WhatsApp on an iPhone
Published 15 May 2019

A vulnerability in the hugely popular messaging app WhatsApp has been found and exploited by threat actors. The attack vector is a voice call. The victim doesn't even need to answer the call. How can that possibly work? 

WhatsApp Hacked Using a Voice Call

A WhatsApp voice call uses a protocol called Voice Over Internet Protocol (VOIP) to connect the participants of the call. When the call rings at the target handset a collection of pieces of information (called a header) is sent to that copy of WhatsApp so that it can notify the user that they have an incoming call. WhatsApp will use the information from the VOIP header in different ways. For example, it will take the phone number of the incoming caller and try to match it with the entries in the contact address book. It'll then be able to say "Dave is calling". If it can't find any matches it'll only be able to display the phone number.

WhatsApp understands and adheres to the VOIP protocol, and expects data to be provided according to the rules of that protocol. That's why there are protocols. They define the rules that software must obey in order to interwork with other software. WhatsApp has a handler for VOIP headers, and routines that extract the data from the header. The header data is used and retained until it is no longer required. But WhatsApp had a defect in the programming its VOIP header handler.

The Old Buffer Overflow Trick

WhatsApp didn't check whether the data sent to it in the VOIP header would fit into the areas of memory reserved for holding that data. An intentionally malformed header would cause WhatsApp to try to put more data into one of these memory areas than it could hold. The data would overrun the memory location and affect the contents of memory adjacent to it. The clever part is the data that is going to overflow will contain binary values that, when they overflow into the adjacent memory locations, make up valid looking computer code that gets executed as though it were an integral part of the WhatsApp program. 

The flaw in the WhatsApp program was that it blindly took the data out of the header. It didn't check that the data would fit into the reserved memory, nor did it check whether that memory was becoming full. It just kept accepting data and trying to store it. You can't fit a quart into a pint pot.

This is called a buffer overflow attack. It is an attack technique as old as the hills. The novel part is using the header of a VOIP call to deliver the overflow data, but the buffer overflow as an exploit is, in computing terms, ancient. So it is very disheartening to find it in an application in 2019 that is used by approximately one and a half billion people around the world.

Facebook own WhatsApp. They hurriedly released a patch to close the vulnerability, which has been christened CVE-2019-3568. The WhatsApp updates have already been pushed out to many phones. If your phone hasn't received an update to WhatsApp, force it to manually update (see below).

“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via a specially crafted series of SRTCP packets (Secure Real-time Transport Control Protocol packets) sent to a target phone number,” said Facebook in an amazingly terse announcement on Monday 13th May.

The Patched (Safe) Versions of WhatsApp

The patched versions of WhatsApp are:

Android 
WhatsApp v2.19.134 onwards
WhatsApp Business for Android v2.19.44 onwards

iOS 
WhatsApp for iOS v2.19.51 onwards
WhatsApp Business for iOS v2.19.51 onwards

Windows Phone
WhatsApp for Windows Phone v2.18.348 onwards

Tizen
WhatsApp for Tizen v2.18.15 onwards

To be safe, you need to be on a version of WhatsApp that is in this list, or on one with a higher version number.

Who Were The Targets?

WhatsApp has end to end encryption for its chats and voice calls, originally developed by a secure messaging app company called Signal. (That's the messaging app we should all be using actually, but it's too late to turn the herd now, I suspect.) So putting spyware into the end point is the only practical way to get around the encryption: monitor what you want once it has arrived at the end point instead of trying to capture and decode the encrypted traffic.

Although this vulnerability was wide-spread throughout the entire WhatsApp installed base, the use of the exploit seems to have been targeted at very few individuals and organisations. Worryingly, these include humans right lawyers and advocates, and Citizen Lab. Citizen Lab are a Canadian not-for-profit that try to monitor the development and spread of spyware. No coincidence there, then.

Attribution has not definitively concluded, but many similarities between the malicious code and products that have been developed by the NSO Group, an Israeli cyber intelligence company have been commented upon. The NSO Group develop software for counter-cyber terrorism. Only organisations like government intelligence agencies and law enforcement agencies can purchase their products. 

The NSO Group have denied using their software to perform this attack (but have not denied writing the software) and of course they won't comment on their customers' use of their software suite (called Pegasus). 

Am I Safe?

In WhatsApp go to the menu, select Settings > Help > App Info. You should see the version of WhatsApp you are using.

If your version number is lower than the applicable one in the list above, manually upgrade.