Of Governments and Cybercriminals
Imagine being one of the richest people on the planet, and having your nude photographs stolen from your smartphone. Imagine the frustration when you’re powerful enough to affect international trade, but your marriage is held hostage by the actions of hacker. At a certain point in the life of Jeff Bezos, owner of the Washington Post and founder of Amazon, it would have been reasonable to think that things couldn’t get any worse.
Then they got worse.
Last week, vice.com blog published the full findings of a forensic investigation performed on on Bezos’ iPhone (1), and although no malware was found on the device, there are strong indications that spyware was transmitted from the WhatsApp account belonging to Mohammad Bin Salman, Crown Prince of Saudi Arabia. According to a Guardian report, it wasn’t only his iPhone that was compromised this way by Saudi officials, friends and colleagues of journalist Jamal Khashoggi had also experienced similar attacks (3). What makes this particularly worrying for Bezos is that he appears to have caught the attention of Mohammad Bin Salman, who is also being accused of orchestrating the murder of Jamal Khashoggi in Istanbul in 2018 (2).
So how is it possible for someone’s life to be so readily compromised if there was no malware behind it?
Anyone who has ever used E-Mail knows that you never click on links or open attachments from unknown sources. It’s even become standard that most E-Mail clients do not allow attachments or images to be automatically opened, and even the pre-loading of images is disabled by default. When it comes to E-Mail, people understand the dos and don’ts, but being security conscious in this way doesn’t seem to apply to Messenger apps. Maybe it’s a combination of apps being closed systems so there aren’t that many settings to worry about, or maybe it’s because app creators know that user convenience is king. Even if the automatic preview of incoming files can be disabled, as is the case in Telegram messenger, it’s mostly enabled by default because people just want things to work. The problem is that they don’t ever wonder what the tradeoff is for this level of convenience.
So when Jeff Bezos received the message, it probably didn’t cross his mind to question the message or to double check if it was safe to watch the video. But with smartphone apps it’s not even as convenient as looking at the app, or the individual, because it’s the curse of convenience which basically complicates things further by adding more grey areas. In theory, the preview of that video would have been sufficient for the attack to succeed – but if the user doesn’t preview the video then they’re safe right?
In this specific case, Facebook claims the vulnerability abused was not a WhatsApp-bug, but rather an IOS-bug (8). Because it is possible to have previews of incoming messages in parts of the operating system, such as the lock screen, the phone’s operating system would need to access the content of messages as well. So this means that by trying to be helpful and give the user a preview of a message they would never have clicked on themselves, the phone OS can end up installing the malware.
According to the forensic researchers that have researched Jeff Bezos iPhone, the software used to epxloit the vulnerabilities was purchased from a company that provides spyware for governments worldwide. One example of such company is the Israeli NSO group (4), who has been sued by Facebook / WhatsApp for the abuse of their messenger apps. An older vice.com blog describes the contents of the lawsuit and how NSO group operates (5).
There were reports relating to some early Android versions, where the operating system prevented users from changing certain settings which made it practically impossible for users to protect themselves from execution of malicious incoming files. WhatsApps’s own Signal protocol has also reportedly had vulnerabilities found and abused by third parties like the NSO group or FinFisher.
These days desktop computers have become relegated for business use, while personal communication has largely shifted to mobile – because you can take it with you wherever you go. This means that the data generated on mobile devices becomes much more valuable because of how much more of the person’s life it touches – which then makes mobile devices a much more interesting target for malicious actors.
While large tech companies generally refuse to allow governments backdoor access to their applications to prevent citizens being spied on, some of the very same governments engage with organizations that take advantage of software vulnerabilities. Interestingly, these organizations employ the same methods as cyber criminals when they attack their victims. Wikipedia mentions Germany, Turkey, Israel, Thailand, Qatar, Kenya, Uzbekistan, Mozambique, Morocco, Yemen, Hungary, Saudi Arabia, Nigeria, and Bahrain as countries where software from NSO group or Finfisher (6) has been used.
While the data is currently the most appealing asset in your mobile device, it’s important to note that a compromised phone would also give access to all your other channels including E-Mail, chat, messenger, SMS, etc. Trends in E-Mail consumption already show that more than half of all E-mails is being read on mobile devices. This is where E-Mail may become the target of attacks more often in the future, rather than just the tool for transmission of spyware. Imagine what someone with control over Jeff Bezo’s phone could achieve pretending to be him…
But the thing is, with E-Mail the challenge is to detect if the person you believe to be speaking to actually is the person you are speaking to. Even with mechanisms like SPF, DKIM and DMARC that help make sure that an E-Mail message look entirely authentic, you can’t be sure because it’s much easier to attack and abuse any open protocol than it is to attack and abuse proprietary software, which is usually owned and hosted by one single multinational.
In contrast to E-Mail, most messengers largely verify users by their SIM-cards’ numbers, not leaving much room for doubt about their identity – even though this confirmation of identity can ironically become a threat to the users’ anonymity. But there is some hope as there is one app which attempts to balance user anonymity and sender authentication is Telegram messenger (7). Since mobile apps are all designed around convenience, it also introduces further risks because a compromised phone will still be sending as the legitimate owner – which then neutralizes any benefits that anti-spam measures may bring, e.g. spam from Jeff Bezos’ phone will in fact be from Jeff Bezos…
Pretty much any provider for software or technology will have loads to say about their dedication to security and privacy, etc. – because on average they all generally do try to keep their customer safe. Unsecured data doesn’t result in a very good long-term userbase for anyone. However, most vulnerabilities used to attack any software are so-called zero-day-bugs – which ironically are introduced as software is updated, or other bugs are fixed.
To help encourage user-safety a lot of providers have rewards programs where individuals, or hackers, who find security flaws can report these for a reward. However, the reward they receive from the software company is not always as high as the amount they can earn by selling this information on in the darker corners of the web.
Wikipedia reads “While selling and buying these vulnerabilities is not technically illegal in most parts of the world, there is a lot of controversy over the method of disclosure. A 2006 German decision to include Article 6 of the Convention on Cybercrime and the EU Framework Decision on Attacks against Information Systems may make selling or even manufacturing vulnerabilities illegal.” (9).
So as usual with regards to security it’s an arms race – with some very shady actors involved.
But what is possibly confusing is when Governments spend tax money to buy licenses for the kind of tools that would allow them to steal data, e.g. like when the German government spent 147.000 Euro on tax money to buy a license for Finfisher’s FinSpy in 2013 (10). On the face of it, it looks like quite the contradiction – on the one hand how trustworthy does that make the government, but on the other is it because they want to use the same kind of tools to test their own security?
It’s a dark day when you start wondering if the leader of a country has abused day-to-day communication tools to the extent where murders are orchestrated, or to blackmail one of the richest men on earth. It reads more like a crime thriller you’d take on holiday. But when the same tools that cyber criminals use are available to well-funded government actors, then where does it all end? Wikipedia quotes: “In June 2018, an Israeli court indicted a former employee of NSO Group for allegedly stealing a copy of Pegasus and attempting to sell it online for $50 million worth of cryptocurrency.” (4).
I’m not sure if there is any positive aspect to E-Mail in this story. We are still struggling to authenticate the legitimacy of senders and many E-Mail experts still live in a bubble where they aren’t looking beyond their channel of choice. The past 10 years in E-Mail security was mainly about authenticating E-Mail with SPF and DKIM, and the reason we need to patch SPF and DKIM with DMARC was mainly the ignorance of our own policies and mechanisms.
But now we live in times where each messenger can do end-to-end encryption straight out of the box, but with E-Mail, the same level of security is still a huge challenge. Because E-Mail isn’t an app but a channel at the mercy of a number of different mechanisms, and protocols it’s much harder to ensure a unified level of security. But to make E-Mail safe it would require a monumental collaborative effort across a host of different stakeholders, which is a hard sell given that the benefits for that isn’t as high as say developing the next big communications app.
But at the same time, with vulnerabilities having been reported in the Signal protocol that WhatsApp uses, it opens up the possibility of it being taken advantage of by software from the NSO group and FinFisher. So when looking at communications from a single device, then it’s important to remember that the chain of communication is only as secure as its weakest link, or app.. or OS!
Maybe it’s time to look beyond our bubble and realize that despite all the security measures we’re putting together for E-Mail, it’s now the stronger part of a pretty weak chain. If any spammer ever gets hold of Pegasus-like technology, they can start sending spam straight out of our pockets and sender authentication will not solve that problem – because in more ways than one your phone is now the digital version of you.
Convenience will be the death of our security.