that my infection exploit only works in SMS, so I do your WhatsApp and then I upload an SMS to infect you.
This last problem comes immediately after others for WhatsApp, and is a worrying pattern. The highlight of the year was undoubtedly the alleged piracy of dissidents and activists by the Israeli spy software firm NSO, as I reported in May.
WhatsApp confirmed that the attack “would take over the functions of mobile phone operating systems.” There were material implications for the safety of lawyers, journalists and activists, and Facebook instigated legal action against NSO as a result of the attack to protect the integrity of its technology.
But that was not an isolated security breach. In October, it was reported that a WhatsApp crash that allows an attacker to use a “malicious GIF image” to potentially access user content. WhatsApp quickly patched the problem.
Then, in November, another reported that Facebook had silently confirmed another security vulnerability that would expose users to the risk of malware being installed on their devices through “specially designed MP4 files” sent via WhatsApp.
The company discovered and solved the problem before, he said, that any exploitation could take place.
What’s next for WhatsApp?
The team and owner of WhatsApp, Facebook, takes security very seriously, it is difficult to argue that it is “in its DNA” without doing so. And platform security issues are not unique. We have seen others exposed, particularly rival Telegram, and the standard SMS alternative is open to attacks. But WhatsApp has become the bearer of the mass market security standard, and that is why this affects so much.
WhatsApp has become and remains a target for threat actors due to its ubiquity. You can guarantee that it will be installed on a target device, and that makes finding your security vulnerabilities a valuable enterprise.