On 13 May, more than a billion users saw the WhatsApp messaging application receive an update. At the same time, reports appeared that a vulnerability had been used in attacks, orchestrated by an advanced cyber actor, that targeted an unknown but select number of users.
Facebook, the owner of WhatsApp, reported that it had fixed a vulnerability (a buffer overflow, a well-known class of memory-safety bug) that, according to media reports (see references below), was used by the Pegasus spyware product of the NSO Group, an Israeli company that sells spyware to governments and intelligence agencies around the world.
- Despite best efforts, bugs in software exist. If critical bugs are found in global communication systems, they can have a global impact. Two further observations follow from that:
  - WhatsApp is a valuable target: if bugs exist, they will be found and exploited.
  - A process that allows bugs to be reported, promptly fixed, and automatically rolled out is a crucial element in maintaining (or restoring) trust in this sort of software. There are sectors of the industry (anybody listening in IoT land?) that can learn from how Facebook handled this.
- The use of spyware like this cannot be contained, as a Financial Times article makes clear: the NSO software has been used against lawyers engaged in a lawsuit against the NSO Group and against various civil rights groups.
Using software bugs to gain access to users' encrypted devices and communications is also one of the approaches that arises in the context of lawful access by law enforcement. However, hoarding vulnerabilities puts us all at risk. When bugs like this are found, they can be reported so the software is fixed, used to create an exploit, or sold; and knowledge of an exploitable bug can be sold to multiple parties. While admittedly speculative, one cannot be certain that the NSO Group was the only entity with knowledge of this vulnerability.
This example clearly makes the case that exploitation of unintentional bugs undermines the security of over a billion WhatsApp users, and that such exploitation poses a risk to national security and personal safety. One can only imagine the effect of deliberately introduced vulnerabilities, which is what the lawful access methodologies proposed so far amount to.
As the Digital Ministers of the G7 countries prepare to meet tomorrow, this serves as a real-world example of one of the reasons why the Internet Society calls for strong and secure communication, and takes exception to lawful access methodologies that weaken security, not only of the encryption technology itself but also of the devices and applications that offer it.
It is a critical time to stand for strong and secure communications. If you are on social media, use the #G7 hashtag and join us by asking world leaders to support strong and secure encryption for all.
Two Financial Times articles carried the early reporting on this: https://www.ft.com/content/7f2f39b2-733e-11e9-bf5c-6eeb837566c5 and https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab (both paywalled); various other outlets picked up the news too.
Encryption is under threat around the world. It’s up to each of us to take action.