WhatsApp's Massive Security Flaw Serves To Remind Us The Limits Of Consumer Encryption Apps - Forbes

WhatsApp's Massive Security Flaw Serves To Remind Us The Limits Of Consumer Encryption Apps - Forbes

WhatsApp's Massive Security Flaw Serves To Remind Us The Limits Of Consumer Encryption Apps - Forbes

Posted: 24 May 2019 12:00 AM PDT

WhatsApp logo.

Getty

Facebook acknowledged last week a massive security vulnerability in its WhatsApp messaging software that allowed a commercial spyware company to install surveillance software on victims' phones merely by calling them. Exploiting a standard buffer overflow vulnerability in WhatsApp's call answering stack, the security issue was particularly devastating, allowing arbitrary remote code execution. While the vulnerability itself was quickly fixed, its existence in Facebook's marquee encrypted communications application reminds us that despite all of their marketing hype, consumer grade encrypted messaging apps are not necessarily as safe as the public might expect them to be.

The vulnerability afflicting WhatsApp was as mundane and common as they get in the cyber world: a simple buffer overflow exploit. Its location in the software's call answering stack, however, made it particularly devastating, meaning victims could be infected simply by having a malicious actor know their phone number, even if they didn't actually pick up the call. Worse, after infecting the user's device, the malware could erase all traces of the user even having received an unusual call.

While confirming the attack, Facebook offered few other details other than to recommend that users upgrade to the patched version of the client application immediately.

Given that samples were captured of at least some of the spyware variants that were known to be installed on victims' phones, this raises the question of whether Facebook would be making available a malware removal tool that would scan users' devices for the known malware. While this would remove only the previously identified spyware tools, it would at least offer users some peace of mind.

Asked whether the company would be distributing such a malware scanning tool as an option for concerned users, the company confirmed that it would not. Asked how users themselves might be able to determine whether they had been affected, especially those in high-risk communities, the company confirmed that there was no straightforward way to determine whether they had been compromised and that Facebook would not be providing any assistance to WhatsApp users to determine this.

Facebook's refusal to help its users is far from usual. Most consumer software includes legal clauses expressly disavowing any responsibility for damage to the user's device and few companies are willing to step forward to help users recover from a cyber incident without charging substantial fees.

Yet the biggest story is not that WhatsApp had a buffer overflow vulnerability or that a malicious actor actively exploited that vulnerability to install spyware on users' devices.

The real story is that this incident reminds us that consumer grade encrypted communications software is far from the hardened military protection that the general public often associate with them given the companies' own marketing campaigns.

Facebook has relentlessly touted WhatsApp as a security-first communications platform that offers "secure messaging" for "your most personal moments." The company's marketing literature heavily emphasizes WhatsApp's security features, touting its "secure" design and even recommending it for use by "airlines, e-commerce sites and banks," creating the impression of a highly secured enterprise application.

Nowhere on the main pages of WhatsApp's website is there a big bold disclaimer that it is a consumer application that should not be used for sensitive communications. In fact, quite the opposite unless one wades through the lengthy legalese of its terms of service document.

To the general public, WhatsApp might seem the perfect way to secure all of their communications. After all, if their encrypted web browser is safe enough to manage their bank account, an end-to-end encrypted messaging app touted as "secure messaging … [for] your most personal moments" and built by one of Silicon Valley's biggest internet companies must surely be as secure as they get.

The reality is that WhatsApp is still a consumer grade application. While any software may have vulnerabilities, the kinds of security reviews and rigorous testing that help ensure the security of military communications systems are simply not investments that companies are willing to make for free consumer software like WhatsApp.

This is not to say that WhatsApp is any less secure than any other encrypted messaging app, but rather that companies like Facebook need to be more upfront with their users to help them understand that these are still only consumer grade applications.

Of course, the past year's parade of security breaches has shone a harsh light on Facebook's relatively lax approach to the security of its products as a whole and a lack of rigor in its auditing and security review practices.

Asked how Facebook would respond to concerns that perhaps it has overhyped the "secure" nature of WhatsApp to the public and that it is not sufficiently investing in the security of its products, the company emphasized that it had corrected the vulnerability in question but did not comment directly on whether it agreed that there could be a mismatch between the company's portrayal of WhatsApp's security and the reality of it being a consumer product.

Putting this all together, last week's WhatsApp story reminds us once again that despite the plethora of encrypted and "secure" messaging applications available today, the majority are still consumer grade products that lack the same rigorous design and testing as the kind of military-grade software that consumers could be mistaken for thinking of them as given the marketing that surrounds them.

In the end, perhaps the WhatsApp breach might serve as a lesson to companies to be more forthcoming about the limitations of their software and to do more to help consumers recover from breaches. Unfortunately, that is unlikely to happen anytime soon.

Using secure chat is a moral imperative, and iMessage is my best option - The Verge

Posted: 13 Jun 2019 12:00 AM PDT

After years of refusing to turn on iMessage — even when I'm using an iPhone — I have flipped that little toggle button to on, and I don't know when (or if) I'll ever be able to turn it off again.

The decision to use iMessage is super minor for the vast majority of people, especially in America where Apple's messaging service has its strongest base of usage. But for me, it's extremely consequential and sadly informative about the state of messaging in this country.

My decision to flip on iMessage (and deal with the effects of that action, which I will get to) wasn't because of blue-bubble social pressure; that somehow turning on iMessage would subtly make it more likely that my own family talks to me more. It wasn't because iMessage is a better product than other chat apps — although it very much is from a regular user perspective. And it wasn't that I love Animoji.

It's simply this: I have come to believe that using a secure chat app is increasingly a moral imperative, and I have failed utterly and completely to convince enough people in my social network to switch to a third party, end-to-end encrypted chat app. Since I can't get my network to use something else, I owe it to them to use the thing they can't switch away from.

For the past few years, I've left iMessage off to make it easier for me to bounce between iPhones and Android phones. I review phones for a living, and so I need to switch phones a lot and prefer not to carry two of them around. Although Apple has made it slightly easier to turn iMessage off, there are still a ton of hassles involved. For me, it was better to just never use it and therefore never feel locked into Apple's ecosystem.

When I finally weighed the annoyance of carrying two phones against the worry that my contacts weren't using a private and secure chat method with me, privacy and security won.

More than anything else, this is my personal indictment against Google for utterly failing to come up with a viable alternative to iMessage for Android users. Yes, there are many successful chat apps used around the world on Android. But, again, in the US the chat app with the strongest network effect is iMessage.

Name a messaging app, and I have used it and tried to get my friends and family to try it. Most will gamely give it a shot, but most people on iPhones don't want to deal with a folder of chat apps and remembering which contact uses which app. They just want to tap the icon that says "Messages" and send messages.

And I have to admit that iMessage is great. It works seamlessly across multiple Apple devices, including the Apple Watch. It's fast, reliable, extensible, secure, and simple. It is everything that Google could have had if it hadn't frittered GChat away into Hangouts and then into I don't even know what. It's maddening because as big as the network effect for iMessage in the US may be, it is nothing compared to the potential network effect of Android, which has over 80 percent of the global smartphone market.

But Google isn't trying to leverage that market power — in fact, it seems like it is afraid to do so. Instead, it has chosen to act as though that power isn't real, perhaps in order to avoid even more antitrust scrutiny. It's a reasonable thing to be worried about, but it still sucks. Instead, Google is letting the phone carriers drive, with all-too-predictable consumer-hostile results.

Just over a year ago, Google revealed its plan for messaging to me: it was going all-in on RCS, the next-generation protocol designed to replace SMS. The rollout of RCS has been slow — very few people have actually seen the word "text" turn to "chat" in their messaging app, which is the subtle indication that the conversation is now happening over RCS. It happens not just carrier by carrier, but phone by phone.

What's worse: RCS is not end-to-end encrypted. It follows the same rules as standard SMS text messages. Providers can keep copies in their servers, fully readable by anybody with access to them, fully available to any government that successfully issues a subpoena.

Google has, in effect, ceded the entire market after years of self-inflicted failures in messaging. This year, at Google I/O, the head of Google's communications group Hiroshi Lockheimer admitted that he was dissatisfied with the pace of adoption for RCS. He also suggested that it would be possible to layer end-to-end encryption on top of RCS at some point in the future.

Unfortunately for Android users, broader adoption of RCS and the glimmer of hope that it might be secure by default someday are both in the hands of the carriers. Those carriers have other priorities vying for their attention: mergers, 5G, and television services to name but three.

As the cliche goes, I don't think I have anything to hide from any government (though, as a journalist, I suspect that's not entirely true). But as the cliched response goes: that's not the point. Everybody deserves and should expect a basic level of privacy protections, and end-to-end encrypted chat should be the rule, not the exception. Privacy isn't just for people savvy enough use the right app or flip the right button.

It should be simple. It should be easy. It should be the default. That, if nothing else, is the genius of iMessage. I hate the lock-in. I hate that it co-opts text messaging in such a way that invisibly opts Apple users in without their active choice. I hate that it's only available on Apple products. But I love that iMessage makes it easy for my friends and family to have a default-secure way to text me. That is why I switched.

My preferred texting app is Signal, but the barrier to get iPhone users in the US to switch is still too high. Which is a remarkable thing to say, because I don't know how it could get much lower: you install a free app and you plug in your phone number. Done and done.

I don't think I could argue from a legal perspective that iMessage counts as some kind of monopolistic lock-in, but from an everyday perspective it certainly feels like one. It is the power of the default, and if you wanted to draw parallels to concerns about the default browser on Windows in the '90s or on Android phones in the EU today, I wouldn't strenuously argue against you.

As for me, I have committed to having an iPhone in my pocket for the foreseeable future. That doesn't mean I won't also have an Android phone in another pocket (I usually will). I'm privileged to be able to make that choice, but there are millions of people who — for whatever reason — cannot switch from Android to iPhone. That's why I have argued that although there isn't a business case for bringing iMessage to Android, there is a moral one.

Three years ago, my friend Lauren Goode wrote about her inability to switch away from the iPhone, calling iMessage the glue that kept her stuck. For me, the appropriate metaphor isn't glue but rather gravity: I got pulled back down to it.
-

Comments

Post a Comment

Popular Posts

6 Anti-forensic techniques that every cyber investigator dreads | EC-Council Official Blog - EC-Council Blog

Image
6 Anti-forensic techniques that every cyber investigator dreads | EC-Council Official Blog - EC-Council Blog 6 Anti-forensic techniques that every cyber investigator dreads | EC-Council Official Blog - EC-Council Blog 5 best TrueCrypt alternatives | Encrypt your computer with these apps - proprivacy.com The Best Way to Encrypt Email in Outlook - Security Boulevard 6 Anti-forensic techniques that every cyber investigator dreads | EC-Council Official Blog - EC-Council Blog Posted: 23 Nov 2019 12:00 AM PST Anti-forensic techniques can make a computer investigator's life difficult. From committing fraud in an organization to stealing crucial data, cybercriminals can perform a wide range of nefarious activities. In some cases, these perpetrators try to cover their tracks by deleting browser history, cache memory, and even cookies. But with an upward trend , it is now much convenient for cyber attackers to use already progr...
Read more

Harry Dunn's parents to meet Anne Sacoolas as immunity row continues - The Guardian

Image
Harry Dunn's parents to meet Anne Sacoolas as immunity row continues - The Guardian Harry Dunn's parents to meet Anne Sacoolas as immunity row continues - The Guardian Posted: 13 Oct 2019 06:58 AM PDT Anne Sacoolas, the wife of a US intelligence official who was involved in the road collision that killed 19-year-old Harry Dunn, has agreed to meet with his grieving parents and cooperate with a British police inquiry. But amid continuing questions over her right to diplomatic immunity, it is not clear if she will return to the UK to fulfil a promise to answer police questions about her role in the car crash. The reversal of position on a meeting appears to have come after lawyers specialising in diplomatic immunity started to advise Dunn's parents last week, leading them to say they would pursue Sacoolas in the US courts for a civil claim. Mark Stephens, one of the legal specialists advising the parents, told the Guar...
Read more

A Look At Blockchain Smartphones Available Now - I4U News

Image
A Look At Blockchain Smartphones Available Now - I4U News A Look At Blockchain Smartphones Available Now - I4U News Posted: 09 Oct 2019 06:19 AM PDT There is probably no one in the world who has not heard of cryptocurrencies. In the past few years, the general public's awareness of the likes of Bitcoin and Ethereum has skyrocketed. This has happened to such a degree that there are literally millions of us using Bitcoin wallets offered by Luno and other well established names in the industry. On the other hand, blockchain is not necessarily that well known and its capabilities maybe a little less. So although we know that blockchain is the basis of cryptocurrencies, many of us know little more than that. Anyways, this technology is extremely adaptable and is being applied to many industries/sectors from health to disaster recovery. So that it will come as no surprise that blockchain is shifting its attention to mobile. This has resul...
Read more