From the magazine: WhatsApp breach exposes risks in zero-day bugs
Zero-day attacks exploit vulnerabilities before they are patched
On Monday 13 May, Facebook revealed that an “advanced cyber actor” has been spying on some users of its WhatsApp messaging app, exploiting a zero-day vulnerability that allowed hackers to install spyware just by calling a victim’s phone, even if the call was not answered.
That was just the highlight of a very busy month in the cyber warfare sphere.
Another Facebook subsidiary, Instagram, had almost 50 million user identities leaked online in the same month, including emails and phone numbers of high-profile influencers.
Sydney-based start-up Canva also suffered a major breach in which details of more than 139 million users were taken.
May also marked one year since GDPR came into force. According to the EU ICO (Information Commissioner’s Office), more than 14,000 data breaches were logged in the first year since the introduction of the GDPR, which is almost four times the number reported in 2017/18.
The WhatsApp hack was the result of targeted malware, and it has been claimed that a nation-state was targeting a small number of political activists.
A victim’s device in such a case would act very differently than a non-infected device, and while no details of the actions taken by this malware have emerged, one could assume that an attacker may seek out bulk contact lists, email data, location data or other personal information, observes Carl Leonard, principal security analyst, Forcepoint.
“Rather than using a threat-based approach (where security professionals block individual threats, one by one), using a behaviour-based approach can pay dividends. By analysing the normal behaviour of a device, or in enterprise terms, any entity on a system, security professionals can act on the anomalies and stop even the most sophisticated attack quickly,” Leonard said.
A zero-day bug was to blame for the WhatsApp breach. A zero-day bug is a vulnerability that attackers find before the company can patch it. Such bugs are also a normal part of the software development cycle.
Despite best efforts, bugs in software exist, observes Olaf Kolkman, chief internet technology officer at the Internet Society, adding that if critical bugs in global communication systems are found they can have a global impact.
Using software bugs to gain access to users’ encrypted devices and communications is also one of the approaches that arises in the context of lawful access by law enforcement. However, hoarding vulnerabilities puts us all at risk, warned Kolkman. “When bugs like these are found they can either be reported to fix the software, used to create an exploit, or sold. Knowledge of an exploitable bug can be sold to multiple parties.”
This breach illustrates how the exploitation of unintentional bugs can undermine the security of hundreds of millions of users, and that they pose a risk to national security and personal safety, Kolkman said.
“The Internet Society calls for strong and secure communication, and takes exception to (even) lawful access methodologies that weaken security, not only of the encryption technology itself but also of the devices and applications that offer it,” said Kolkman.