Building Trust 14 May 2019

WhatsApp: How a Bug Relates to the G7

By Olaf Kolkman, Chief Internet Technology Officer

On 13 May, more than a billion users saw the messaging application WhatsApp being updated. At the same time reports appeared that a vulnerability had been used in attacks that targeted an unknown but select number of users and was orchestrated by an advanced cyber actor.

Facebook, the owner of WhatsApp, reported that it had fixed a vulnerability – a buffer overflow, a fairly well-known class of vulnerability – that was, according to media reports (see references below), used by the spyware product Pegasus from the NSO Group, an Israeli company that sells spyware to governments and intelligence agencies around the world.

Two observations:

  • Despite best efforts, bugs in software exist – and if critical bugs in global communication systems are found, they can have a global impact. Two further observations come with that:
    • WhatsApp is a valuable target: if bugs exist, they will be found and exploited.
    • A process that allows bugs to be reported, promptly fixed, and automatically rolled out is a crucial element in maintaining (or restoring) trust in this sort of software. There are sectors of the industry (anybody listening in IoT land?) that can learn from how Facebook handled this.
  • The use of spyware like this cannot be contained; a Financial Times article suggests that clearly: the NSO software has been used against lawyers engaged in a lawsuit against the NSO Group and against various civil rights groups.

Using software bugs to gain access to the encrypted devices and communications of users is also one of the approaches that arises in the context of lawful access by law enforcement. However, hoarding vulnerabilities puts us all at risk. When bugs like this are found, they can either be reported so the software is fixed, used to create an exploit, or sold. Knowledge of an exploitable bug can be sold to multiple parties. Whilst arguably speculative, one cannot be certain that the NSO Group was the only entity with knowledge of this vulnerability.

This example clearly makes the case that exploits of unintentional bugs undermine the security of over a billion WhatsApp users, and that they pose a risk to national security and personal safety. One can only imagine the effect of introducing intentional vulnerabilities, which is what the lawful access methodologies proposed so far would do.

As the Digital Ministers of the G7 countries prepare to meet tomorrow, this serves as a real-world example of one of the reasons why the Internet Society calls for strong and secure communication, and takes exception to lawful access methodologies that weaken security – not only of the encryption technology itself but also of the devices and applications that offer it.

It is a critical time to stand for strong and secure communications. If you are on social media, use the #G7 hashtag and join us by asking world leaders to support strong and secure encryption for all.

References

Two Financial Times articles did the early reporting on this: https://www.ft.com/content/7f2f39b2-733e-11e9-bf5c-6eeb837566c5 and https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab (both paywalled); various other outlets picked up the news too.

Encryption is under threat around the world. It’s up to each of us to take action.


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
