A serious vulnerability in WhatsApp

Critical WhatsApp Vulnerability, Facial Recognition Ban, Wormable Flaw in Windows


This is your Shared Security Weekly Blaze for May 20th 2019 with your host, Tom Eston. In this week’s episode: A serious spyware vulnerability in WhatsApp, San Francisco bans facial recognition, and a wormable vulnerability in older Microsoft systems.

Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Facebook has revealed a major vulnerability in its popular WhatsApp messaging app, which is used by 1.5 billion users. This vulnerability allows malicious spyware to be installed by initiating a call over WhatsApp’s voice calling feature. The vulnerability is so serious that the spyware would be installed even if the call wasn’t picked up. WhatsApp said that only a select number of users were victims and that the vulnerability affects all but the latest version available for Apple iOS and Android. Now it should be no surprise that this spyware was also linked back to the infamous Israeli NSO Group, which is known for selling highly advanced spyware to governments and nation states. We’ve mentioned the NSO Group many times on the podcast before when we talked about their Pegasus spyware, which can read messages, turn on the microphone and camera, and completely take over the device. Of course, reports say that the NSO Group has denied any involvement in the WhatsApp vulnerability. WhatsApp has fixed the vulnerability, and if you happen to use WhatsApp you need to update to the latest version immediately.

What’s really disturbing about a vulnerability like this is that you as the victim can’t really do anything to protect yourself, except not have the app installed. We’re seeing more of these types of vulnerabilities, and many of them are taking advantage of zero-day vulnerabilities where only the exploit developer has the exploit, and the device manufacturer like Apple is unaware. This is not going to be the last time we see something as dangerous as this, so our best advice is to keep your device and apps always updated. That’s about all you can do to protect yourself, or just not use a mobile phone.

The other controversy around the WhatsApp vulnerability I want to talk about was a related story that came out in a Bloomberg article which said that end-to-end encryption is nothing but a marketing gimmick. The article went as far as to say, quote, “End-to-end encryption is a marketing device used by companies such as Facebook to lull consumers wary about cyber-surveillance into a false sense of security,” end quote. First of all, this is wrong and extremely misleading. But don’t take my word for it; the cybersecurity community reaction on social media was swift to dismiss the FUD being thrown in this article. Look, zero-days and app vulnerabilities aside, end-to-end encryption is not a gimmick. It’s a real and very important technology to protect your information. End-to-end encryption has nothing to do with this particular vulnerability, as the exploit completely compromises the device, not the transit of messages themselves, which is what end-to-end encryption protects. Oy vey. Check out our show notes to read this terrible article for yourself. And let’s hope news organizations like Bloomberg will learn that click-bait articles like this one are dangerous and don’t help anyone stay more secure.

In breaking news last week, San Francisco became the first city in the US to ban the use of facial recognition by police and several other local government agencies. Facial recognition has been used by police and other law enforcement for over a decade now, but more recently this technology has come under great scrutiny because of privacy concerns as well as the risk of government abuse. Not only that, but there is concern about facial recognition technology not having a 100% success rate, meaning there is a risk of people being falsely identified if law enforcement was using this technology in, say, an investigation.

As I’ve mentioned on previous episodes of this podcast, US Customs and Border Protection has been using facial recognition at airports and ports of entry for the last several weeks now. There is some good news, in that there seem to be ways to opt out of facial recognition if you don’t want your face scanned, but reports say that if you’re not a US citizen you can’t opt out. Now, not being able to opt out is one thing, but what’s really fascinating is that this technology has become so common that even our personal devices have it installed by default. For example, you can use FaceID to unlock your iPhone or log in to your Windows PC using Windows “Hello”. While there is less of a privacy concern since these are devices we own and control, the bigger concern is that in larger surveillance situations, like in large public areas that are using facial recognition, we all unwillingly become a subject and potential suspect, and it becomes impossible to opt out. So have we gotten to the point that we have no choice but to trade our privacy for mass surveillance which uses a technology which isn’t 100% accurate? I think San Francisco is on to something, and let’s see if other US cities follow suit.

And now a word from our sponsor, Edgewise Networks.

Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.

Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.

Visit edgewise.net to get your free month of visibility.

Late last week Microsoft took the unusual step of releasing several critical security updates for out-of-support operating systems like Windows Server 2003 and Windows XP. Other updates were also issued for Windows Server 2008 and Windows 7, which are still being supported by Microsoft. This update fixes a critical Remote Code Execution vulnerability in Remote Desktop Services, also known as Terminal Services back in the day. This particular vulnerability requires no user interaction and is ‘wormable’, meaning that if malware were to exploit this particular vulnerability it could easily be spread to other systems that are also vulnerable. You may remember that back in 2017 the WannaCry ransomware spread in a similar fashion, using the “EternalBlue” exploit that was developed by the NSA. That exploit was leaked by the Shadow Brokers hacking group, which published several hacking tools and zero-day exploits leaked from the NSA.

The bottom line here is that hopefully all of you listening to this podcast are no longer using ancient and outdated operating systems like Windows XP. However, the reality is that these systems are still being used. In 2017 when WannaCry was released, it was estimated that over 200,000 Windows XP computers across 150 countries were infected. Just recently, I saw people posting pictures on Twitter showing Windows XP being used in a dentist office, hospitals and other systems like digital signs at airports. Now, older systems in the healthcare industry are actually pretty common. There is always the attitude of “if it’s not broke, why fix it,” and these systems may not be connected to a network or the Internet, as they may just run a unique type of software for a medical device. Still, businesses and consumers alike need to upgrade or decommission older systems like these, because the longer they stay in use, history shows us the more vulnerable they become.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
