| New Delhi |
Published: January 23, 2020 2:03:01 pm
The hacking of Amazon CEO Jeff Bezos’ phone via a video file sent on WhatsApp has raised a lot of questions, especially regarding the safety of the messaging platform. After all, the world’s richest man and one of the most powerful business leaders had his entire personal data stolen thanks to a video file sent on WhatsApp by an account used by Crown Prince of Saudi Arabia Mohammad Bin Salman. Saudi Arabia on its part has denied the charge that the Crown Prince sent the message.
The Bezos incident is also not the first time that WhatsApp’s security has come under fire. In May 2019, it was reported that a bug or flaw in WhatsApp voice and video protocol had allowed for a sophisticated spyware called Pegasus to be deployed in a various countries to carry out unlawful surveillance.
Pegasus spyware is made by Israeli cyber-security firm NSO Group. In October 2019, WhatsApp sued for NSO Group for violating its terms of service and using its platform to spread the spyware. The cyber-security firm has always denied the charge, including the recent one about the Amazon founder’s phone hacking.
The WhatsApp MP4 file flaw
In Bezos’ case, a different flaw in WhatsApp was used to exploit and hack into the phone. While Pegasus was most likely the spyware used to steal Bezos’ data, according to the UN report, the mode of delivery for the spyware was via a different vector.
The issue with the video files was acknowledged by Facebook and WhatsApp back in November 2019. But Bezos’ phone was likely hacked around May 2018, nearly a year before Facebook and WhatsApp even discovered the issue.
WhatsApp had described the vulnerability or flaw in its system as “a stack-based buffer overflow”, which could “triggered” by “sending a specially crafted MP4 file to a WhatsApp user.” This kind of attack could allow for a remote attacker to take complete control of a system, and steal and access all data on the device. This is exactly what ended up happening on Bezos’ phone.
The problem was further compounded by the fact that the user did not have to carry out any action in order for the spyware or malicious file to take control of the system. Just sending a malicious MP4 file was enough. Even if the user did not click on the link, it could eventually take over the user’s system.
WhatsApp had asked users to update their apps in order to be on the latest versions, and avoid being impacted by the flaw. The company has also said at the time that it did not think any users were impacted by the issue, meaning their phones were not compromised because of the flaw. The new Bezos revelations confirm that this was not the case.
WhatsApp flaw on video/voice call
In addition to the MP4 file flaw, another bug on WhatsApp was used to deploy Pegasus and carry out unlawful surveillance. The issue was actually reported in May 2019, though the full scale only became evident in October 2019, when WhatsApp began informing users who were impacted by this campaign.
With Pegasus, the key is that it is licensed only to governments or law enforcement agencies and not some software that anyone can buy, given there is also an exorbitant cost attached to it. In this case, the spyware exploited a flaw in voice and video protocol of WhatsApp to eventually take over the victim’s phone.
A missed voice or video call made to the victim’s WhatsApp number was enough and Pegasus would get deployed. Once installed the phone, it has complete control over the device and could be used to track and steal all data from phone calls, messages. It could even be used to remotely turn on the camera or microphone and spy on the user.
WhatsApp had initially said that the attack had targeted a “select number” of users. The lawsuit against NSO Group revealed that nearly 1400 mobile phones and devices were targeted. The surveillance was carried out “between in and around April 2019 and May 2019” on users in 20 countries across four continents.
India was also one of the countries where Pegasus was deployed and used to spy on journalists and human rights activists. The Indian Express had first reported that close to two dozen academics, lawyers, Dalit activists and journalists in India were contacted and alerted by WhatsApp that their phones were under the high tech surveillance for nearly two weeks until May 2019.
Is WhatsApp still safe for you?
Given WhatsApp has over 2 billion users across the world and nearly 400 million of those are in India, the concerns about its safety are legitimate. The hacking of Bezos obviously raises a lot of uncomfortable questions about the platform as well. Keep in mind though that the popularity of WhatsApp also makes it an easy and popular target.
The voice/video call flaw used to exploit WhatsApp was a zero-day vulnerability, meaning even the company did not know the flaw existed, though it pushed out the patch to fix this once it discovered about the problem.
These are often found in software, and really there’s no way to protect yourself until the developer or the company are alerted about the flaw and fixes it for all users.
The MP4 video file issue it seems was ‘discovered internally’ by Facebook and WhatsApp teams. Clearly outside hackers also knew about the problem, and had managed to exploit it nearly a year before the company even fixed issue.
Regarding the safety, all software is vulnerable to being hacked, considering cyber security experts and hackers are constantly trying to find flaws that they can exploit. And this applies to Apple’s iOS or Google’s Android or Microsoft’s Windows as well. For users, the only assurance when it comes to such flaws is that they should stay on top of updates as they are rolled out to avoid their systems or devices getting compromised.
© IE Online Media Services Pvt Ltd