WhatsApp has endured a difficult 2019 on the security front, with stories of nation-state hacking campaigns and multiple vulnerabilities, even as it battles with governments and their agencies over its insistence on end-to-end encryption. And now, just as the year draws to a close, there’s news of yet another security threat that has compromised the integrity of the platform. The risk this time is from specially crafted “app killing” messages that crash WhatsApp severely enough that users are taken offline and may find it difficult to recover.
Are you at risk?
WhatsApp has patched the issue—it did so in September when it was first privately disclosed by cybersecurity researchers at Check Point. But if you have not installed a new release since before that time, you remain at risk. Check Point “urges all WhatsApp users to update to the latest version of the app immediately.” WhatsApp also maintains that the threat is obscure, never likely to impact users in the real world. In this they are wrong and have missed the reason the issue is so important and carries such potentially critical risk.
To understand why that’s the case, let’s look at the threat itself and how it works. The exploit is unnervingly simple. It relies on two separate security vulnerabilities in WhatsApp, both now patched. The first is that any user could be added to a group without needing to consent; that user then receives messages sent to the group. The second is that the metadata built into a message can be manipulated to break the WhatsApp phone app when that message is received. Combine the two vulnerabilities and you have a frightening new attack vector.
Let’s look at how a nation state bad actor might exploit such a vulnerability. If I have the phone numbers of a group of reporters or activists or dissidents, I can add those numbers to an unwanted group and then send that group an “app killing” message. I would do that all at the same time. The first a target would know of the threat is when an innocuous, likely socially engineered “WhatsApp Killing” message is received. As soon as that message is opened, WhatsApp will crash, failing to restart until it is deleted and reinstalled. If users don’t have current backups then their data will be lost. I could mount this attack ahead of a protest or political event, or I could use it to take one or more individuals offline.
Check Point researcher Oded Vanunu explained to me that these “app killing messages” present a critical risk: “denial of service scenarios have been seen before on WhatsApp,” he said, “but not where you need to uninstall the app. This is very aggressive. Users who do not back up will lose everything. Users that are not technical won’t be able to activate WhatsApp any more.”
A WhatsApp spokesperson told me that the platform “greatly values the work of the technology community to help us maintain strong security for our users globally—we quickly resolved this issue for all WhatsApp apps in mid September. We have also recently added new controls to prevent people from being added to unwanted groups to avoid communication with untrusted parties altogether.”
WhatsApp either doesn’t know or won’t share the percentage of its vast user base that has shifted onto patched versions of its apps. This issue seems to hit Android rather than iOS. But the advice to ensure your messaging platforms are always up to date should be followed by all users on all platforms.
This issue also highlights the vulnerability of groups. Most of us now belong to countless groups—large and small. And many of those groups have growing or changing memberships. It’s worth being mindful of how many groups you belong to—especially groups you don’t recognise or no longer use—and of how those groups are administered, and even checking periodically on those membership lists.
How does it work?
The latest vulnerability can be seen in Check Point’s proof of concept video and messaging screenshot below, with the group chat message manipulated with erroneous metadata. When WhatsApp fails to process that data, it is forced into a crash loop impacting all group members. There is no way out. “The group chat cannot be restored and needs to be deleted.” The app itself must be reinstalled.
The team at Check Point has made deconstructing WhatsApp security something of a speciality. Vanunu told me they research WhatsApp protocols “because its infrastructure allows malicious users to manipulate messages and distribute fake news—we wanted to understand how this is possible on an encrypted platform.” The team says WhatsApp provides “threat actors with an additional weapon in their arsenal to leverage the messaging platform for their malicious intentions.”
“By sending this message,” Check Point explains, “the WhatsApp application will crash in every phone that is a member of this group.” Worse, the crash will repeat every time the app is reopened, forcing all users to delete the app and then reinstall it. Beyond the communications denial of service, once you know a user has been pushed from one platform you can mount an attack on another. “Say I want to infect you,” Vanunu tells me. “I know my infection exploit only works on SMS, so I DoS your WhatsApp, and then phish you with an SMS to infect you.”
This isn’t the first time
This latest issue comes hot on the heels of others for WhatsApp—and it’s a worrying pattern. The year’s lowlight was undoubtedly the alleged hacking of dissidents and activists by Israeli spyware firm NSO, as I reported in May. WhatsApp confirmed that the attack would “take over the functions of mobile phone operating systems.” There were material implications for the safety and security of lawyers, journalists and activists, and Facebook instigated legal action against NSO as a result of the attack to protect the integrity of its technology.
But that was not an isolated security breach. In October, I reported on a WhatsApp flaw that allows an attacker to use a “malicious GIF image” to potentially access user content. WhatsApp quickly patched the issue. Then in November, I reported that Facebook had quietly confirmed another security vulnerability that would expose users to the risk of malware being planted on their devices through “specially crafted MP4 files” sent via WhatsApp. The company discovered and patched the issue before, it said, any exploitation could take place.
What next for WhatsApp?
The WhatsApp team and owner Facebook take security seriously; it would be difficult to argue it’s “in their DNA” without doing that. And the platform’s security issues are not unique. We have seen others exposed—particularly rival Telegram, and the standard SMS alternative is wide open to attack. But WhatsApp has become the mass-market security standard bearer, and that’s why this hits so hard.
On the encryption front, Facebook is making a stand alongside other U.S. tech giants, with company spokespeople describing government requests to open encryption to lawful intercept as “a gift to criminals, hackers and repressive regimes,” exposing users to “real-life harm.” And for that the security community applauds the platform. But, at the same time, this is Facebook, and that means inevitable skepticism as future plans to monetise WhatsApp unfold.
WhatsApp has become and remains a target for threat actors because of its ubiquity. You can pretty much guarantee it will be installed on a target device, and that makes finding its security vulnerabilities a worthwhile venture. It is going on right now—as ever in security, we only report on the exploits we know about.