Google's Project Zero team investigated WhatsApp's and FaceTime's video conferencing last year:
"Overall, WhatsApp signalling seemed like a promising attack surface, but we did not find any vulnerabilities in it. There were two areas where we were able to extend the attack surface beyond what is used in the basic call flow. First, it was possible to send signalling messages that should only be sent after a call is answered before the call is answered, and they were processed by the receiving device. Second, it was possible for a peer to send voip_options JSON to another device. WhatsApp could reduce the attack surface of signalling by removing these capabilities."
"Using this setup, I was able to fuzz FaceTime calls and reproduce the crashes. I reported three CVEs in FaceTime based on this work."
In both cases, the closed-source nature of the applications stymied their efforts.
Why do you say that? In the WhatsApp case, they were able to repeatedly modify the code and also yank it out and run it in their own controlled environment, etc.
The post says "the close[d] source nature of the applications stymied their efforts" not "finding security bugs is harder than not-finding security bugs". I didn't read anything in the linked post that supports the former statement, the latter one (or variants) seems obvious.
Yeah, there's a cottage industry of security firms who sell exploits to the U.S. government directly or indirectly through big defense contractors. Many, and I personally have assumed _most_ (but without checking), are American firms.
And, frankly, the Israeli industry has much to gain by advertising their prowess in order to bolster their IT security bona fides internationally. American firms are probably more discreet, so tabulating widely published exploits by country of origin wouldn't be a great metric to determine which country is doing the most work crafting exploits.
Curious as to why you think it's a bubble. Israeli startups have had many successful exits in recent years, although mostly acquisitions, and not many big flops.
It's just my unsubstantiated opinion. Too many players raising too much money in a consolidated market. Bar some notable exceptions (NSO), this herd of misguided lemmings has one way out - acquisition by Checkpoint/Imperva/SalesForce.
But maybe I'm wrong and we'll see 100 Mobileyes in the coming decade.
Wow! I had no idea there was a whole industry selling spyware to dictatorships. Surveillance equipment, yes, but not actual hacking tools. Really sickening. Must be why governments in Europe are so afraid of Huawei building 5G networks - they will only run Chinese spyware.
Huawei's equipment will almost assuredly run anyone's spyware. Huawei uses a medley of ancient, highly vulnerable OpenSSL libraries sprinkled through their basestation code, and apparently they've forgone any kind of version control to ensure an optimally confusing work environment for their development teams: https://hmgstrategy.com/resource-center/articles/2019/04/04/...
Frankly, these products are likely unmaintainable long term without a total refactoring of the codebase, never mind the abject lack of security.
The trick with these vendors is the codebase will never see serious improvement, as these basestations aren't going to be sold for the next decade, so Huawei will do the bare minimum and shelve support in short order.
Huawei's software development practices seem quite horrifying. Critical systems like these ideally would be written in specially-designed programming languages that support mathematically proving correctness (Coq comes to mind). There's probably still room in the programming language design field to create new languages that are user-friendly but also integrate Coq-like systems plus other verifiability and correctness techniques into the language itself.
Or Juniper's constant flow of new CVEs, they are a popular alternative to Cisco that many ISPs use heavily :P
Network security is piss poor, most of these vendors add vulnerabilities atop secure distros (OpenWrt, Debian, etc) and flog it as the best thing since sliced bread.
It's not that much different from mercenary outfits like The Company Formerly Known As Blackwater. They offer services to all sorts of unsavory regimes. Hackers for hire are just another iteration on the idea.
No, it is very much dissimilar. Security personnel who work for Blackwater make a conscious decision to do so and are flown overseas to physically enact Blackwater's business decisions. Many (maybe most?) of the people who sell vulnerabilities and (to a lesser extent) exploitation tools to spyware firms are selling through brokers, and aren't directly connected to the ultimate end purpose of their work.
You can say that people who sell vulnerabilities to unaffiliated-seeming, neutral-seeming, innocuous-seeming brokers ought to know better where their work is going to end up, and I suppose that's true, but it's still not the same dynamic as exists with Blackwater.
Normally I agree with you on almost everything in this realm, since, well, it's your field of expertise.
But XE/Blackwater/whatever has plenty of support staff enabling operators overseas. Just because you don't carry an M4 while you cash your check from the organization doesn't mean you aren't helping them in their missions.
If you sell vulns and tools to spyware firms, you know exactly who the most likely high bidders are. It ain't the Bill and Melinda Gates Foundation.
Those people actually work for Blackwater. People who sell vulnerabilities by and large have only a vague idea of their customers. Many exploit developers would, for instance, draw a line between enablement of FVEY national SIGINT and shady spyware shops like NSO, and can rationalize that it's the good guys who are getting their bugs.
I'm not saying that makes it OK (I think the opposite thing, in fact, though I feel like I always need to add the disclaimer that the kinds of bugs that have commercial/operational relevance aren't the kind I develop). I'm saying that the dynamics are different than they are with Blackwater.
This kind of story in particular sure reads like digital mercenaries to me. It's not quite the same as what Hacking Group does! But a shady corporation hired former NSA hackers and partnered closely with the UAE to the point that the hackers themselves get cold feet because they learn exactly what their consulting was being used for.
I don't know enough about Hacking Group to know how closely they work with the people they sell to.
It wouldn't even matter if Huawei doesn't use and has never used their position in infrastructure to conduct spying or surveillance. The very fact that they're entirely reliant on the Chinese government makes them (and any of their employees on an individual level) vulnerable to Chinese policy needs, now or in the future.
I don't quite understand the Huawei analogy. NSO isn't partnering with Israeli companies to preinstall malware on their stuff. So I don't see how this is an indication that a Chinese version of NSO will partner with Huawei to preinstall malware on Huawei stuff. If NSO can hack American software, then Chinese NSO can hack American software too.
The Israeli military-industrial ELINT industry and C4I people sell stuff to all sorts of authoritarian regimes. Even the ones that the US and UK won't touch.
Based on the Phalcon affair I don't think Israel exports to anyone the US didn't want to have it; the last time they tried it basically toppled an Israeli government.
I guess these types of vulnerabilities could be placed intentionally. It would allow certain agencies to gain access via "exploit" and all the while claim they support user privacy. These companies are under pressure from governments (like the recent Australian government law requiring access to encrypted messages). Seems like a decent solution for company and governments.
The industry calls this a "bug-door" and yes, plausible deniability is key. Most of this has been a hypothetical possibility. This case does not fit that bill though, as the vendor discovered it was being used by another country, prevented the exploit against a user, fixed it, and alerted the authorities. It would be more peculiar if it was a US-based company selling the spyware.
The update can be analyzed to see what was changed, even if we only have the binary executable. If we know that an app contains intentional bugs, just looking at where the update made changes could eliminate a lot of looking & find the bugs even faster! There are many automated tools that can do this too, e.g. fuzzing. The updates can also hint to us where the previous bug was and what to look out for in the future.
So, nope. Introducing security bugs and backdoors just makes it insecure for everyone.
Oh, so you are reverse engineering and thoroughly analyzing every WhatsApp update? That's reassuring. Cause otherwise I'd have said nobody does this on a regular basis which would mean it still is a viable method.
So yes, I'm pretty sure that there are various teams, including white-hats such as Google, black-hats, nation-states such as China / Russia, analyzing each and every update.
There was also an interesting article on Hacker News a while back demonstrating the technique; there are some nice tools for this. Sorry, can't find the link now.
There's also the curiously peculiar, and consistent, wording from companies that deny their involvement in programs such as PRISM [1]. As people seem to have forgotten about PRISM, NSA slides not meant for public consumption stated it enabled "extensive, in-depth surveillance on live communications and stored information" with examples including email, video and voice chat, videos, photos, voice-over-IP chats (such as Skype), file transfers, and social networking details.
But here's the fun part. Here are the corporate denials:
- Google: "We have not joined any program that would give the U.S. government direct access to our servers."
- Apple: "We do not provide any government agency with direct access to our servers."
- Facebook: "We do not provide any government organization with direct access to Facebook servers."
And so on. An exploit with plausible deniability enables these companies to make these comments completely truthfully, and at least mostly truthfully if they claim they are not providing a backdoor. But more to the point, there is absolutely no reason these companies would all say "direct access" as that's very specifically a subset of "access." If you do not facilitate direct or indirect access, why would you not simply say access? If this were a one-off thing, that'd be one thing since on occasion some PR is... odd. But literally all the companies were saying the exact same very peculiar thing. That's not a coincidence.
It seems to me that if this is possible an OS software upgrade of some sort is urgently required, in addition to possible updates of WhatsApp. How come there isn’t coverage of this as Android and iOS vulnerabilities?
Gaining control of WhatsApp gains access to any API accessible to WhatsApp. Incompetent reporting may be at fault.
On Android, WhatsApp seeks a wide array of permission-controlled APIs. It does so on iOS as well. Once granted, the app has access to any data available through access-allowed APIs.
App code goes through an audit process to ensure that the app isn’t using accessible APIs inappropriately, and doesn’t permit unapproved code execution.
This vulnerability allows an attacker to execute unapproved code in the WhatsApp context. Any API that iOS or Android offer WhatsApp under normal circumstances is now attacker-controlled.
The two questions unanswered by the press to date are simple. On iOS and on Android, can the attacker’s code be terminated by force-quitting and uninstalling WhatsApp?
Either the attack is persistent only because it sets up shop inside the app, which may have OS-granted background and/or screen-off execution rights, and thus can be terminated simply by quitting and removing the app — or, the attack gains persistence beyond the confines of the app.
Media reports are unclear on this point. If the OS offers apps endpoints that an app executing attacker-controlled code can use to infect the OS with persistent attack code that executes outside the app’s boundaries and remains after app uninstallation, then that’s absolutely a flaw in the design of the OS. As you say, “Android and iOS vulnerabilities”.
Very interested to know what this means in practice, particularly for iOS.
AFAIK, there are no permissions which allow you to read SMS messages, take screenshots (unless jailbroken), access photos in the background, access the camera in the background etc etc
Does this just spy on the user's WhatsApp activity, or spy on the user in a broader way?
How could the APIs WhatsApp does have access to be abused?
The app is infected, calls a 0-day using an illegal parameter that’s normally rejected by app store filters, and gains a permanent beachhead in your Android system services list.
> access photos in the background
Unclear. Apps can show thumbnail galleries of your photos within their native UI, so it may well be possible for them to continue directly to reading photos.
> access the camera in the background
Unclear. Does FaceTime continue transmitting video when the phone screen is turned off? Is it possible to capture stills or video when the screen is off on a jailbroken phone?
> or spy on the user in a broader way
Android WhatsApp seeks permission to read your SMSes, so that would be almost certainly correct as well there.
There's no possible way to read SMS messages programmatically in iOS for example; the closest you get is reading one-time passwords sent, and you can only do that when the user has the keyboard open when the SMS is received.
I know Android is slightly more lax in this (and some other) regards. I wonder if Android WhatsApp users targeted by this exploit have had more data exposed than iOS users targeted by the same exploit?
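The question of what a compromised app can reach on each platform (raised above, and earlier in the thread: "Once granted, the app has access to any data available through access-allowed APIs") can be checked from the app's own declarations. The following is an added example, not code from the thread or from WhatsApp: it parses a constructed `AndroidManifest.xml` and a constructed iOS `Info.plist` for a hypothetical messaging app, maps the declared permissions and usage-description keys to the data an attacker executing code inside the app's process would inherit, and reports the per-platform difference. The `ANDROID_IMPACT` and `IOS_IMPACT` tables are this example's own simplified assumptions, not a vendor classification.

```python
"""Estimate what in-process attacker code inherits from an app's declared permissions.

Added example (not from the thread or WhatsApp). Both input files below are
constructed for a hypothetical app "com.example.messenger".
"""
import plistlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed AndroidManifest.xml fragment (hypothetical app).
ANDROID_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Constructed Info.plist fragment. On iOS an app must declare a usage
# description for a protected resource before the OS will even prompt for it,
# so these keys bound what the app (and code running as the app) can ask for.
IOS_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.messenger</string>
  <key>NSCameraUsageDescription</key><string>Video calls</string>
  <key>NSMicrophoneUsageDescription</key><string>Voice calls</string>
  <key>NSContactsUsageDescription</key><string>Find friends</string>
  <key>NSPhotoLibraryUsageDescription</key><string>Share photos</string>
</dict>
</plist>
"""

# Assumed mapping (this example's own) from a declaration to the user data an
# attacker running inside the app's process would gain. Unlisted entries are
# treated as low impact for this estimate.
ANDROID_IMPACT: Dict[str, str] = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "photos",
}
IOS_IMPACT: Dict[str, str] = {
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSContactsUsageDescription": "contacts",
    "NSPhotoLibraryUsageDescription": "photos",
    "NSLocationWhenInUseUsageDescription": "location",
}


def android_permissions(manifest_xml: bytes) -> List[str]:
    """Return every <uses-permission android:name=...> in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")]


def ios_usage_keys(plist_xml: bytes) -> List[str]:
    """Return the *UsageDescription keys, i.e. the protected resources iOS may grant."""
    info = plistlib.loads(plist_xml)
    return sorted(k for k in info if k.endswith("UsageDescription"))


def blast_radius(declared: List[str], impact: Dict[str, str]) -> Set[str]:
    """Map declarations to the categories of user data an in-process attacker inherits."""
    return {impact[d] for d in declared if d in impact}


def compare_platforms(manifest_xml: bytes, plist_xml: bytes) -> Dict[str, Set[str]]:
    """Per-platform exposure plus what each platform exposes that the other does not."""
    android = blast_radius(android_permissions(manifest_xml), ANDROID_IMPACT)
    ios = blast_radius(ios_usage_keys(plist_xml), IOS_IMPACT)
    return {"android": android, "ios": ios,
            "android_only": android - ios, "ios_only": ios - android}


if __name__ == "__main__":
    for platform, data in compare_platforms(ANDROID_MANIFEST, IOS_INFO_PLIST).items():
        print(f"{platform:13s} {sorted(data)}")
```

The comparison only answers "what could the attacker ask the OS for"; whether a given API is usable while the app is backgrounded or the screen is off is a separate runtime question that the declarations do not settle.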
Or there should simply not be background access to certain APIs, such as camera, video, and photo library.
Background audio access on iOS presents a bright red indicator on all non-app screens that can neither be hidden nor removed, as it’s baked into the OS. iOS may require a separate permission dialog for “capture video with sound” and “record sound with/out screen on”, I don’t know. I doubt Android bothers to do any of this.
CVE-2019-3568 suggests this was a buffer overflow. I'd like to understand why this was implemented in native code - Android seems to have an `android.net.rtp` package?
Is this simply for performance, or to enable code-sharing across Android and iOS? Is there anything about WhatsApp's use-case that would prevent an implementation using managed code?
Also, what exploitation mitigations are broken on Android/iOS such that a buffer overflow is reliably exploitable? Are their implementations of ASLR useless? Is it trivially bypassed? Is mandatory code-signing not enabled/enforced?
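The overflow class behind a bug like this is usually a length field inside the packet that the parser trusts without comparing it to the bytes actually received. The RTP header (RFC 3550) has two such fields: the 4-bit CSRC count and the 16-bit extension length. The following is an added example, not WhatsApp's or Android's code: a parser that checks every self-described length against the buffer before reading, written in Python so the checks are explicit (a native implementation must perform the same comparisons, where a missing one becomes an out-of-bounds read or write rather than an exception). It also includes a small mutation loop, in the spirit of the fuzzing Project Zero described, that confirms malformed packets are rejected with the parser's own error rather than an unexpected exception. All packets are constructed; `build_rtp` and the 0xBEDE extension profile value are this example's choices.

```python
"""Bounds-checked RTP header parsing (RFC 3550). Added example, not WhatsApp code."""
import random
import struct
from dataclasses import dataclass, field
from typing import List, Optional

RTP_FIXED_HEADER = 12


class RtpParseError(ValueError):
    """Raised for any packet whose declared lengths do not fit the buffer."""


@dataclass
class RtpPacket:
    version: int
    padding: bool
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int
    csrcs: List[int] = field(default_factory=list)
    extension: Optional[bytes] = None
    payload: bytes = b""


def parse_rtp(packet: bytes) -> RtpPacket:
    """Parse an RTP packet, refusing anything whose self-described lengths exceed it."""
    if len(packet) < RTP_FIXED_HEADER:
        raise RtpParseError("packet shorter than fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_FIXED_HEADER])
    version = b0 >> 6
    if version != 2:
        raise RtpParseError("unsupported RTP version %d" % version)
    padding, has_ext, csrc_count = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    marker, payload_type = bool(b1 & 0x80), b1 & 0x7F

    # CSRC list: csrc_count (sender-controlled, 0..15) * 4 bytes. Check, then read.
    offset = RTP_FIXED_HEADER
    csrc_end = offset + 4 * csrc_count
    if csrc_end > len(packet):
        raise RtpParseError("CSRC count exceeds packet length")
    csrcs = list(struct.unpack("!%dI" % csrc_count, packet[offset:csrc_end]))
    offset = csrc_end

    extension = None
    if has_ext:
        # Extension header: 16-bit profile, 16-bit length in 32-bit words (up to 65535).
        if offset + 4 > len(packet):
            raise RtpParseError("truncated extension header")
        _profile, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        ext_end = offset + 4 * ext_words
        if ext_end > len(packet):
            raise RtpParseError("extension length exceeds packet length")
        extension, offset = packet[offset:ext_end], ext_end

    payload_end = len(packet)
    if padding:
        pad_len = packet[-1]  # last byte says how many trailing bytes are padding
        if pad_len == 0 or offset + pad_len > len(packet):
            raise RtpParseError("invalid padding length")
        payload_end = len(packet) - pad_len
    return RtpPacket(version, padding, marker, payload_type, seq, ts, ssrc,
                     csrcs, extension, packet[offset:payload_end])


def build_rtp(payload: bytes, csrcs=(), extension: Optional[bytes] = None,
              seq: int = 1, ts: int = 0, ssrc: int = 0xDEADBEEF, pt: int = 96) -> bytes:
    """Construct a well-formed packet (used for the tests and the mutation loop)."""
    b0 = (2 << 6) | (0x10 if extension is not None else 0) | len(csrcs)
    pkt = struct.pack("!BBHII", b0, pt, seq, ts, ssrc)
    pkt += b"".join(struct.pack("!I", c) for c in csrcs)
    if extension is not None:
        if len(extension) % 4:
            raise ValueError("extension must be a multiple of 4 bytes")
        pkt += struct.pack("!HH", 0xBEDE, len(extension) // 4) + extension
    return pkt + payload


def fuzz_parser(iterations: int = 2000, seed: int = 1234) -> int:
    """Mutate and truncate a valid packet; every failure must be an RtpParseError.
    Any other exception (IndexError, struct.error) would be the Python analogue
    of the out-of-bounds access a C parser would perform. Returns the reject count."""
    rng = random.Random(seed)
    base = build_rtp(b"\x00" * 20, csrcs=(1, 2), extension=b"\x01\x02\x03\x04")
    rejected = 0
    for _ in range(iterations):
        mutant = bytearray(base)
        for _ in range(rng.randint(1, 4)):
            mutant[rng.randrange(len(mutant))] = rng.randrange(256)
        try:
            parse_rtp(bytes(mutant[:rng.randint(0, len(mutant))]))
        except RtpParseError:
            rejected += 1
    return rejected


if __name__ == "__main__":
    print(parse_rtp(build_rtp(b"hello", csrcs=(0x11, 0x22))))
    print("rejected mutants:", fuzz_parser())
```

Each check sits between reading a length and using it; that ordering is the whole defence, and it is what ASLR and code signing cannot substitute for once a write past the buffer is allowed to happen.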
All very good questions, hopefully we can get some more information as time progresses (maybe a PoC, or at least a technical write-up on the specifics).
I suspect we'll never know for sure, but we can guess. ~73% of users apparently use Android to access WhatsApp [1]. As of the start of 2018, WhatsApp had 1.3 billion monthly users [2].
Less than 0.3% of Android users globally use an incompatible API level. If we assume this applies equally to the WhatsApp userbase (and old-Android users are represented with the same proportion in the active monthly users figure) and use 0.3%, we have 2.8 million potentially impacted users. At the current rate of about 1M new users per day, it'd take two or three days for this small slice of the userbase to be replaced.
It would've been losing 0.0219% of their userbase to avoid an RCE that impacted 100%. Now, how much revenue did those users bring in? And how much has this announcement damaged Facebook's share price?
All my life I've thought spyware was developed primarily by evil Russian and Chinese hackers. But apparently also by Israeli developers with their government's blessing and open endorsement. That's some very shady stuff.
Before someone says something about government surveillance of fiber cables. Yes, that is also bad, but exploiting vulnerabilities to install spyware on peoples phones... It crosses yet another line that shouldn't ever be crossed.
> All my life I've thought spyware was developed primarily by evil Russian and Chinese hackers. But apparently also by Israeli developers with their government's blessing and open endorsement. That's some very shady stuff.
Gamma Group is an Anglo-German company that provides similar surveillance software with government blessing and endorsement. Hacking Team (Italian company) sells similar surveillance software to various European governments. Before an embarrassing data breach in 2015 they also used to sell surveillance software to various totalitarian regimes outside Europe.
If I remember correctly, the Italian government at the time made some noise - they weren't happy to find there was no exclusivity in the relationship, so to speak. They kinda threatened to cut their contracts. To be honest I don't know how it ended, it fell off the news in Italy too and that was it. Behind the façade of barely-organised anarchy, Italy is an instinctively authoritarian country and blunt instruments are considered fair game more often than not.
There was Stuxnet, which was almost certainly a joint US/Israeli operation (likely other minor players involved), and plenty of other programs we never hear about.
>All my life I've thought spyware was developed primarily by evil Russian and Chinese hackers.
You've led a very sheltered life if you think the Russians and the Chinese have been more evil than the Americans or the Israelis. I suggest reading history - a lot of it. When it comes to governments there are no good guys, only bad guys.
I’ve read a lot of history. Your last statement is kind of fair. Your first statement is not. (Does eg US imperialism make Roosevelt no better than Hitler? Of course not.)
The Russians and Chinese are doing many things worse than what the US does: Ukraine, the Uighurs.... Both are far less bound by the rule of law. Neither have any serious form of democracy.
False equivalence is a specious but dangerous form of reasoning.
The US has killed millions of people in the last 15 years alone in Iraq, Afghanistan, Libya, Syria, Yemen and a dozen other countries that we have bombed or invaded (including the 8 we are bombing right now). I'm under no illusions about the many despicable things done by the Russians and the Chinese, but it's simply absurd to contend that their behavior is any worse than the United States. We have more of our citizens locked in cages than Russia and China combined. We have toppled more governments and invaded more countries than Russia and China combined by a factor of 10 (or more) since the end of World War II. It's astounding how willfully blind people can be when it comes to their own government. We can't become the good guys until people wake up and acknowledge that there haven't been any good guys.
The US has not killed millions of people in the last 15 years; that is just a blatantly false statement. A quick search on Google or Wikipedia will refute your claim instantly.
Can you provide a decent source for your millions of casualties claim or for your claim about the US toppling more governments than Russia/China? I bet you can't.
Judging by your username I believe you know some things about history. Why spread false info?
Washington DC-based Physicians for Social Responsibility (PSR) released a landmark study concluding that the death toll from 10 years of the "War on Terror" since the 9/11 attacks is at least 1.3 million, and could be as high as 2 million.
> We have toppled more governments and invaded more countries than Russia and China combined by a factor of 10 (or more)
Russia/Soviet Union is roughly on par with the US on the invasion/occupation/regime change count -- of course they did it mostly in eastern Europe, the Caucasus and the MENA region rather than in Latin America.
Roosevelt personally? No. America as a whole? Yes, comparisons can absolutely be made between America's and Hitler's genocidal philosophies, as the former influenced the latter[1].
> Before someone says something about government surveillance of fiber cables.
Anything that goes unencrypted over the internet is (a) public and (b) liable to be changed by anyone on transit. It's like a travelling wikipedia article.
Hmm, I don’t want to get into a state wickedness bidding war, but the US/Israel are democracies where you are unlikely to be eg locked up without a fair trial. Contrast with the fate of the Uighurs.
In foreign policy it’s more balanced (supporting Syria vs Saudi Arabia) but even there, Russia is clearly trying to subvert foreign democracies. China is (perhaps reasonably) pushing for more power in Asia. And while the US support for human rights is patchy, China’s is non-existent.
A close friend of mine was held in custody in the US based on false accusations by a police officer.
The police officer later admitted the false accusations to the judge, that he just wanted to "scare him a bit". The judge nodded, proceeded to acquit him of all offenses except the speeding ticket which he deserved, and off he went.
Which democracies is Russia trying to subvert in ways the US isn't? You could argue that Russia is supporting nationalist movements in most of Europe, but there are very similar efforts from the US.
For example, in my own country, Romania, US religious groups stoked local religious groups to initiate a referendum to change our constitution to ban gay marriage (they actually made it through all the steps and the referendum was held, but so few people showed up to vote that it fell through). Would this count? It was done through false news and propaganda (and probably some minor corruption, but that's just par for the course), but otherwise through legal means - same as all modern Russian influence in Europe that I've heard of.
Let's not forget that the US has explicitly assassinated its own citizens for 'suspicion of terrorism' as well, though they're at least not assassinating their own citizens on their own territory, and not in the kind of huge numbers that Russia and China are.
Grand total, you are talking about a couple thousand people over half a century.
China does worse in a month in Xinjiang. The excesses of western nations stand out like a sore asshole so badly because they are such exceptions to the general rule of law they experience.
To be fair it's not just about the software but about the country too. We know China's policy on censoring the web. Russia is not the sort of place that tolerates activism against Putin. So when you combine this with hacking people's phones it does make it much worse.
>All my life I've thought spyware was developed primarily by evil Russian and Chinese hackers.
Yep, manufacturing of consent at play.
But this aside, I have a friend who worked at an Israeli company whose main business was to sell phone exploits and customer data by using the still very insecure SS7. Basically they were registered as a VoIP operator, but according to my friend that was only a cover, and the real business was selling surveillance data they were gathering via SS7.
Hey Zaro. The author of the FT article would love to have a chat with you and maybe get a quote for a follow-up article. His email is: mehul.srivastava@ft.com
Crossing a new line is a way to signal your opponent that you're unafraid of any and all of their potential retaliation. It is a way to tell them that (you think) you dominate them.
They managed to destroy Iranian nuclear centrifuges using a very sophisticated attack. Read up on Stuxnet.
Also, as an Israeli, I can 100% confirm that Israelis have absolutely no issues with crossing any kind of boundary. The fact that others think that such a thing as "boundaries" exist only serves as an advantage.
> Also, as an Israeli, I can 100% confirm that Israelis have absolutely no issues with crossing any kind of boundary. The fact that others think that such a thing as "boundaries" exist only serves as an advantage.
Maybe as an Israeli you can see the hypocrisy in stating that there are no boundaries when, if it wasn't for a large part of the world deciding that in fact there ARE boundaries that should not be crossed, the Nuremberg trials would never have been held and Israel would not exist at all.
Basically, you’re either dealing with Mossad or not-Mossad.
If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru.
If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them.
And:
Threat: The Mossad doing Mossad things with your email account
Solution: Magical amulets? Fake your own death, move into a submarine? YOU’RE STILL GONNA BE MOSSAD’ED UPON
(That's perhaps a little too light-hearted humor, considering the youtube link in the post I'm responding to...)
Fun fact: The Mossad ran a job ad on Facebook a while ago, which involved a sequence of riddles. First discover a server based on some random-seeming sequence of characters on an image. Then you had to solve a number of programming puzzles. I stopped at the third one, because I don't actually want to work there.
Suddenly I'm less impressed with the Mossad. Really, they recruit hackers on FB?
If I do a quick sample of people I know, there's a super high correlation between being a hacker/developer and not using Facebook. Maybe they should try HN instead.
> ...they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them.
That's basically Israel's attitude on anything: doing anything they want without any kind of boundaries, then denying brazenly they did it, while doing it again and again. Like having snipers shooting at thousands of civilians, kids, journalists, paramedics, who are protesting inside their own borders.
I'd say it has more to do with the very Jewish concept of chutzpah. According to Wikipedia, the term is used "to describe someone who has overstepped the boundaries of accepted behavior" and "Chutzpah amounts to a total denial of personal responsibility, which renders others speechless and incredulous".
The term used to have a very negative connotation, but interestingly, Google says "usually used approvingly". It seems to fit pretty well the descriptions of the "rudeness" and "boldness" in common Israeli culture.
I'd think the onus should be on you to prove that there were 6000 kid, paramedic and journalist deaths.
I'm not arguing that terrorists/soldiers/murderers were killed, you are the one claiming that a reflective vest puts someone above the law.
On top of the 1000s of staged or edited photos/videos coming out of pallywood on a daily basis it's nearly impossible to take anyone making such claims seriously, as they are almost always full of misinformation/lies.
> the onus should be on you to prove that there were 6000 kid, paramedic and journalist deaths
Sorry, maybe I wasn't clear. I didn't mean that all the people shot by snipers (not killed, just shot, usually in the legs and often causing permanent disabilities) were kids or paramedics or journalists. I was questioning your statement that "all ... were shown to be carrying bombs or other explosives". It's quite a categorical statement, and almost certainly wrong.
I would have labeled the article a piece of defeatism disguised as satire, if not for this:
Security research is the continual process of discovering that your spaceship is a deathtrap. However, as John F. Kennedy once said, “SCREW IT WE’RE GOING TO THE MOON.” I cannot live my life in fear because someone named PhreakusMaximus at DefConHat 2014 showed that you can induce peanut allergies at a distance using an SMS message and a lock of your victim’s hair. If that’s how it is, I accept it and move on. Thinking about security is like thinking about where to ride your motorcycle: the safe places are no fun, and the fun places are not safe. I shall ride wherever my spirit takes me, and I shall find my Gigantic Martian Insect Party, and I will, uh, probably be rent asunder by huge cryptozoological mandibles, but I will die like Thomas Jefferson: free, defiant, and without a security label.
From what I've seen, they're not at all unique. Maybe they're more honest about it, though. And given that they're surrounded by enemies, they must maintain that reputation.
"I'm crazier than you are." has always been the US position re strategic nuclear weaponry.
Interesting to hear about this lack of boundaries among Israelis. Is this only for non-Israelis or do you/they cross each other's boundaries? Is this a cultural thing? Why do you think this is the case?
Israelis in general are very blunt and perfectly willing to question superiors and voice opinions and questions in situations where Americans never would. This includes the military where subordinates would question a superior in a way that would never fly in an American military (and probably others).
Israelis on the street will voice opinions to strangers in a way that would be perceived as incredibly rude elsewhere, but is normal in Israel.
> Israelis in general are very blunt and perfectly willing to question superiors and voice opinions and questions in situations where Americans never would. This includes the military where subordinates would question a superior in a way that would never fly in an American military (and probably others).
Well, they claim they are but you don't see anything at least from outside.
From outside it seems they are easily buying whatever government is selling to them. Working on surveillance projects is rather embraced and you even receive strong social support for it.
So I don't get how you compare it to the US! Whereas in the US you would have a hard time convincing people to work on surveillance projects, and even then people often end up having a hard time with their moral values even when they are not directly doing anything wrong.
Not to mention many anti-surveillance activists are based in the US. I believe that is a very unfair comparison.
The truth is, in every country you look, people are a bag of goods and bads, and they manage to find greedy people to work on surveillance projects even in the EU.
You have this strange assumption that people are supposed to find something wrong with surveillance projects.
> Working on surveillance projects is rather embraced and you even receive strong social support for it.
That's right, because there's nothing wrong with it.
> So I don't get how do you compare it to the US!
Because I'm not comparing surveillance projects, I'm comparing modes of speaking.
> Whereas in the US you would have a hard time to convince people to work on surveillance projects and even then often people end up having a hard time with their moral values even when they are not directly doing anything wrong.
Because it's quite obvious to the ordinary Israeli that surveillance projects save lives, so obviously they would want to work on it.
The US isn't under quite the same level of attack, although it's far from clear there is supposed to be something wrong with it in the US either.
If they think you didn't dress your child properly they'll tell you. Or they'll hear you talking about something and give you advice on what to do without any embarrassment on that fact that they overheard you.
You're fighting with your teen, in the US everyone would turn away and pretend not to hear, in Israel they'll just openly talk to you about their own teen and what they did, etc. and then half the bus would chime in. They're all really nice about it mind you, just trying to help.
Israelis think of everyone as part of their personal family, even strangers are really distant relatives, is I guess a good way to put it.
They're a government that the US recognizes, and that's widely recognized by other governments that the US recognizes. That makes them legitimate. Terrorists by definition do not include legitimate governments. Anyone that doesn't agree is a "terrorist sympathizer".
I don't necessarily agree, but that's just how it is.
And some of us are mad at Google and Apple for selling such insecure-by-design junk. By that I mean that apps are trusted more than (and can't fully be controlled by) device owners.
I don’t think the trust policy has much to do with this. At the end of the day, an app exploit is an app exploit, and if an app can make calls, an app exploit will be able to make calls too. As long as the exploit is not allowed to burrow in the OS proper, it likely wouldn’t be any different on Linux or a BlackPhone.
I guess. But as I understand it, it's much harder to lock down apps on phones than on Linux. Users can't directly control networking, for example. And have zero insight or control over the cell modem. Even doing a real firewalled VPN on smartphones is virtually impossible. And I don't believe that one can do VirtualBox or KVM or whatever virtual hosting on them.
> This is a private company with international investors.
Knowing nothing about the company in question, I'm still certain that most of its founders, investors and employees come from 8200. So, government doesn't need to be formally involved in any way, it's just the same social circles, everybody just knows everyone.
What do you even mean by "international terrorists"? Is it what your government calls "international terrorists"? If so, then by definition they differ from, say, Al-Qaeda by the fact, that they are considered an ally by the USA (well, that, and that they have more resources).
Otherwise, it is your choice, whether you need a distinction like that. I don't see how it might be useful.
As another Israeli - certainly a good thing. For a nation in our position, in a deeply hostile region, where a major military defeat is certain to be genocide, doing everything possible for national defence is the only way possible to survive. Stuxnet in particular is something that I'm extremely proud of.
You say this as your country is invading and occupying land that doesn’t belong to them and murdering innocents to drive them out. Yeah, nice way to be proud.
True, but there is a difference between 'my ancestors have done this' and 'some of the taxes I'm paying are going into continuing the occupation; I've voted for the people who are ordering the air strikes'. There's fewer countries where that's true today.
It is the interpretation of all of the international community except for the US and Israel. The UN has repeatedly voted to recognize this, often being blocked by the US. There is no real controversy on this.
I'm well aware of UN position on Israel, I just don't understand how anyone who knows how this organization operates can pretend it represents "international community" or has any moral authority.
So when you say that stating there are no boundaries is a good thing for Israel, would you have held that same view in the 1930's and 1940's when most of Europe was busy trying to resist another organisation that also did not believe in boundaries?
Read the Wikipedia entry on Stuxnet [1] for more details.
> Stuxnet targets SCADA systems and is believed to be responsible for causing substantial damage to Iran's nuclear program. Although neither country has openly admitted responsibility, the worm is believed to be a jointly built American/Israeli cyberweapon.
You're talking about a government that has a long track record of assassinating and abducting people in other countries, including Western liberal democracies.
Please don't break the site guidelines by feeding trolls or taking threads further into flamewar. That only makes this place worse.
Instead, flag the comment. Other users did that, which killed the comment and alerted us so we could ban the account. In egregious cases, you can also let us know about it at hn@ycombinator.com.
I'm not sure what can be done nowadays. In the past you would say, format disks and go back to a backup before the threatening event happened. But nowadays all our stuff is in the cloud and you can only go back to the state from 10 minutes ago, and all our disks are flash drives that you can't fully format as an end user. Maybe you can just accept that some viruses will always be there and act accordingly.
Would be nice to have a tool that everyone on the planet could use to run against those backups and find a common source of the infections, along with an idea of when it was found in the wild.
No one has confirmed whether they were able to install anything beyond the confines of the app on iOS. The press are not particularly qualified to evaluate that consideration and have been doing a poor job of blurring what’s unlikely/impossible on iOS with what’s likely/possible on Android.
The secure enclaves on Android smartphones have a poor track record. Even the top-of-the-line manufacturers have seen published hacks of their TEE environments, and those are usually just the tip of the iceberg. Android is incomparable to Apple's platform in this regard. (I'm not trying to argue the iPhone is unhackable, though.)
I still agree that's an issue and I'm wondering if the Titan M chip is going to be a Google exclusive or if it's going to be licensed to other OEMs at some point.
That might be enough for what they are doing. At least it will allow them to spy on WhatsApp messages and parts of the system that WhatsApp can access (contacts etc.)
What about Wechat? There are lots of seemingly pretty girls trying to voice or video call these days. Either I'm suddenly rich in their eyes or there's something fishy going on.
Name a chat app and I can provide a link or comment from someone saying the same thing about pretty scam girls. Facebook, WhatsApp, Gmail, Kik, Snapchat, Instagram, and even BBSes, AOL, IRC etc...
What I saw on FB is automatic replies from bots. What I know from Skype are African boys who try to earn their next beer in an internet cafe by pretending to be a girl. I can confirm it's all not that.
My gut tells me no. Signal switched over to using the Signal Protocol for call signaling. It had used a few different signaling standards over the years (when it used to be called Redphone).
However, it's impossible to really know for sure as the server component for calls is a proprietary black box.
Agreed. It seems more plausible that the "injected code" would be limited to (1) the WhatsApp app, and (2) the infrastructure outside of the Signal Protocol implementation. If true, this still poses a problem to comms/calls secured end-to-end with the Signal Protocol impl - because once decrypted on the client, the rest of the WhatsApp app may be compromised and able to exfil comms.
I will be surprised if this vuln allows the attacker control outside of the WhatsApp app sandbox to other parts of iOS.
(I will be less surprised if the above is possible in Android)
> However, it's impossible to really know for sure as the server component for calls is a proprietary black box.
I thought that changed after migrating to WebRTC? Although I haven't tried to spin up my own Signal server, modify the APK and see what works and doesn't work.
Apple won't let you change a changelog after the binary is built and put on the store. So if you want to get a fix out, but not alert people that you're on to them, you have to put out a changelog that just says something like "Bugfixes". Then you have to build another build and submit another changelog, but Apple probably won't let you issue builds that are duplicates...
Spooky. I just travelled to Israel and this evening, at around 3 AM, iOS notified me that WhatsApp had been accessing my location in the background, which I had never seen before except when sharing my location with a friend.
Updated WhatsApp on my iphone just now. The version I got was 2.19.50. According to the CVE it's still vulnerable. Unable to get 2.19.51 which is the first fixed version. Is this just me? Or is everyone else updating to a still-vulnerable version?
You need to go to the app store app, then the updates tab and pull down to refresh(yes, the updates tab, not WhatsApp listing in the store). When you do that, you'll see the newest version becomes available for update. This happens whenever an update is set to phased release and hasn't reached 100% yet.
The news outlets are all telling us to update, but until WhatsApp/Apple get their act together, there's no point. Worse still, people won't realise they need to do it again and will remain vulnerable indefinitely.
The problem is iOS AppStore.
If you update via the "Updates" tab, you don't get the latest version.
But if you search for WhatsApp as if installing it for the first time, then you get the new version.
Isn’t every article about this saying it persists, without saying how or whether it’s a sandbox escape? If it just spins up bad code in WhatsApp space, that’s sufficient to spy on you.
Cellular broadband modems are running a tiny OS that can be hacked by sending SMS messages with a carefully crafted NUL byte. Battlestar Galactica’s “no networking, no wireless” computer restriction exists for a very good reason.
I took it out because the thread was veering into generic flamewar about Israel. Actually we often remove country names from titles because they trigger people into making more nationalistic comments, which are equal parts indignant and boring.
That's a bit of a pathetic policy if you ask me. In my opinion a country who permits this type of behaviour shouldn't be shielded from the ensuing negative press. If anything it might encourage otherwise unaware citizens to put pressure on the government to do something about it.
I hear you. I agree with your second sentence. But I'm trying to protect HN, not Israel or anyone else. This place is fragile, and when people bring the fires of the world here, it can only take so much.
I wouldn't call that kind of title edit (taking out a country name) a policy. We have an ad hoc bag of tricks and sometimes we use one and sometimes another, depending on what feels needed. Do I know how unsatisfying that sounds? You bet. Do I get how it opens us to accusations of bias? I do, better than anyone else does. But the threads are too complicated to be managed with precise formalizations.
Dan, you know what would be cool for HN comments? The ability for each node of a thread to be annotated with topic names. For example, if the node close to the root node here were to be labelled "Israeli politics", I, a user interested in the technical aspects of the topic, can immediately avoid it. This feature will be a killer feature for all topics that have divergent sub-threads! (I haven't thought further than just the annotation by end user feature - so, whether it ought to be at user level or a global one ... I don't know). :-D
OT, but scroll down with “showdead” and it should become apparent exactly why. It is HN trying to promote substantive discussion on the topic without devolving into flame war.
WhatsApp voice calls used to inject Israeli spyware on phones
Messaging app discovers vulnerability that has been open for weeks
NSO's Pegasus software can allegedly penetrate any iPhone via one simple missed call on WhatsApp
Mehul Srivastava in Tel Aviv MAY 13, 2019
A vulnerability in the messaging app WhatsApp has allowed attackers to inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said.
WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function.
The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack.
WhatsApp is too early into its own investigations of the vulnerability to estimate how many phones were targeted using this method, a person familiar with the issue said.
As late as Sunday, as WhatsApp engineers raced to close the loophole, a UK-based human rights lawyer’s phone was targeted using the same method.
Researchers at the University of Toronto’s Citizen Lab said they believed that the spyware attack on Sunday was linked to technology developed by NSO, which was recently valued at $1bn in a leveraged buyout that involved the UK private equity fund Novalpina Capital.
NSO’s flagship product is Pegasus, a program that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data.
NSO advertises its products to Middle Eastern and Western intelligence agencies, and says Pegasus is intended for governments to fight terrorism and crime.
In the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones.
WhatsApp said that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability. It began rolling out a fix to its servers on Friday last week, WhatsApp said, and issued a patch for customers on Monday. The US Department of Justice has also begun looking into the situation.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said. “We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”
NSO said it had carefully vetted customers and investigated any abuse. Asked about the WhatsApp attacks, NSO said it was investigating the issue.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said. “NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual [the UK lawyer].”
NSO declined to comment on whether it had hacked WhatsApp’s messaging service, and marketed the technology to clients, or on the US DoJ inquiry.
The UK lawyer, who declined to be identified, has helped a group of Mexican journalists and government critics and a Saudi dissident living in Canada, sue NSO in Israel, alleging that the company shares liability for any abuse of its software by clients.
John Scott-Railton, a senior researcher at the University of Toronto's Citizen Lab, said the attack had failed.
“We had a strong suspicion that the person’s phone was being targeted, so we observed the suspected attack, and confirmed that it did not result in infection,” said Mr Scott-Railton. “We believe that the measures that WhatsApp put in place in the last several days prevented the attacks from being successful.”
Other lawyers working on the cases have been approached by people pretending to be potential clients or donors, who then try and obtain information about the ongoing lawsuits, the Associated Press reported in February.
“It's upsetting but not surprising that my team has been targeted with the very technology that we are raising concerns about in our lawsuits,” said Alaa Mahajne, a Jerusalem-based lawyer who is handling lawsuits from the Mexican and Saudi citizens. “This desperate reaction to hamper our work and silence us, itself shows how urgent the lawsuits are, as we can see that the abuses are continuing.”
On Tuesday, NSO will also face a legal challenge to its ability to export its software, which is regulated by the Israeli ministry of defence.
Amnesty International, which identified an attempt to hack into the phone of one its researchers, is backing a group of Israeli citizens and civil rights group in a filing in Tel Aviv asking the ministry of defence to cancel NSO’s export licence.
“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” said Danna Ingleton, deputy director of Amnesty Tech.
“The Israeli ministry of defence has ignored mounting evidence linking NSO Group to attacks on human rights defenders. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.”
Copyright The Financial Times Limited 2019. All rights reserved.
I'm not claiming consistency. For one thing, we don't come close to seeing everything that gets posted here. If you see a particularly bad post get away without moderation, the likeliest explanation is that we didn't see it. We can't be consistent about what we don't see.
There are a ton of other considerations, though, and it gets complicated quickly. I'm always happy to discuss specific cases, but general arguments are another matter. Sometimes it feels like people want us to make general arguments so they can find exceptions and then say things like "aha" and "your obvious bias" and "figures". But we don't have general policies about such complicated things. We have basic principles and that's it: https://news.ycombinator.com/newsguidelines.html.
If you don't think we've been trying to reduce nationalistic flamewar about China and Russia, you could try looking at HN threads on those topics. I don't know anything I've been working at harder lately. On the other hand, there's 100x more of those, especially on China, so cf. the first paragraph above.
If so, then maybe you can explain why you didn't change "Israel’s Beresheet Spacecraft Moon Landing Attempt Appears to End in Crash" and "A private spacecraft from Israel will attempt a moon landing Thursday" to "Private Spacecraft Moon Landing Attempt Appears to End in Crash" and "A private spacecraft will attempt a moon landing Thursday" respectively?
I think your attempt at reducing nationalistic flame wars is very misguided, because I want to read what people think. If HN readers want to flame each other then I would like to have the chance to read the flames even if I'd likely scroll past them. But if you are going to do it, at least be consistent.
In one case I didn't see the article and in the other it didn't cross my mind. But also, that topic isn't so highly charged, and I didn't see nationalistic flamewar getting in there.
You're asking for a level of consistency in moderation that we can't deliver. I'd have to hold 100x more information in my head to come up with a consistent set of principles that would cover everything we do. Such a set would be inordinately complicated and impossible to explain or defend, so what would be the point.
> I want to read what people think.
Me too. But you can't read everything people think, because comments influence what gets posted in response. If a discussion becomes a flamewar, you're going to get the angry thoughts of the flamers, but lose the thoughts of those the flames drive away. It's a tradeoff—we can't have both. On HN the non-flamey, thoughtful comments take precedence, because that's the only way to optimize for HN remaining interesting. This is one area where I think we really are consistent, or at least I hope we are.
Look at it this way: each post changes the kind of site HN is. The container isn't static—it's altered by what people add to it. Our goal is optimize that container for curiosity. This is a global optimization problem, so it's important not to get distracted by local optima. Our experience with things like nationalistic flames is that while such comments are sometimes interesting (and certainly the topics are of great world significance), the type of discussion they lead to is reliably worse. What we do is: extrapolate the vector of a given comment and ask what its shaping influence is on the site as a whole. Is it to make HN more, or less, interesting? Where more, we either do nothing or steer towards; where less, we steer away. In the case of flamewars, steering away means doing things to prevent the flames from spreading. There are various tools for that—digging trenches, pouring water, etc. Picking which to use where is more of an art and I wouldn't say we're particularly consistent on that level. But the fundamental principle is very consistent—there's only one, and it motivates literally everything we do here.
> In one case I didn't see the article and in the other it didn't cross my mind. But also, that topic isn't so highly charged, and I didn't see nationalistic flamewar getting in there.
They are right there, in light-gray color at the bottom of the respective articles. Now that you have been made aware of the problem, will you change those articles' titles? I don't understand how you can claim one title is "baitsy" while the other two examples are not.
But isn't it also baity to use 'used to'. My first reaction now was that WhatsApp itself has been inserting spyware into their phone calls, but no longer is (=used to), yet after reading the (non-paywalled) article I now see that a vulnerability in their signaling protocol has been used by others (=used to) to allow remote code injection.
Removing the creator of the spyware part from the title now causes the blame of the spyware to shift to WhatsApp, which is incorrect.
This is the same country that has a secret nuclear stockpile (developed in partnership with Apartheid South Africa) with plans to use the threat of bombing their European "allies" as blackmail.
The "Samson Option" is a conspiracy theory that if Israel is ever at the brink of destruction it will nuke Europe and America. It is a conspiracy theory based on the ramblings of one Israeli historian and one American author.
Israel has nuclear weapons and its MAD policies are probably the same as other nuclear powers.
It's funny because Putin has actually said that Russia will end up destroying the entire world in retaliation if Russia is ever attacked with nuclear weapons. But for some reason you don't see this quote get the same attention as the "Samson Option".
‘Why would we want a world without Russia?'
Days later, he reiterated his stance, implying that nuclear war — a “disaster for the entire world” — would be a response to a major attack against Russia: “as a citizen of Russia and the head of the Russian state, I must ask myself: ‘Why would we want a world without Russia?'”
> Israel has nuclear weapons and its MAD policies are probably the same as other nuclear powers.
But with a much more controversial relationship with its neighbours, whose land it illegally occupies, and state policies that are compared to apartheid policies.
Maybe that would explain the mysterious WhatsApp voice call I received about a week ago in the middle of the night from an unknown number? It's still in the history so maybe that means it didn't work?
I am not an expert on RCEs whatsoever but my limited knowledge / gut feeling tells me that one works by after a buffer overflow flipping some bits and
* invoking syscalls
* using (known) kernel vulnerabilities
* libc bugs
* exploiting buggy posix abstraction, etc.
However, here all platforms seem to be exploited, regardless of kernels (darwin/linux/windows), process models, libc implementations etc.
I cannot unthink that this was simply doable because WhatsApp already had code paths to place and run tasks/processes, and this exploit works on this higher level.
Google's Project Zero team investigated WhatsApp's and Facetime's video conferencing last year:
"Overall, WhatsApp signalling seemed like a promising attack surface, but we did not find any vulnerabilities in it. There were two areas where we were able to extend the attack surface beyond what is used in the basic call flow. First, it was possible to send signalling messages that should only be sent after a call is answered before the call is answered, and they were processed by the receiving device. Second, it was possible for a peer to send voip_options JSON to another device. WhatsApp could reduce the attack surface of signalling by removing these capabilities."
"Using this setup, I was able to fuzz FaceTime calls and reproduce the crashes. I reported three CVEs in FaceTime based on this work."
WhatsApp: https://googleprojectzero.blogspot.com/2018/12/adventures-in...
Facetime: https://googleprojectzero.blogspot.com/2018/12/adventures-in...
In both cases, the closed source nature of the applications stymied their efforts. Looks like NSO was willing to spend more time and resources!
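The two comments above touch on two separate weaknesses: a length-unchecked copy (the buffer-overflow guess) and Project Zero's observation that signalling messages which should only be accepted after a call is answered were processed before it was answered. The following is an added illustration, not WhatsApp's code and not from either linked write-up. The message layout (type byte, declared length byte, payload), the message names, the struct and the return codes are all constructed for the example; nothing in the thread describes the real wire format. It puts a handler that trusts the peer's declared length and ignores call state beside a hardened one that rejects a declared length larger than what was received or than the destination buffer, and refuses post-answer message types while the call is still ringing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, hypothetical signalling message layout (not WhatsApp's real
 * wire format, which nothing in this thread describes):
 *   byte 0    : message type
 *   byte 1    : N, the sender-declared length of the payload that follows
 *   bytes 2.. : payload
 */
enum { MSG_OFFER = 1, MSG_ANSWER = 2, MSG_MEDIA_PARAMS = 3 };
enum { CALL_RINGING = 0, CALL_ANSWERED = 1 };

#define PARAM_BUF 16
#define CANARY_LEN 4

/* The 16-byte parameter buffer and a 4-byte canary share one array, so an
 * overflow of the buffer lands on the canary while staying inside a single
 * object: the demonstration is well-defined C and needs no sanitizer. */
struct call {
    int state;
    uint8_t mem[PARAM_BUF + CANARY_LEN];
};

static const uint8_t CANARY[CANARY_LEN] = { 0xde, 0xad, 0xbe, 0xef };

void call_init(struct call *c)
{
    memset(c, 0, sizeof *c);
    c->state = CALL_RINGING;
    memcpy(c->mem + PARAM_BUF, CANARY, CANARY_LEN);
}

int canary_intact(const struct call *c)
{
    return memcmp(c->mem + PARAM_BUF, CANARY, CANARY_LEN) == 0;
}

/* Vulnerable handler: trusts the declared length and ignores call state, so a
 * media_params message is acted on even before the call is answered. */
int handle_unsafe(struct call *c, const uint8_t *msg, size_t len)
{
    if (len < 2) return -1;
    uint8_t type = msg[0], n = msg[1];
    if (type == MSG_ANSWER) { c->state = CALL_ANSWERED; return 0; }
    if (type == MSG_MEDIA_PARAMS) {
        memcpy(c->mem, msg + 2, n);    /* n is peer-controlled and never checked */
        return 0;
    }
    return 0;
}

/* Hardened handler. Returns -1 if the declared length exceeds the bytes
 * received, -2 if the payload would not fit the buffer, -3 if the message
 * type is not valid in the current call state. */
int handle_safe(struct call *c, const uint8_t *msg, size_t len)
{
    if (len < 2) return -1;
    uint8_t type = msg[0], n = msg[1];
    if (type == MSG_ANSWER) { c->state = CALL_ANSWERED; return 0; }
    if (type == MSG_MEDIA_PARAMS) {
        if (c->state != CALL_ANSWERED) return -3;
        if ((size_t)n > len - 2) return -1;   /* len >= 2 here, no underflow */
        if (n > PARAM_BUF) return -2;
        memcpy(c->mem, msg + 2, n);
        return 0;
    }
    return 0;
}

/* Constructed hostile message: media_params declaring 20 payload bytes
 * against a 16-byte buffer; the trailing 'B's are what land on the canary. */
const uint8_t HOSTILE_MSG[22] = {
    MSG_MEDIA_PARAMS, 20,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'B','B','B','B'
};
const size_t HOSTILE_LEN = sizeof HOSTILE_MSG;

/* Constructed truncated message: declares 8 payload bytes but carries 2. */
const uint8_t TRUNCATED_MSG[4] = { MSG_MEDIA_PARAMS, 8, 'x', 'y' };
const size_t TRUNCATED_LEN = sizeof TRUNCATED_MSG;

/* Feeds one message to the chosen handler on a fresh call (optionally already
 * answered) and returns the handler's result code. */
int rc_for(int use_safe, int answered, const uint8_t *msg, size_t len)
{
    struct call c;
    call_init(&c);
    if (answered) c.state = CALL_ANSWERED;
    return use_safe ? handle_safe(&c, msg, len) : handle_unsafe(&c, msg, len);
}

/* Same, but reports whether the canary survived (1) or was overwritten (0). */
int canary_survives(int use_safe, int answered, const uint8_t *msg, size_t len)
{
    struct call c;
    call_init(&c);
    if (answered) c.state = CALL_ANSWERED;
    if (use_safe) handle_safe(&c, msg, len); else handle_unsafe(&c, msg, len);
    return canary_intact(&c);
}

int main(void)
{
    printf("unsafe, ringing : rc=%d canary=%d\n",
           rc_for(0, 0, HOSTILE_MSG, HOSTILE_LEN), canary_survives(0, 0, HOSTILE_MSG, HOSTILE_LEN));
    printf("safe, ringing   : rc=%d canary=%d\n",
           rc_for(1, 0, HOSTILE_MSG, HOSTILE_LEN), canary_survives(1, 0, HOSTILE_MSG, HOSTILE_LEN));
    printf("safe, answered  : rc=%d canary=%d\n",
           rc_for(1, 1, HOSTILE_MSG, HOSTILE_LEN), canary_survives(1, 1, HOSTILE_MSG, HOSTILE_LEN));
    return 0;
}
```

The state check matters independently of the bounds check: even with the length fixed, letting a ringing call process media parameters means an unanswered (and, per the article, possibly log-less) call already exercises the parser, which is exactly the extra attack surface Project Zero asked WhatsApp to remove.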