NSO Group

Auto Added by WPeMatico

Decrypted: The tech police use against the public

There is a darker side to cybersecurity that’s frequently overlooked.

Just as you have an entire industry of people working to keep systems and networks safe from threats, commercial adversaries are working to exploit them. We’re not talking about red-teamers, who work to ethically hack companies from within. We’re referring to exploit markets that sell details of security vulnerabilities and the commercial spyware companies that use those exploits to help governments and hackers spy on their targets.

These for-profit surveillance companies flew under the radar for years, but have only recently gained notoriety. But now, they’re getting unwanted attention from U.S. lawmakers.

In this week’s Decrypted, we look at the technologies police use against the public.


THE BIG PICTURE

Secrecy over protest surveillance prompts call for transparency

Last week we looked at how the Justice Department granted the Drug Enforcement Administration new powers to covertly spy on protesters. But that leaves a big question: What kind of surveillance do federal agencies have, and what happens to people’s data once it is collected?

While some surveillance is noticeable — from overhead drones and police helicopters overhead — others are worried that law enforcement are using less than obvious technologies, like facial recognition and access to phone records, CNBC reports. Many police departments around the U.S. also use “stingray” devices that spoof cell towers to trick cell phones into turning over their call, message and location data.

Powered by WPeMatico

WhatsApp hits 2 billion users, up from 1.5 billion 2 years ago

WhatsApp, the most popular messaging app, revealed today just how big it has become. The Facebook -owned app said it has amassed two billion users, up from 1.5 billion it revealed two years ago. It also remains free of ads and does not charge its users any fee.

The announcement today makes WhatsApp only the second app from Facebook to join the two-billion-users club. (Facebook’s marquee app has 2.5 billion users.) In an earnings call in late January, Facebook also noted that that there were 2.26 billion users that opened either Facebook, Messenger, Instagram or WhatsApp each day, up from 2.2 billion last quarter. The family of apps sees 2.89 billion total monthly users, up 9% year-over-year.

WhatsApp, founded 11 years ago and sold to Facebook for $19 billion six years ago, took the opportunity today to reiterate that it is committed to providing end-to-end encryption to its customers all over the globe — a crucial feature lauded by security experts everywhere but something that many governments are increasingly trying to contest.

“Strong encryption acts like an unbreakable digital lock that keeps the information you send over WhatsApp secure, helping protect you from hackers and criminals. Messages are only kept on your phone, and no one in between can read your messages or listen to your calls, not even us. Your private conversations stay between you,” WhatsApp wrote in a blog post.

Among the governments that are attempting to force WhatsApp into dropping encryption is India (which happens to be WhatsApp’s largest market, with 400 million users), Australia and the U.S.

Will Cathcart, the chief executive of WhatsApp, has said in the past that the messaging platform will fight for the privacy of its users. This was on display last October, when WhatsApp filed a suit in federal court accusing Israeli mobile surveillance maker NSO Group of creating an exploit that was used hundreds of times to hack into targets’ phones.

“Strong encryption is a necessity in modern life. We will not compromise on security because that would make people less safe. For even more protection, we work with top security experts, employ industry leading technology to stop misuse as well as provide controls and ways to report issues — without sacrificing privacy,” the company said today.

The two-billion milestone is a big feat for WhatsApp, which gained immense popularity without any marketing in developing markets such as India, where calls and texts were fairly expensive for most people. There is no app in India today that has a greater penetration than WhatsApp, for instance.

But even as WhatsApp has amassed all the users in the world, it is still struggling to make any substantial contribution to Facebook’s bottom line. In recent years, WhatsApp has introduced tools for businesses to connect with their customers. But something even more interesting has happened in the meantime.

Scores of startups in developing markets today are building businesses around WhatsApp. Vahan, a Y Combinator-backed startup, uses WhatsApp to help delivery startups find blue-collar workers. Digi-Prex, a Hyderabad-based startup, runs an eponymous online subscription pharmacy to serve patients with chronic diseases. Patients share their prescription with Digi-Prex through WhatsApp and the startup’s workers then deliver the medication to them on a recurring cycle.

I think the next justdial will be built on top of @whatsapp … especially for India (or other markets where WhatsApp is big)

anyone working on this?

— miten sampat (@miten) February 11, 2020

But this immense popularity has also created other challenges for WhatsApp. The platform has been used to spread false information that has resulted in gruesome fatalities in real world. WhatsApp has rushed to make product changes and run campaigns to educate users, but it’s a long battle.

Powered by WPeMatico

WhatsApp exploit let attackers install government-grade spyware on phones

WhatsApp just fixed a vulnerability that allowed malicious actors to remotely install spyware on affected phones, and an unknown number reportedly did so with a commercial-grade snooping package usually sold to nation-states.

The vulnerability (documented here) was discovered by the Facebook-owned WhatsApp in early May, the company confirmed to TechCrunch. It apparently leveraged a bug in the audio call feature of the app to allow the caller to allow the installation of spyware on the device being called, whether the call was answered or not.

The spyware in question that was detected as having been installed was Israel-based NSO Group’s Pegasus, which is usually (ostensibly) licensed to governments looking to infect targets of investigations and gain access to various aspects of their devices.

This is, as you can imagine, an extremely severe security hole, and it is difficult to fix the window during which it was open, or how many people were affected by it. Without knowing exactly what the exploit was and what data WhatsApp keeps regarding that type of activity, we can only speculate.

The company said that it suspects a relatively small number of users were targeted, since it would be nontrivial to deploy, limiting it to advanced and highly motivated actors.

Once alerted to the issue’s existence, the company said it took less than 10 days to make the required changes to its infrastructure that would render the attack inoperable. After that, an update went out to the client that further secured against the exploit.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” the company said in a statement.

So what about NSO Group? Is this attack their work as well? The company told the Financial Times, which first reported the attack, that it was investigating the issue. But it noted that it is careful not to involve itself with the actual applications of its software — it vets its customers and investigates abuse, it said, but it has nothing to do with how its code is used or against whom.

WhatsApp did not name NSO in its remarks, but its suspicions seem clear:

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.”

Naturally when a security-focused app like WhatsApp finds that a private company has, potentially at least, been secretly selling a known and dangerous exploit of its protocols, there’s a certain amount of enmity. But it’s all part of the 0-day game, an arms race to protect against or breach the latest security measures. WhatsApp notified the Department of Justice and “a number of human rights organisations” of the issue.

You should, as WhatsApp suggests, always keep your apps up to date for situations like this, although in this case the problem was able to be fixed in the backend before clients could be patched.

Powered by WPeMatico