YOU’VE HEARD THE advice a million times. Don’t click links in suspicious emails or texts. Don’t download shady apps. But a new Financial Times report alleges that the notorious Israeli spy firm NSO Group developed a WhatsApp exploit that could inject malware onto targeted phones—and steal data from them—simply by calling them. The targets didn’t need to pick up to be infected, and the calls often left no trace on the phone’s log. But how would a hack like that even work in the first place?
WhatsApp, which offers encrypted messaging by default to its 1.5 billion users worldwide, discovered the vulnerability in early May and released a patch for it on Monday. The Facebook-owned company told the FT that it contacted a number of human rights groups about the issue and that exploitation of this vulnerability bears “all the hallmarks of a private company known to work with governments to deliver spyware.” In a statement, NSO Group denied any involvement in selecting or targeting victims but not its role in the creation of the hack itself.
So-called zero-day bugs, in which attackers find a vulnerability before the company can patch it, happen on every platform. It’s part and parcel of software development; the trick is to close those security gaps as quickly as possible. Still, a hack that requires nothing but an incoming phone call seems uniquely challenging—if not impossible—to defend against.
WhatsApp wouldn’t elaborate to WIRED about how it discovered the bug or give specifics on how it works, but the company says it is doing infrastructure upgrades in addition to pushing a patch to ensure that customers can’t be targeted with other phone-call bugs.
“Remote-exploitable bugs can exist in any application that receives data from untrusted sources,” says Karsten Nohl, chief scientist at the German firm Security Research Labs. That includes WhatsApp calls, which use the voice-over-internet protocol to connect users. VoIP applications have to acknowledge incoming calls and notify you about them, even if you don’t pick up. “The more complex the data parsing, the more room for error,” Nohl says. “In the case of WhatsApp, the protocol for establishing a connection is rather complex, so there is definitely room for exploitable bugs that can be triggered without the other end picking up the call.”
VoIP calling services have been around for so long that you’d think any kinks in the basic call connection protocols would be worked out by now. But in practice, every service’s implementation is a little bit different. Nohl points out that things get even trickier when you are offering end-to-end encrypted calling, as WhatsApp famously does. While WhatsApp bases its end-to-end encryption on the Signal Protocol, its VoIP calling functionally likely also includes other proprietary code as well. Signal says that its service is not vulnerable to this calling attack.
According to Facebook’s security advisory, the WhatsApp vulnerability stemmed from an extremely common type of bug known as a buffer overflow. Apps have a sort of holding pen, called a buffer, to stash extra data. A popular class of attacks strategically overburdens that buffer so the data “overflows” into other parts of the memory. This can cause crashes or, in some cases, give attackers a foothold to gain more and more control. That’s what happened with WhatsApp. The hack exploits the fact that in a VoIP call the system has to be primed for a range of possible inputs from the user: pick up, decline the call, and so on.
“This does indeed sound like a freak incident, but at the heart of it seems to be a buffer overflow problem that is unfortunately not too uncommon these days,” says Bjoern Rupp, CEO of the German secure communication firm CryptoPhone. “Security never was WhatsApp’s primary design objective, which means WhatsApp has to rely on complex VoIP stacks that are known for having vulnerabilities.”
The WhatsApp bug was being exploited to target only a small number of high-profile activists and political dissidents, so most people won’t have been affected by any of this in practice. But you should still download the patch on your Android and iOS devices.
“Companies like NSO Group try to keep a little stockpile of things that can be used to get onto devices,” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab. “This incident makes it abundantly clear that anyone with a phone is impacted by the kind of vulnerabilities that customers of these companies are slinging around. There’s a reality here for all of us.”