WhatsApp security failures led to widespread political spying: “spouse, key staff members, and close associates”

There’s a buried lede in the recent Citizen Lab report about Catalans targeted by Spanish government spyware: an overly broad dragnet model.

In 2019, WhatsApp patched CVE-2019-3568, a vulnerability exploited by NSO Group to hack Android phones around the world…. […] The spouse, key staff members, and close associates of Carles Puigdemont (MEP, JUNTS) were all targeted…. We count up to eleven individuals that fit this category. For example, Marcela Topor, his spouse, was infected at least twice (on or around October 7, 2019 and July 4, 2020).

This reminds me of news from 50 years ago.

…Gallagher’s concerns were being aired just as FBI wiretaps and bugs targeting Martin Luther King were believed to have violated the privacy rights of over 6,000 people by 1968.

In addition to spying on everyone around a person of interest, the method used by Spain is technically interesting because software patching usually diminishes with degrees of separation from a target.

Does everyone in your circle of family and friends update regularly? They should.

The WhatsApp CVE-2019-3568 cited above was a particularly critical buffer overflow — rated by some as CVSS 9.8 out of 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It led to unauthenticated remote access.

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number.

It was just one out of seven overflow vulnerabilities disclosed by WhatsApp that year alone!

What do I mean by update regularly? This official vulnerability notice for WhatsApp was published 14 May 2019. I tried my best to warn at that time:

Facebook’s “secure” messaging app has been found vulnerable to compromise by a simple call.

That makes the timing of the above October 2019 and July 2020 infections even more noteworthy, because the exploits happened many months later.

Could a simple patch within a month of notice (customary turnaround given the CVSS 9.8 rating) have blocked the attacks on a politician’s spouse? And more importantly perhaps, would a politician’s spouse have updated quickly?

It seems WhatsApp security marketing and promotion gave everyone a false sense of confidence.

In other words, here’s the real twist to this otherwise routine story, which should be reported far more widely. On April 11, 2019 a disgraced and fired former CSO of Facebook went on tour to promote WhatsApp as “the most privacy enhancing” product of all time.

Source: Twitter

And here’s a pro-tip about encryption: It doesn’t do anything to protect privacy when its application opens up a giant vulnerability giving open access to the system it runs on. Facebook (e.g. WhatsApp) thus may be recorded as the most privacy-destroying software in history because of its deceptive claims about safety.

Their ex-CSO could have been warning about the litany of security vulnerabilities in software that makes it an inherently untrustworthy communication channel, requiring careful management and maintenance — WhatsApp being no exception. That’s normal security professional advice (again, as I warned in May 2019).

Instead it seems overconfidence and bluster went unchallenged until far too late, a story all too familiar for those who know what’s going on behind the scenes in Silicon Valley.

For nearly a decade now and certainly since 2015 I’ve warned Spanish-speaking officials (among others) to ignore encryption puffery — not to trust WhatsApp for communication.

Given these technical details the political part of the story that seems to get lost in the news is that Facebook has strong ties with Russia, Catalan separatists had strong ties with Russia, and so… Catalans using Facebook were spied on by Western intelligence because Facebook (like Russia) is so awful at real security.
