In a significant development in the legal battle between Meta, the company behind WhatsApp, and NSO Group, a US court has ordered NSO Group to disclose the code for its spyware, Pegasus. The lawsuit, initiated by Meta in 2019, alleges that NSO Group exploited a vulnerability in WhatsApp to install the Pegasus spyware on specific user devices without their consent.
The court’s decision, delivered by Judge Hamilton, mandates NSO Group to reveal all relevant spyware code used in alleged attacks spanning from April 2018 to May 2020. This move is a significant breakthrough in the ongoing legal dispute, providing WhatsApp with crucial insights into the inner workings of Pegasus for defensive purposes.
Background of the Lawsuit
The lawsuit filed by WhatsApp against NSO Group has been gaining momentum. WhatsApp accuses NSO Group of targeting 1,400 users with the Pegasus malware. Recent court rulings have dismissed NSO Group’s attempts to evade responsibility, compelling the disclosure of pertinent documents and code.
The revelation of Pegasus’s technological capabilities through the disclosed code could serve as crucial evidence for those targeted by the spyware. Moreover, investigations in Spain and Poland are focusing on Pegasus’s alleged abuse against political leaders, shedding light on its technological exploitation.
Response and Implications
WhatsApp’s legal action against NSO Group stems from its claim that Pegasus spyware infected numerous devices, including those belonging to journalists, activists, and government officials, exploiting a WhatsApp vulnerability (CVE-2019-3568). By acquiring the NSO source code, WhatsApp aims to understand the vulnerability better and potentially develop a defense mechanism against such exploits.
The court’s dismissal of NSO’s sovereign immunity claims and the order to disclose attack-related code mark a significant victory for WhatsApp. However, despite penalties and government pressure, other companies in the spyware sector remain operational. NSO Group itself faces litigation related to its activities.
Although NSO Group asserts that Pegasus is intended solely for recognized nations, it has been widely used to target human rights advocates and journalists. Victims of Pegasus spyware face the challenge of identifying the entity behind its deployment before seeking compensation.
Judge Hamilton’s decision enables victims to take legal action by suing WhatsApp to uncover the identity of the malware’s deployer. This aligns with WhatsApp’s commitment to user safety and discouraging misuse of its platform. The ruling also sets a precedent, holding corporations accountable for facilitating spyware assaults.
The court’s order for NSO Group to hand over the Pegasus spyware code to WhatsApp marks a significant step forward in the legal battle against spyware exploitation. It underscores the importance of accountability in the technology sector and reaffirms the commitment to protecting user privacy and safety.
Legal Ramifications
- Precedent Setting: The court’s decision sets a precedent for holding technology companies accountable for the misuse of their products. This could lead to a wave of similar lawsuits against other entities engaged in similar activities, fostering greater accountability within the tech industry.
- Legal Defense Development: With access to the Pegasus code, WhatsApp can develop robust defenses against similar exploits in the future. This could potentially mitigate the impact of future cyberattacks not only on WhatsApp but also on other platforms facing similar vulnerabilities.
- Global Legal Landscape: The legal battle between WhatsApp and NSO Group may influence the development of cybersecurity laws and regulations globally. Governments may enact stricter regulations on surveillance technology companies, leading to increased transparency and oversight in the industry.
Technological Implications
- Enhanced Security Measures: Armed with insights into Pegasus’s inner workings, WhatsApp can bolster its security measures to prevent future breaches. This could involve patching existing vulnerabilities and implementing more robust encryption protocols to safeguard user data.
- Cybersecurity Arms Race: The disclosure of Pegasus code could spark a cybersecurity arms race, with companies and governments investing heavily in offensive and defensive cyber capabilities. This could lead to an escalation of cyber conflicts and a greater emphasis on cybersecurity as a national security priority.
- Innovation in Surveillance Technology: The exposure of Pegasus’s capabilities may drive innovation in surveillance technology, both in terms of offensive capabilities and defensive countermeasures. This could lead to the development of more sophisticated surveillance tools, as well as more effective methods of detecting and mitigating their use.
Geopolitical Considerations
- Diplomatic Fallout: The court’s decision may strain diplomatic relations between countries implicated in the use of Pegasus spyware and those affected by it. Countries accused of using such technology for nefarious purposes may face international condemnation and sanctions.
- Impact on National Security: The revelation of Pegasus code may have implications for national security, as governments reassess their reliance on surveillance technology for intelligence gathering. This could lead to changes in national security strategies and increased scrutiny of government surveillance programs.
- Shift in Power Dynamics: The disclosure of Pegasus code could alter the balance of power between governments, technology companies, and citizens. Governments may lose leverage over their citizens through covert surveillance, while technology companies may gain greater control over their products and data privacy.
The consequence of the court’s order for NSO Group to hand over the Pegasus spyware code to WhatsApp extends far beyond the immediate legal dispute. It has the potential to shape the future landscape of cybersecurity, technology regulation, and global geopolitics, with ramifications that could reverberate for years to come.
Pegasus Spyware Scandal Grips Europe: Alarming Incidents and Government Scrutiny
In a wave of unsettling revelations, Europe finds itself embroiled in a pervasive spyware scandal, with countries like Poland, Spain, Greece, Serbia, and Hungary at the forefront. The deployment of powerful surveillance tools, notably Pegasus, has raised grave concerns over democratic norms, privacy infringements, and abuse of power.
The recent exposure of espionage activities targeting opposition politicians and journalists has sent shockwaves across the continent. Disturbingly, the clandestine use of spyware has been employed to marginalize dissenting voices and stifle democratic processes. Such incidents have not only rattled public trust but have also ignited debates on the extent of government surveillance and the erosion of civil liberties.
One of the most alarming aspects of this scandal is the ease with which the spyware infiltrates unsuspecting victims’ phones. Contrary to conventional cyber-attacks that rely on phishing tactics, Pegasus can be installed without the need for the user to click on malicious links. Once infiltrated, the spyware grants remote access to the device, enabling comprehensive surveillance capabilities. From activating the camera and microphone to intercepting emails and text messages, the intrusive nature of Pegasus raises grave concerns about the privacy and security of individuals.
The scrutiny surrounding the spyware intensified following revelations about its manufacturer, NSO Group. The company, blacklisted by the U.S. government in 2021, has faced mounting criticism for its role in facilitating state-sponsored surveillance. While NSO has maintained that Pegasus is intended for counterterrorism efforts, its misuse in targeting journalists and political opponents has tarnished its reputation. This has prompted calls for stricter regulations and oversight to curb the abuse of surveillance technologies.
In response to these revelations, government officials across Europe have voiced alarm and called for urgent action. The presence of spyware on the phones of members and staff of Europe’s Parliament, just weeks ahead of crucial elections, has heightened concerns about electoral integrity and foreign interference. Such incidents underscore the need for robust cybersecurity measures and heightened awareness among policymakers and the public alike.
The scandal surrounding Pegasus and its ilk serves as a stark reminder of the growing threat posed by surveillance technologies to democratic institutions and fundamental rights. As governments grapple with the implications of unchecked surveillance, there is an urgent need for international cooperation and concerted efforts to safeguard privacy and uphold democratic principles.
As pressure mounts on NSO Group and governments implicated in these abuses, the coming months will be pivotal in determining the trajectory of surveillance regulation and the protection of individual liberties in Europe and beyond. In the face of mounting evidence of misuse and exploitation, the time for decisive action to hold perpetrators to account and protect democratic values is now.
Israeli NSO Group Suspected of “MMS Fingerprint” Attack on WhatsApp: A Deep Dive into Security Implications
The digital landscape is rife with vulnerabilities, constantly being exploited by entities with dubious intentions. A recent revelation by the Swedish telecom security firm Enea has once again brought to light the sophisticated means through which digital privacy can be compromised. At the heart of this concern is the Israeli spyware firm NSO Group, which is suspected of pioneering a novel cyber-attack method dubbed the “MMS Fingerprint” attack. This method, unlike traditional cyber-attack vectors, does not necessitate any form of user interaction, marking a significant evolution in the methodology of digital espionage.
Enea’s comprehensive report, shared on Thursday, 15, 2023, casts a spotlight on a previously undisclosed vulnerability within WhatsApp, a globally utilized messaging platform. This vulnerability, discovered in May 2019, facilitated the unauthorized installation of the infamous Pegasus spyware onto the devices of unsuspecting users. NSO Group’s exploitation of this flaw was not indiscriminate: the targets were individuals occupying roles of global significance – journalists, human rights activists, lawyers, and government officials. The revelation of this targeted attack led WhatsApp to pursue legal action against NSO Group, although NSO Group’s attempts to have the case thrown out by the US appeals court and the Supreme Court have not been fruitful.
Recent revelations have shed light on the deployment of NSO Group’s spyware tactics, further fueling concerns over surveillance abuse. The discovery emerged from a contract between NSO’s reseller and Ghana’s telecom regulator, unveiled in lawsuit documents. This revelation underscores the urgent need for enhanced scrutiny and regulation of surveillance technologies to safeguard privacy and democratic norms.
The modus operandi of the “MMS Fingerprint” attack involves the exploitation of the MMS UserAgent – a string that identifies the operating system and device model. This information can be leveraged by attackers to tailor their malicious payloads more effectively or to craft highly convincing phishing campaigns. The concern arises from the fact that the vulnerability lies not within the devices themselves but within the multi-stage MMS flow process, which includes a phase where the recipient’s device is notified of an awaiting MMS without requiring a data channel connection.
Enea’s investigation into this vulnerability involved a practical demonstration where sample SIM cards from a Western European operator were used to send MM1_notification.REQs. These requests successfully induced the target devices to access a URL controlled by the investigators, thereby revealing critical device information without the user’s knowledge or consent. This practical demonstration underscores the feasibility of such an attack in real-world scenarios and highlights the pressing need for mobile operators to reassess their security measures against such threats.
The insights from Javvad Malik, the lead security awareness advocate at KnowBe4, further emphasize the gravity of this situation. Malik warns of the unique danger posed by an attack mechanism that bypasses the need for user interaction – a departure from conventional cyber threats that often rely on tricking users into clicking malicious links. The specific targeting of individuals in sensitive roles by the NSO Group’s “MMS Fingerprint” attack is particularly alarming, as it underscores the potential for technology to be misused as a tool of surveillance and oppression.
The broader implications of incidents like the “MMS Fingerprint” attack are clear: in an age where digital communication platforms like WhatsApp are ubiquitous, the prioritization of security cannot be overstated. Platforms must not only address current vulnerabilities but also anticipate and mitigate future threats through the continuous evolution of their security architectures. Moreover, the incident serves as a reminder to users about the importance of exercising caution, such as disabling MMS auto-retrieval on their devices and being wary of unsolicited communications.
WhatsApp Vulnerability (CVE-2019-3568): Understanding the Exploit
Vulnerability Identification (CVE-2019-3568):
- CVE-2019-3568 is a specific vulnerability identified within WhatsApp, a popular messaging application owned by Meta.
- This vulnerability was discovered and assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2019-3568.
- It represents a flaw in WhatsApp’s security architecture that could potentially be exploited by malicious actors to execute unauthorized actions on users’ devices.
Nature of the Vulnerability:
- The vulnerability is categorized as a buffer overflow vulnerability, which occurs when an application attempts to write data beyond the bounds of allocated memory, leading to potential system crashes or unauthorized code execution.
- In the case of CVE-2019-3568, the vulnerability allows an attacker to remotely execute arbitrary code on a targeted device without the user’s knowledge or consent.
Exploitation Method:
- The exploit typically begins with the attacker sending a specially crafted message containing malicious code to the target’s WhatsApp account.
- Upon receiving the message, WhatsApp’s parsing mechanism fails to properly validate and sanitize the input, allowing the malicious code to trigger a buffer overflow condition.
- This overflow condition enables the attacker to overwrite adjacent memory regions, potentially gaining control over the device’s execution flow and executing arbitrary code.
Impact of the Vulnerability:
- The exploitation of CVE-2019-3568 grants the attacker significant control over the targeted device, potentially allowing them to steal sensitive information, install additional malware, or eavesdrop on communications.
- Given WhatsApp’s widespread use across various platforms and its integration with personal and professional communications, the impact of such a vulnerability can be far-reaching and severe.
Mitigation and Patching:
- Upon discovering the vulnerability, Meta, the parent company of WhatsApp, took immediate steps to address the issue and protect users from exploitation.
- WhatsApp released security patches and updates to remediate CVE-2019-3568, urging users to promptly update their applications to mitigate the risk of exploitation.
- Additionally, Meta collaborated with security researchers and industry experts to identify and address any additional vulnerabilities that could pose a threat to user security and privacy.
Importance of Timely Updates and Vigilance:
- The discovery and exploitation of CVE-2019-3568 underscore the importance of timely software updates and user vigilance in maintaining cybersecurity hygiene.
- Users are advised to regularly update their applications and operating systems to ensure they have the latest security patches installed, reducing the risk of falling victim to exploits like CVE-2019-3568.
In summary, CVE-2019-3568 represents a critical vulnerability within WhatsApp’s security infrastructure, which, if exploited, could grant attackers unauthorized access to users’ devices. Understanding the nature of this vulnerability and its exploitation is essential for implementing effective mitigation strategies and safeguarding user privacy and security.
APPENDIX 1 – Unveiling the Intricacies of Pegasus Spyware: Insights from WhatsApp’s Lawsuit
In May 2019, WhatsApp, the encrypted messaging giant, made a startling discovery – a vulnerability in its system that paved the way for the installation of Pegasus spyware on users’ devices. This vulnerability, exploited through a WhatsApp voice call, allowed attackers to compromise devices stealthily, without the owner’s knowledge. The finger of blame pointed squarely at NSO Group, a controversial surveillance technology company.
The ramifications of this discovery were global, with victims spanning across various sectors including journalists, human rights activists, lawyers, and government officials. WhatsApp’s subsequent legal action against NSO Group in October 2019 marked a significant turn in the battle against surveillance abuse. Despite NSO Group’s attempts to halt the case, appeals were unsuccessful, culminating in rejections by both the US appeal court and the US Supreme Court.
While the core details of this case have been in the public domain for years, recent developments within the courtroom have brought forth intriguing revelations. As part of the evidence presented, WhatsApp/Facebook disclosed several exhibits in October 2019, shedding light on previously undisclosed aspects. Of particular interest was a contract between an NSO Group reseller and the telecom regulator of Ghana, where hidden within Exhibit A-1 lay a list of “Features and Capabilities” offered by NSO Group.
Among the listed features, one entry stood out – “MMS Fingerprint”. This term, unfamiliar to industry experts, sparked curiosity and raised questions about its implications. A search yields little beyond the court case itself, indicating the novelty of this feature. While skepticism remains regarding the veracity of NSO Group’s claims, the inclusion of “MMS Fingerprint” in a contractual agreement lends credence to its authenticity.
The revelation of such intricacies within the Pegasus spyware ecosystem underscores the ongoing battle between surveillance technology companies and privacy advocates. The existence of undisclosed features like “MMS Fingerprint” serves as a stark reminder of the clandestine capabilities wielded by such entities. As scrutiny intensifies and legal battles persist, the need for transparency, accountability, and regulation in the surveillance industry becomes increasingly apparent.
In the quest to safeguard individual privacy and democratic principles, the unveiling of hidden features within Pegasus spyware provides valuable insights for policymakers, technologists, and the general public alike. It serves as a call to action, urging stakeholders to remain vigilant and proactive in addressing the ever-evolving challenges posed by surveillance technologies.
Deciphering the Mechanics of an MMS Fingerprint Attack
Delving deeper into the enigmatic realm of surveillance tactics, the concept of an MMS Fingerprint attack presents a perplexing puzzle. With scant technical details provided, deciphering its modus operandi poses a formidable challenge. However, by scrutinizing the available information and examining the intricacies of the MMS flow, we can begin to unravel its potential mechanisms.
The purported function of an MMS Fingerprint attack is to unveil the target device and its operating system (OS) version through the simple act of sending an MMS to the device. Crucially, this process requires no user interaction, engagement, or message opening, indicating a stealthy means of data extraction.
One notable observation is the inclusion of various OS platforms such as Blackberry, Android, and iOS, suggesting a platform-agnostic approach. This diminishes the likelihood of an OS-specific exploit and directs attention towards vulnerabilities within the MMS framework itself.
To comprehend the intricacies of the MMS Fingerprint attack, it is imperative to dissect the MMS flow. Contrary to its name, the attack may not be directly associated with the MMS protocol but rather exploits vulnerabilities within related processes. The MMS flow, characterized by its complexity and occasional deviation from conventional MMS usage, presents a fertile ground for such clandestine maneuvers.
In this context, it is conceivable that the attack leverages loopholes or weaknesses in auxiliary components of the MMS infrastructure to clandestinely extract device information. This could involve subverting communication channels or exploiting flaws in handling MMS-related data to bypass conventional security measures.
Furthermore, the ambiguity surrounding the utilization of MMS in the attack suggests a nuanced understanding of network protocols and communication pathways. It is plausible that the attack operates at a deeper level within the network stack, evading detection and interception by conventional security measures.
Ultimately, the elusive nature of the MMS Fingerprint attack underscores the inherent challenges in combating sophisticated surveillance tactics. As surveillance technology continues to evolve, it becomes imperative for security experts and policymakers to remain vigilant and proactive in addressing emerging threats to digital privacy and security.
In unraveling the mechanics of such clandestine maneuvers, we gain valuable insights into the intricacies of modern-day surveillance and the urgent need for robust defense mechanisms. Only through concerted efforts to understand, mitigate, and regulate surveillance technologies can we safeguard individual privacy and preserve the integrity of democratic principles in the digital age.
The Intricacies of MMS: Decoding the Complexities of Multimedia Messaging
Multimedia Messaging Service (MMS) stands as a cornerstone of modern communication, facilitating the exchange of multimedia content across mobile networks. Yet, beneath its seemingly straightforward facade lies a labyrinth of complexities and intricacies, often obscured from the casual observer. To shed light on the multifaceted nature of MMS, let us navigate through the various stages of an end-to-end MMS transfer.
- Content Creation: The MMS journey commences with the creation of multimedia content by the sender. This can range from images and videos to audio recordings and text messages. Once composed, the content is encoded into a format compatible with MMS standards.
- Submission to MMSC (Multimedia Messaging Service Center): Upon creation, the multimedia content is submitted by the sender’s mobile device to the sender’s MMSC. The MMSC serves as the central hub for processing and routing MMS messages within the mobile network.
- Routing and Address Resolution: The MMSC initiates the process of routing the MMS message to the recipient’s device. This involves resolving the recipient’s address and determining the optimal path for message delivery across the network.
- Transmission to Recipient’s MMSC: Once the recipient’s address is resolved, the MMS message is transmitted from the sender’s MMSC to the recipient’s MMSC. This inter-MMSC communication ensures seamless delivery across different network domains.
- Delivery to Recipient’s Device: Upon arrival at the recipient’s MMSC, the MMS message is queued for delivery to the recipient’s device. Depending on network conditions and recipient availability, the message may be delivered immediately or held for later retrieval.
- Recipient Acknowledgment: Once the MMS message reaches the recipient’s device, an acknowledgment is sent back to the sender’s MMSC, confirming successful delivery. This ensures accountability and provides feedback on the status of the message transmission.
- Content Retrieval and Display: Finally, the recipient accesses the multimedia content embedded within the MMS message. This may involve retrieving the content from the MMSC or directly from the message payload. The content is then displayed or played back on the recipient’s device, completing the MMS exchange.
While the above stages outline a typical end-to-end MMS transfer, it is essential to recognize that the MMS flow can deviate from conventional norms. In some instances, what appears to be an MMS message may not adhere strictly to MMS protocols. Factors such as network configurations, device compatibility, and messaging applications can introduce variations in the MMS flow, blurring the distinction between traditional MMS exchanges and alternative communication mechanisms.
1. Initially, the MMS message is submitted by the sender’s mobile device in an MM1_submit.REQ to the sender’s MMSC.
2. This is then forwarded by the sender’s MMSC to the recipient’s MMSC over the MM4 interface, using an MM4_forward.REQ. As a side note, this differs from SMS, where the sender’s SMSC is responsible for both submission and delivery, so straight away things are more complex.
3. The recipient’s MMSC then notifies the recipient device that an MMS is waiting for it via an MM1_notification.REQ.
4. The recipient then retrieves the waiting MMS from its MMSC via an MM1_retrieve.REQ and MM1_retrieve.RES.
5. The later stages involve a delivery report being sent to the sender’s MMSC and sender device once the MMS has been retrieved.
6. Finally, an (optional) read report is sent to the sender’s MMSC and sender device once the MMS has been read.
Unraveling the Complexity of MMS: The Intricacies of Notification and Retrieval
As we delve deeper into the inner workings of Multimedia Messaging Service (MMS), we encounter a realm of complexities that defy conventional understanding. One such intricacy lies in the mechanisms employed to notify recipients of pending MMS messages and retrieve their content, revealing a fascinating interplay between technical innovation and practical necessity.
When MMS standards were initially devised, designers faced the challenge of notifying recipients about pending messages without assuming universal MMS compatibility among devices. Moreover, they sought to minimize unnecessary data channel connections on recipient devices. The solution came in the form of MM1_notification.REQ, a special kind of Short Message Service (SMS) message: a binary SMS carrying a WSP Push.
MM1_notification.REQ serves as a discreet yet effective means of notifying recipient devices of pending MMS messages. By leveraging the ubiquity of SMS support across mobile devices, this mechanism ensures widespread compatibility while minimizing data channel usage. Notably, recipient devices are paged over SMS, only connecting to the data channel upon successful notification.
However, the journey doesn’t end with notification. Subsequent to MM1_notification.REQ, the process of retrieving MMS content unfolds through MM1_retrieve.REQ. Unlike the notification, which travels over SMS, MM1_retrieve.REQ takes the form of a Hypertext Transfer Protocol (HTTP) GET request to the URL specified in the X-MMS-Content-Location field of the preceding notification.
Herein lies a pivotal juncture where targeted device information may be inadvertently disclosed. As recipient devices initiate HTTP GET requests to retrieve MMS content from the Multimedia Messaging Service Center (MMSC), user device information is embedded within the request. This critical exchange serves as a potential point of vulnerability, where the clandestine extraction of device information, colloquially termed the “MMS Fingerprint,” may occur.
The inclusion of user device information within HTTP GET requests underscores the intricate nature of MMS retrieval mechanisms. While designed to facilitate seamless content delivery, this process inadvertently exposes recipients to potential privacy risks, highlighting the delicate balance between convenience and security in modern communication protocols.
As we navigate the complexities of MMS notification and retrieval, it becomes imperative to scrutinize the underlying mechanisms and safeguard against potential vulnerabilities. By fostering a deeper understanding of these intricacies, we empower individuals and organizations to navigate the evolving landscape of digital communication with vigilance and resilience.
In the ongoing pursuit of privacy and security, unraveling the complexities of MMS serves as a vital step towards fortifying our digital infrastructure and preserving the integrity of personal data in an increasingly interconnected world.
Unveiling the Significance of MMS Fingerprinting: Understanding the Implications
In the pursuit of uncovering the intricacies of the MMS Fingerprint attack, researchers embarked on a journey of experimentation and analysis, ultimately shedding light on its potential ramifications. Through a series of tests utilizing sample SIM cards from a Western European operator, researchers successfully executed MM1_notification.REQs (binary SMSs), directing recipients to a controlled web server. The subsequent HTTP GET requests triggered by the reception of these notifications exposed crucial device information, including the UserAgent and x-wap-profile fields.
The significance of this revelation lies in the exploitation of device-specific identifiers embedded within MMS transmissions. The UserAgent, a string that typically delineates the operating system and device, offers valuable insights into the recipient’s device characteristics. Likewise, the x-wap-profile field points to a UAProf (User Agent Profile) file detailing the device’s capabilities.
While seemingly innocuous, this information holds immense value for malicious actors seeking to exploit vulnerabilities or tailor attacks to specific device types. By leveraging knowledge of the recipient’s device characteristics, attackers can craft targeted exploits, such as the notorious Pegasus exploit, with heightened precision. Furthermore, this data can facilitate the orchestration of sophisticated phishing campaigns, maximizing the effectiveness of social engineering tactics.
The prevalence of surveillance companies’ interest in obtaining device information underscores the utility of such data in malicious endeavors. Past observations have revealed a predilection among attackers for acquiring device identifiers like the IMEI, alongside location information. However, the UserAgent gleaned from MMS transmissions presents a more dynamic and actionable source of intelligence, reflecting the software environment and installed applications on the device.
It is essential to distinguish the MMS UserAgent from its browser counterpart, as they serve distinct purposes and offer unique insights into device characteristics. While both strings identify devices accessing online content, the MMS UserAgent delves deeper into the software ecosystem of the device, presenting a nuanced perspective for exploitation.
As we confront the implications of MMS Fingerprinting, it becomes imperative to prioritize privacy and security measures to mitigate potential risks. By raising awareness of the underlying vulnerabilities and the value of device-specific information, we empower individuals and organizations to bolster their defenses against evolving threats in the digital landscape.
In the relentless pursuit of innovation and connectivity, let us not overlook the inherent risks posed by exploitative practices. Through vigilance, education, and proactive measures, we can navigate the complexities of modern communication while safeguarding the integrity of personal data and preserving the principles of privacy and security.
Figure: Initial attack, MM1_notification.ind (MM1_notification.REQ) sent to the target.
Figure: Subsequent MM1_retrieve.REQ (HTTP GET) received from the targeted handset; target device information highlighted in yellow.
Mitigating MMS Fingerprint Attacks: Strengthening Defenses at Device and Network Levels
As the specter of MMS Fingerprint attacks looms large, fortifying defenses against such exploits becomes paramount. Blocking MM1_notification.REQ attacks is not especially difficult in itself, but mitigating the risk effectively requires a multi-pronged approach at both the device and the network level.
At the device level, mobile subscribers have a degree of control over their exposure to MMS Fingerprint attacks. One potential safeguard is to disable MMS auto-retrieval on the handset, so that a malicious notification no longer triggers an automatic connection from the device. Although this offers a measure of protection, its effectiveness varies with device configuration and with whether the setting is actually exposed to the user. Nevertheless, giving subscribers the knowledge and means to apply this safeguard provides an initial line of defense against intrusive exploits.
However, the onus of defense primarily falls upon mobile network operators. While many operators filter outgoing Binary SMS/MM1_notification messages, inbound message handling remains a potential vulnerability. Historically, some intercarrier MMS handling systems routed messages via MM1 notifications, bypassing traditional filtering mechanisms, so an operator must assess its own interconnect traffic thoroughly before blocking inbound MM1_notification messages wholesale. Guidance from industry bodies, such as the GSMA’s FS.42 document, offers invaluable recommendations for enhancing messaging security and thwarting Binary SMS attacks.
Beyond blocking the notification itself, operators can limit what a notification that does get through can achieve. Restricting internet access from handsets via the MMS ports, so that retrieval traffic cannot reach attacker-controlled IP addresses, neutralizes the impact of any MMS notification that evades filtering and bolsters network resilience against exploitation.
Moreover, considerations extend to outbound roaming subscribers, necessitating comprehensive solutions that encompass diverse network environments and user behaviors. Robust messaging security solutions should seamlessly integrate inbound message blocking while accommodating the dynamic nature of mobile communications.
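As an added example (not code from this article or from Enea’s research), the following Python decodes the binary MM1_notification.REQ that an MMSC delivers to a handset inside a WAP push SMS and applies the check an operator-side inbound filter would: it extracts the X-Mms-Content-Location URL and rejects notifications whose retrieval host is not one of the operator’s own MMSCs. Field codes follow the OMA MMS Encapsulation and WSP specifications; the MMSC hostname, the allowlist and the two sample PDUs are constructed for the example.

```python
"""Decode an M-Notification.ind carried by WAP push SMS and flag retrieval URLs
that do not point at the operator's own MMSC (OMA MMS Encapsulation / WSP)."""
from urllib.parse import urlsplit

# MMS header field codes: spec value with the high bit set.
MSG_TYPE, TX_ID, VERSION, FROM = 0x8C, 0x98, 0x8D, 0x89
MSG_CLASS, MSG_SIZE, EXPIRY, CONTENT_LOC = 0x8A, 0x8E, 0x88, 0x83
M_NOTIFICATION_IND, WSP_PUSH, CT_MMS_MESSAGE = 0x82, 0x06, 0xBE  # msg type; push PDU; vnd.wap.mms-message

def _uintvar(buf, i):
    """WSP uintvar: 7 payload bits per byte, high bit means 'more follows'."""
    val = 0
    while True:
        b, i = buf[i], i + 1
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            return val, i

def _value_length(buf, i):  # short-length (0..30) or 31 followed by a uintvar
    return (buf[i], i + 1) if buf[i] < 31 else _uintvar(buf, i + 1)

def _text(buf, i):  # null-terminated text-string
    end = buf.index(b"\x00", i)
    return buf[i:end].decode("ascii", "replace"), end + 1

def parse_notification(pdu: bytes) -> dict:
    """Walk the WSP push envelope, then the MMS headers; return them keyed by code."""
    hdr_len, i = _uintvar(pdu, 2)          # byte 0: transaction id, byte 1: PDU type
    if pdu[1] != WSP_PUSH or pdu[i] != CT_MMS_MESSAGE:
        raise ValueError("not a WSP push carrying an MMS message")
    i += hdr_len                           # skip content type + other WSP headers
    out = {}
    while i < len(pdu):
        f, i = pdu[i], i + 1
        if f in (TX_ID, CONTENT_LOC) or (f == MSG_CLASS and pdu[i] < 0x80):
            out[f], i = _text(pdu, i)
        elif f in (MSG_TYPE, VERSION, MSG_CLASS):
            out[f], i = pdu[i], i + 1      # short-integer, high bit set
        elif f == MSG_SIZE:                # long-integer: byte count, then bytes
            n = pdu[i]
            out[f], i = int.from_bytes(pdu[i + 1:i + 1 + n], "big"), i + 1 + n
        elif f in (FROM, EXPIRY):          # value-length prefixed; skipped here
            n, i = _value_length(pdu, i)
            i += n
        else:
            raise ValueError(f"unsupported header 0x{f:02X}")
    if out.get(MSG_TYPE) != M_NOTIFICATION_IND:
        raise ValueError("not an M-Notification.ind")
    return out

def classify(pdu: bytes, mmsc_hosts: set) -> str:
    """'allow' when the retrieval host is a known MMSC, otherwise 'block'."""
    host = urlsplit(parse_notification(pdu)[CONTENT_LOC]).hostname
    return "allow" if host in mmsc_hosts else "block"

# Constructed test vectors: WAP push header, then a minimal notification that
# ends with the X-Mms-Content-Location code; the URL text-string follows.
_HEAD = bytes.fromhex("00 06 03 BE AF 84 8C 82 98 54 31 00 8D 90 89 01 81 "
                      "8A 80 8E 02 10 00 88 03 81 01 3C 83")
SAMPLE_LEGIT = _HEAD + b"http://mmsc.operator.example/m?id=1\x00"
SAMPLE_SUSPECT = _HEAD + b"http://203.0.113.9/x\x00"
```

A real filter would also want to log the rejected transaction ID and message size, both of which parse_notification already returns.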
In navigating the evolving landscape of mobile security, collaboration and knowledge-sharing among industry stakeholders emerge as linchpins of effective defense strategies. By harnessing collective expertise and leveraging best practices, mobile operators can fortify their networks against emerging threats and safeguard subscriber privacy and security.
As we confront the challenges posed by MMS Fingerprint attacks, proactive measures and continuous vigilance remain indispensable in preserving the integrity of mobile communications infrastructure. Through concerted efforts and strategic interventions, we can uphold the trust and confidence of mobile subscribers while mitigating the risks of exploitation in an ever-evolving digital ecosystem.
APPENDIX 2 – WhatsApp Security Advisories
CVE | Published | Last Update | Max CVSS Base Score | EPSS Score | CISA KEV Added | Public Exploit Exists | Summary
CVE-2023-38538 | 04/10/2023 | 10/10/2023 | 5.0 | 0.05% | | | A race condition in an event subsystem led to a heap use-after-free issue in established audio/video calls that could have resulted in app termination or unexpected control flow with very low probability.
CVE-2023-38537 | 04/10/2023 | 10/10/2023 | 5.6 | 0.05% | | | A race condition in a network transport subsystem led to a heap use-after-free issue in established or unsilenced incoming audio/video calls that could have resulted in app termination or unexpected control flow with very low probability.
CVE-2022-36934 | 22/09/2022 | 24/09/2022 | 9.8 | 0.39% | | | An integer overflow in WhatsApp could result in remote code execution in an established video call.
CVE-2022-27492 | 23/09/2022 | 23/09/2022 | 7.8 | 0.09% | | | An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file.
CVE-2021-24043 | 02/02/2022 | 07/02/2022 | 9.1 | 0.14% | | | A missing bound check in RTCP flag parsing code prior to WhatsApp for Android v2.21.23.2, WhatsApp Business for Android v2.21.23.2, WhatsApp for iOS v2.21.230.6, WhatsApp Business for iOS 2.21.230.7, and WhatsApp Desktop v2.2145.0 could have allowed an out-of-bounds heap read if a user sent a malformed RTCP packet during an established call.
CVE-2021-24042 | 04/01/2022 | 14/01/2022 | 9.8 | 0.10% | | | The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, WhatsApp Desktop prior to v2.2146 could have allowed an out-of-bounds write if a user makes a 1:1 call to a malicious actor.
CVE-2021-24041 | 07/12/2021 | 08/12/2021 | 9.8 | 0.20% | | | A missing bounds check in image blurring code prior to WhatsApp for Android v2.21.22.7 and WhatsApp Business for Android v2.21.22.7 could have allowed an out-of-bounds write if a user sent a malicious image.
CVE-2021-24035 | 11/06/2021 | 21/06/2021 | 9.1 | 0.10% | | | A lack of filename validation when unzipping archives prior to WhatsApp for Android v2.21.8.13 and WhatsApp Business for Android v2.21.8.13 could have allowed path traversal attacks that overwrite WhatsApp files.
CVE-2021-24027 | 06/04/2021 | 30/08/2022 | 7.5 | 0.17% | | | A cache configuration issue prior to WhatsApp for Android v2.21.4.18 and WhatsApp Business for Android v2.21.4.18 may have allowed a third party with access to the device’s external storage to read cached TLS material.
CVE-2021-24026 | 06/04/2021 | 15/04/2021 | 10.0 | 0.22% | | | A missing bounds check within the audio decoding pipeline for WhatsApp calls in WhatsApp for Android prior to v2.21.3, WhatsApp Business for Android prior to v2.21.3, WhatsApp for iOS prior to v2.21.32, and WhatsApp Business for iOS prior to v2.21.32 could have allowed an out-of-bounds write.
CVE-2020-20096 | 23/03/2022 | 30/03/2022 | 6.5 | 0.17% | | | Whatsapp iOS 2.19.80 and prior and Android 2.19.222 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.
CVE-2020-1910 | 02/02/2021 | 08/02/2021 | 7.8 | 0.06% | | | A missing bounds check in WhatsApp for Android prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13 could have allowed out-of-bounds read and write if a user applied specific image filters to a specially crafted image and sent the resulting image.
CVE-2020-1909 | 03/11/2020 | 06/11/2020 | 9.8 | 0.31% | | | A use-after-free in a logging library in WhatsApp for iOS prior to v2.20.111 and WhatsApp Business for iOS prior to v2.20.111 could have resulted in memory corruption, crashes and potentially code execution. This could have happened only if several events occurred together in sequence, including receiving an animated sticker while placing a WhatsApp video call on hold.
CVE-2020-1908 | 03/11/2020 | 13/11/2020 | 4.6 | 0.06% | | | Improper authorization of the Screen Lock feature in WhatsApp and WhatsApp Business for iOS prior to v2.20.100 could have permitted use of Siri to interact with the WhatsApp application even after the phone was locked.
CVE-2020-1907 | 06/10/2020 | 15/10/2020 | 9.8 | 0.54% | | | A stack overflow in WhatsApp for Android prior to v2.20.196.16, WhatsApp Business for Android prior to v2.20.196.12, WhatsApp for iOS prior to v2.20.90, WhatsApp Business for iOS prior to v2.20.90, and WhatsApp for Portal prior to v173.0.0.29.505 could have allowed arbitrary code execution when parsing the contents of an RTP Extension header.
CVE-2020-1906 | 06/10/2020 | 13/10/2020 | 7.8 | 0.04% | | | A buffer overflow in WhatsApp for Android prior to v2.20.130 and WhatsApp Business for Android prior to v2.20.46 could have allowed an out-of-bounds write when processing malformed local videos with E-AC-3 audio streams.
CVE-2020-1905 | 06/10/2020 | 13/10/2020 | 4.3 | 0.06% | | | Media ContentProvider URIs used for opening attachments in other apps were generated sequentially prior to WhatsApp for Android v2.20.185, which could have allowed a malicious third party app chosen to open the file to guess the URIs for previously opened attachments until the opener app is terminated.
CVE-2020-1904 | 06/10/2020 | 05/02/2022 | 5.5 | 0.05% | | | A path validation issue in WhatsApp for iOS prior to v2.20.61 and WhatsApp Business for iOS prior to v2.20.61 could have allowed for directory traversal overwriting files when sending specially crafted docx, xlsx, and pptx files as attachments to messages.
CVE-2020-1903 | 06/10/2020 | 19/10/2020 | 5.5 | 0.06% | | | An issue when unzipping docx, pptx, and xlsx documents in WhatsApp for iOS prior to v2.20.61 and WhatsApp Business for iOS prior to v2.20.61 could have resulted in an out-of-memory denial of service. This issue would have required the receiver to explicitly open the attachment if it was received from a number not in the receiver’s WhatsApp contacts.
CVE-2020-1902 | 06/10/2020 | 14/09/2021 | 7.5 | 0.17% | | | A user running a quick search on a highly forwarded message on WhatsApp for Android from v2.20.108 to v2.20.140 or WhatsApp Business for Android from v2.20.35 to v2.20.49 could have been sent to the Google service over plain HTTP.
CVE-2020-1901 | 06/10/2020 | 15/10/2020 | 5.3 | 0.09% | | | Receiving a large text message containing URLs in WhatsApp for iOS prior to v2.20.91.4 could have caused the application to freeze while processing the message.
CVE-2020-1894 | 03/09/2020 | 11/09/2020 | 8.8 | 0.26% | | | A stack write overflow in WhatsApp for Android prior to v2.20.35, WhatsApp Business for Android prior to v2.20.20, WhatsApp for iPhone prior to v2.20.30, and WhatsApp Business for iPhone prior to v2.20.30 could have allowed arbitrary code execution when playing a specially crafted push to talk message.
CVE-2020-1891 | 03/09/2020 | 11/09/2020 | 9.8 | 0.22% | | | A user controlled parameter used in video call in WhatsApp for Android prior to v2.20.17, WhatsApp Business for Android prior to v2.20.7, WhatsApp for iPhone prior to v2.20.20, and WhatsApp Business for iPhone prior to v2.20.20 could have allowed an out-of-bounds write on 32-bit devices.
CVE-2020-1890 | 03/09/2020 | 11/09/2020 | 7.5 | 0.08% | | | A URL validation issue in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 could have caused the recipient of a sticker message containing deliberately malformed data to load an image from a sender-controlled URL without user interaction.
CVE-2020-1886 | 03/09/2020 | 11/09/2020 | 8.8 | 0.22% | | | A buffer overflow in WhatsApp for Android prior to v2.20.11 and WhatsApp Business for Android prior to v2.20.2 could have allowed an out-of-bounds write via a specially crafted video stream after receiving and answering a malicious video call.
CVE-2019-18426 | 21/01/2020 | 31/01/2023 | 8.2 | 0.94% | 23/05/2022 | | A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.
CVE-2019-11933 | 23/10/2019 | 14/09/2021 | 9.8 | 1.04% | | | A heap buffer overflow bug in libpl_droidsonroids_gif before 1.2.19, as used in WhatsApp for Android before version 2.19.291 could allow remote attackers to execute arbitrary code or cause a denial of service.
CVE-2019-11932 | 03/10/2019 | 01/03/2023 | 8.8 | 3.75% | | | A double free vulnerability in the DDGifSlurp function in decoding.c in the android-gif-drawable library before version 1.2.18, as used in WhatsApp for Android before version 2.19.244 and many other Android applications, allows remote attackers to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image.
CVE-2019-11931 | 14/11/2019 | 19/11/2019 | 7.8 | 0.08% | | | A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Business for Android versions prior to 2.19.104 and Business for iOS versions prior to 2.19.100.
CVE-2019-11927 | 27/09/2019 | 08/10/2020 | 7.8 | 0.26% | | | An integer overflow in WhatsApp media parsing libraries allows a remote attacker to perform an out-of-bounds write on the heap via specially-crafted EXIF tags in WEBP images. This issue affects WhatsApp for Android before version 2.19.143 and WhatsApp for iOS before version 2.19.100.
CVE-2019-3571 | 16/07/2019 | 09/10/2019 | 5.3 | 0.08% | | | An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.
CVE-2019-3568 | 14/05/2019 | 13/08/2019 | 9.8 | 2.52% | 19/04/2022 | | A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
CVE-2019-3566 | 10/05/2019 | 14/09/2021 | 5.9 | 0.12% | | | A bug in WhatsApp for Android’s messaging logic would potentially allow a malicious individual who has taken over a WhatsApp user’s account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 – 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38.
CVE-2018-20655 | 14/06/2019 | 18/09/2020 | 9.8 | 0.44% | | | When receiving calls using WhatsApp for iOS, a missing size check when parsing a sender-provided packet allowed for a stack-based overflow. This issue affects WhatsApp for iOS prior to v2.18.90.24 and WhatsApp Business for iOS prior to v2.18.90.24.
CVE-2018-6350 | 14/06/2019 | 18/06/2019 | 9.8 | 0.24% | | | An out-of-bounds read was possible in WhatsApp due to incorrect parsing of RTP extension headers. This issue affects WhatsApp for Android prior to 2.18.276, WhatsApp Business for Android prior to 2.18.99, WhatsApp for iOS prior to 2.18.100.6, WhatsApp Business for iOS prior to 2.18.100.2, and WhatsApp for Windows Phone prior to 2.18.224.
CVE-2018-6349 | 14/06/2019 | 21/09/2020 | 9.8 | 0.44% | | | When receiving calls using WhatsApp for Android, a missing size check when parsing a sender-provided packet allowed for a stack-based overflow. This issue affects WhatsApp for Android prior to 2.18.248 and WhatsApp Business for Android prior to 2.18.132.
CVE-2018-6344 | 31/12/2018 | 18/09/2020 | 7.5 | 0.22% | | | A heap corruption in WhatsApp can be caused by a malformed RTP packet being sent after a call is established. The vulnerability can be used to cause denial of service. It affects WhatsApp for Android prior to v2.18.293, WhatsApp for iOS prior to v2.18.93, and WhatsApp for Windows Phone prior to v2.18.172.
CVE-2018-6339 | 14/06/2019 | 09/10/2019 | 9.8 | 0.19% | | | When receiving calls using WhatsApp on Android, a stack allocation failed to properly account for the amount of data being passed in. An off-by-one error meant that data was written beyond the allocated space on the stack. This issue affects WhatsApp for Android starting in version 2.18.180 and was fixed in version 2.18.295. It also affects WhatsApp Business for Android starting in version v2.18.103 and was fixed in version v2.18.150.
CVE-2017-8769 | 18/05/2017 | 04/10/2019 | 4.6 | 0.07% | | | ** DISPUTED ** Facebook WhatsApp Messenger before 2.16.323 for Android uses the SD card for cleartext storage of files (Audio, Documents, Images, Video, and Voice Notes) associated with a chat, even after that chat is deleted. There may be users who expect file deletion to occur upon chat deletion, or who expect encryption (consistent with the application’s use of an encrypted database to store chat text). NOTE: the vendor reportedly indicates that they do not “consider these to be security issues” because a user may legitimately want to preserve any file for use “in other apps like the Google Photos gallery” regardless of whether its associated chat is deleted.
Reference: https://www.enea.com/insights/dusting-off-old-fingerprints-nso-groups-unknown-mms-hack/
Copyright of debuglies.com
Even partial reproduction of the contents is not permitted without prior authorization – Reproduction reserved