WhatsApp Vulnerability Left iPhones Vulnerable to Israeli Spyware [Updated]

[killhippie]

Anyone else find it extremely disturbing Israelis spying?

Luckily they don’t make phones.

Israel makes loads of telecoms equipment for Europe and maybe even the USA under the name ECI. Now I don't use WhatsApp, never have but I do find it ironic that Huawei are being banned left right and centre yet ECI based equipment isn't, and now WhatsApp gets caught being a bad actor. I guess it depends on how friendly you are with your spying counterparts and what financial arrangements you have in place with them, as I'm sure every country knows exactly who is spying on who globally. It's good that iOS is so secure though, as Tim says what happens on your iPhone stays on your iPhone, oh hang on...

 

[gnasher729]

I found a link to the original Times article, and it is clear that the MacRumors article is mixing things up.

From the article: "Digital attackers could use the vulnerability to insert malicious code and steal data from an Android phone or an iPhone simply by placing a WhatsApp call, even if the victim did not pick up the call." So WhatsApp has a vulnerability, which lets an attacker break into the WhatsApp up. No mention of installing applications on the phone. No mention that they could affect anything outside WhatsApp.

Then later the article says that in 2016 the same company producing this exploit _was_ able to install software on an iPhone, using vulnerabilities that were present in 2016. So they cannot do this today, with or without WhatsApp exploit.

Yes I was thinking that. I mean Whatspp was obviously buggy, or considering Facebook own it it was by design.... anyway, it had this bug that allowed it to completely bypass any and all iOS security??
That’s a failure of the iOS coding is it not? It’s not protecting those back doors.

According to the New Times article, which is much clearer than the MacRumors one, no. There was no exploit against iOS. This attack was against the WhatsApp app only.

 

[canny]

Thank you Israel. Very cool.

 

[fairuz]

So a bug in WhatsApp can install unsigned apps? That sounds like iOS has the bigger security bug

No, the article didn't suggest that, but they aren't clear either. From what I gather, attackers can take over the running WhatsApp instance only. That's pretty useful since most people will probably have given it voice and video, probably camera roll, and maybe contacts access.
[doublepost=1557821868][/doublepost]

Anyone else find it extremely disturbing Israelis spying?

Luckily they don’t make phones.

I don't find this disturbing because they didn't infiltrate a supply chain or anything. They only used what everyone else has access to, WhatsApp's public-facing servers. They didn't create the vulnerability, rather they discovered it, so this is only about information.

Hardware hacks scare me. The alleged spy chip in SuperMicro servers, if it were real, would've been reason to panic. That is creating a vulnerability, and few can do anything about it.

Now, I strongly dislike Netanyahu's administration and our relations with it and am not comfortable with Israel in general, but that's for other reasons.

 

[makitango]

This is just the tip of the iceberg. All I read is that there should be a system
in place preventing the install of unsigned apps in the first place. Enterprise/developer apps need certificates so how does this work?

 

[fairuz]

I found a link to the original Times article, and it is clear that the MacRumors article is mixing things up.

From the article: "Digital attackers could use the vulnerability to insert malicious code and steal data from an Android phone or an iPhone simply by placing a WhatsApp call, even if the victim did not pick up the call." So WhatsApp has a vulnerability, which lets an attacker break into the WhatsApp up. No mention of installing applications on the phone. No mention that they could affect anything outside WhatsApp..

MR didn't say they installed another app or broke into the system. "Installed software" sounds like that, but inserting code into the running WhatsApp process is installing software technically. It's very misleading wording, and probably very few would read it the way I described. MR ought to revise.

 

[33man]

Swiss government has banned whatsapp for the members of the government...

Beside that, huawei is one of the antenna cell phone provider... So well, if it isn't the app that spies you, it's the network infrastructure and if not it's the FBI with patriot act

So well... My only question is :

Did whatsapp the same as Apple with the facetime group chat bug, de-activating all impacted versions? Forcing the update to the users?

 

[cavi]

Some facts:
1. NSO is an Israeli based company – not Israel.
2. The Israeli law bans the export of technologies such as NSO’s without the right permits (which is given to countries and certified organizations) – if NSO is selling to others, it is an illegal act.
3. NSO’s technology saved thousands over the world already.

 

[thasan]

Some facts:
1. NSO is an Israeli based company – not Israel.
2. The Israeli law bans the export of technologies such as NSO’s without the right permits (which is given to countries and certified organizations) – if NSO is selling to others, it is an illegal act.
3. NSO’s technology saved thousands over the world already.

lol. Right. Judging by the looks of it, Huawei is a much cleaner company compared to this. Not sure how you got to point 3. But please, tell this fairytale to his family: "The company has previously been accused of selling software used to spy on the phone of the murdered Saudi Arabian journalist Jamal Khashoggi." and all the innocent civilians and peaceful activists killed in the name of "terrorism".

 

[cavi]

lol. Right. Judging by the looks of it, Huawei is a much cleaner company compared to this. Not sure how you got to point 3. But please, tell this fairytale to his family: "The company has previously been accused of selling software used to spy on the phone of the murdered Saudi Arabian journalist Jamal Khashoggi." and all the innocent civilians and peaceful activists killed in the name of "terrorism".

NSO's existence is based on idea that its technology will help to save lives. I have no idea (and not either you...) if they are selling their tech to non-approved organizations. moreover, even if they sold already their technology to a country or organization which used it for an activity which isn't the stated activity (such as Khashoggi's murder, as alleged), NSO is banned from selling additional technology to this state or organization.

 

[Lexdexia]

I remember some shills were saying WhatsApp is more secure than iMessage, Telegram, Signal, etc.

Lmao nice try I’m not trusting anything from Facebook.

 

[realtuner]

Yes I was thinking that. I mean Whatspp was obviously buggy, or considering Facebook own it it was by design.... anyway, it had this bug that allowed it to completely bypass any and all iOS security??
That’s a failure of the iOS coding is it not? It’s not protecting those back doors.

Yet again more lies.

This never bypassed “any and all iOS security”. They only compromised WhatsApp itself.

Also curious how you never mentioned it supposedly bypassing Android security, since this exploit also worked on WhatsApp for Android.

 

[0947347]

Anyone else find it extremely disturbing Israelis spying?

Luckily they don’t make phones.

Be careful, saying anything unfavourable about Israel, is called antisemitism now
They are the good ones, apparently, because they said so.

 

[gnasher729]

iOS has been cracked most likely, the information just hasn't been leaked. There's nothing in this day and age that can't be exploited.

According to the original source, no. iOS has NOT been cracked. The first line of the MacRumors article is wrong, mixing up the WhatsApp hack and other exploits from 2016.
[doublepost=1557847999][/doublepost]

This is just the tip of the iceberg. All I read is that there should be a system
in place preventing the install of unsigned apps in the first place. Enterprise/developer apps need certificates so how does this work?

No unsigned apps have been installed through this hack.

 

[makitango]

No unsigned apps have been installed through this hack.

So what is the nature of this spyware? Is it a profile? How does data get collected?

 

[A.Goldberg]

Israel makes loads of telecoms equipment for Europe and maybe even the USA under the name ECI. Now I don't use WhatsApp, never have but I do find it ironic that Huawei are being banned left right and centre yet ECI based equipment isn't, and now WhatsApp gets caught being a bad actor. I guess it depends on how friendly you are with your spying counterparts and what financial arrangements you have in place with them, as I'm sure every country knows exactly who is spying on who globally. It's good that iOS is so secure though, as Tim says what happens on your iPhone stays on your iPhone, oh hang on...

I think it’s pretty well known that everyone spies on everyone. Remember how the US was caught having tapped Angela Merkel’s phone? Just as PRISM was a dragnet on American citizens, they have similar programs for international purposes. Mossad agents have been caught countless times in the US. The “5 eyes” countries often spy on each other’s citizens at the target nation’s behest to circumvent the nations laws.

I suspect it’s an understood reality between nations. The benefits of sharing intelligence probably far outweighs the fuss of political drama. And as alluded to before, some information gained by a foreign nation spying can be beneficial to the nation being spied upon.

It also doesn’t seem too problematic for individual politicians (ie Trump and Clinton) to use foreign entities directly or indirectly to obtain dirt on their opponents.

 

[apolloa]

Yet again more lies.

This never bypassed “any and all iOS security”. They only compromised WhatsApp itself.

Also curious how you never mentioned it supposedly bypassing Android security, since this exploit also worked on WhatsApp for Android.

Why should I mention Android in my posts on an Apple site? Do you claim that posts are invalid unless they also mention Android?
And yes, it did bypass iOS security, unless your claiming it lacks any capability to block dangerous software installing itself through an app.

 

[realtuner]

Why should I mention Android in my posts on an Apple site? Do you claim that posts are invalid unless they also mention Android?
And yes, it did bypass iOS security, unless your claiming it lacks any capability to block dangerous software installing itself through an app.

Posts are invalid when they are full of lies and don't represent the entirety of the issue. As in your original post about bypassing iOS security, which is 100% false/a lie. They bypassed the security of WhatsApp, not iOS.

The second part of this post is just another one of your logical fallacies.

 

[apolloa]

Posts are invalid when they are full of lies and don't represent the entirety of the issue. As in your original post about bypassing iOS security, which is 100% false/a lie. They bypassed the security of WhatsApp, not iOS.

The second part of this post is just another one of your logical fallacies.

Ah I see, so according to you, no post is valid UNLESS it also discusses Android, gotya...
And all the counter argument you can come up with is simply accusing someone of lying, that’s it, no actual argument, not much point debating anything with you if that’s all you do

 

[realtuner]

Ah I see, so according to you, no post is valid UNLESS it also discusses Android, gotya...
And all the counter argument you can come up with is simply accusing someone of lying, that’s it, no actual argument, not much point debating anything with you if that’s all you do

Not what I said. So not only did you lie about iOS security, you’re now fabricating what I actually said. Is lying all you can do?

Where is the proof to support your comment “completely bypass any and all iOS security”? You have none because you can’t prove a lie as being true.

 

[apolloa]

Not what I said. So not only did you lie about iOS security, you’re now fabricating what I actually said. Is lying all you can do?

Where is the proof to support your comment “completely bypass any and all iOS security”? You have none because you can’t prove a lie as being true.

Pointless you posting really, it does bypass the security because you’ve done nothing to prove otherwise, just post the word lies.. can’t be bothered with you, you have no interest in highlighting why I am wrong, I have no interest in your posts. Have a nice day

 

[dysamoria]

Is anyone actually surprised by this news?

 

[I7guy]

not as bad as the FaceTime bug/exploit.

Just as bad. And it sounds like, Justin like the FaceTime bug, whether it was exploited successfully is unknown.

Waiting for suits to start.

 

[0388631]

iOS is as secure as Apple makes it. Once you introduce third-party apps into the mix, your data is at risk. Much like iOS, Android sandboxes apps and processes, too.

While I'm sure Apple makes a secure product, I caution on the side of "iOS is routinely cracked by intelligence outfits" and if you're doing anything fishy, just buy a burner phone.

Edit: Scratch that, I presume everything is easily accessible by government bodies and private bodies contracted by governments.

WhatsApp came from Israel, FYI.

No, it didn't. You're thinking of ICQ.

 

[haruhiko]

iOS is as secure as Apple makes it. Once you introduce third-party apps into the mix, your data is at risk. Much like iOS, Android sandboxes apps and processes, too.

While I'm sure Apple makes a secure product, I caution on the side of "iOS is routinely cracked by intelligence outfits" and if you're doing anything fishy, just buy a burner phone.

Edit: Scratch that, I presume everything is easily accessible by government bodies and private bodies contracted by governments.



No, it didn't. You're thinking of ICQ.

Okay it’s my mistake. Sorry. I can’t find evidence supporting my claim too.