WhatsApp disclosed yesterday afternoon (WhatsApp security advisory CVE-2019-3568) a buffer overflow vulnerability in the application's voice-call feature that, on the disclosed analysis, was being actively exploited to install NSO Group's Pegasus mobile implant on victims' devices via a specially crafted SRTP packet sent during voice-call setup. Exploitation did not require the victim to answer the call; the call needed only to ring on the victim's phone. The Citizen Lab at the University of Toronto has corroborated the disclosure with specific case-study material: the human-rights lawyer Yousef al-Jamri, the Amnesty International researcher Danna Ingleton, and several other identifiable target categories (Citizen Lab WhatsApp/NSO post, May 13).
The technical content is operationally sophisticated and politically specific. The exploit is a buffer overflow in the WhatsApp client's parsing of incoming SRTP packets during call setup. The overflow allows controlled writes to memory adjacent to the parsing buffer, and from there, given memory-layout assumptions specific to the target operating system version, code execution in the WhatsApp process is achievable. The implant, Pegasus, is NSO Group's commercial mobile-surveillance product; it provides comprehensive access to the device, including microphone and camera activation, message and call interception, location tracking, and access to the phone's stored data. On the public reporting, the implant is sold to government customers under various contractual restrictions, and the same reporting gives substantial reason to doubt that those restrictions are enforced in practice.
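The defensive counterpart to the parsing bug described above is a parser that checks every attacker-controlled length field against the bytes actually received before reading further. The following is an added example written for this page, not WhatsApp's code: a bounds-checked parser for the RFC 3550 RTP header that SRTP reuses, with two constructed sample packets. It makes no claim about which field or buffer the actual CVE-2019-3568 defect involved.

```c
#include <stddef.h>
#include <stdint.h>
#define RTP_FIXED_HDR 12               /* RFC 3550 fixed header, reused by SRTP (RFC 3711) */
#define RTP_MAX_CSRC  15               /* CC is a 4-bit field, so at most 15 CSRC entries */

struct rtp_hdr {
    uint8_t  csrc_count;
    uint32_t ssrc;
    uint32_t csrc[RTP_MAX_CSRC];
    size_t   payload_off;              /* offset where the (encrypted) payload begins */
};
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* Returns 0 on success, -1 on a malformed packet. Each field that decides how much more
 * to read (CSRC count, extension length) is checked against the bytes remaining first. */
int rtp_parse(const uint8_t *pkt, size_t len, struct rtp_hdr *h) {
    if (pkt == NULL || h == NULL || len < RTP_FIXED_HDR) return -1;
    *h = (struct rtp_hdr){0};
    if ((pkt[0] >> 6) != 2) return -1;                    /* RTP version must be 2 */
    int has_ext   = (pkt[0] >> 4) & 1;
    h->csrc_count = pkt[0] & 0x0f;
    h->ssrc       = be32(pkt + 8);
    size_t off = RTP_FIXED_HDR;
    if (len - off < (size_t)h->csrc_count * 4) return -1; /* does the CSRC list fit? */
    for (unsigned i = 0; i < h->csrc_count; i++, off += 4)
        h->csrc[i] = be32(pkt + off);
    if (has_ext) {                                        /* RFC 3550 section 5.3.1 */
        if (len - off < 4) return -1;
        size_t ext_words = (size_t)(pkt[off + 2] << 8 | pkt[off + 3]);
        off += 4;
        if (len - off < ext_words * 4) return -1;         /* does the extension fit? */
        off += ext_words * 4;
    }
    h->payload_off = off;
    return 0;
}

/* Constructed sample: 12 bytes whose first octet (0x8f) claims 15 CSRCs. The 60 bytes of
 * CSRC data are not present, so the parser must return -1 instead of reading past the end. */
int example_truncated_csrc(void) {
    static const uint8_t pkt[RTP_FIXED_HDR] = {0x8f, 0, 0, 1, 0, 0, 0, 0, 0xde, 0xad, 0xbe, 0xef};
    struct rtp_hdr h;
    return rtp_parse(pkt, sizeof pkt, &h);
}
/* Constructed sample: one CSRC, no extension; the payload therefore starts at offset 16. */
int example_valid_payload_offset(void) {
    static const uint8_t pkt[16] = {0x81, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 2};
    struct rtp_hdr h;
    return rtp_parse(pkt, sizeof pkt, &h) == 0 ? (int)h.payload_off : -1;
}
```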
The commercial-offensive-market question is the structural concern. NSO Group is the most prominent of a category of companies (Hacking Team until its 2015 leak, Gamma International / FinFisher, Cellebrite for forensic-extraction-style tooling, and several smaller entrants) whose business model is the development and sale of offensive cyber capability to government customers. The market has been documented for years; the WhatsApp case is the operational demonstration that the market's products are being deployed against widely used consumer infrastructure with sustained effectiveness. The implication for the customer-organisation threat model is that any consumer messaging or communication platform is, in 2019, within the targeting scope of state-grade adversaries with commercial-grade offensive capability.
For the customer briefings, the WhatsApp case has produced two specific conversations. The first is the executive-protection question: high-profile customer-organisation executives whose communications include politically or commercially sensitive content are, on the case-study evidence, in the targeting population. The defensive measures available are limited: keep the messaging app patched, prefer hardware-token-based MFA where authentication is required, segregate executive communications onto dedicated devices that are not the executives' personal phones, and accept that no consumer-grade messaging platform offers comprehensive protection against this threat model. The second conversation is about the broader trust model for consumer-grade communication tools in business contexts: the line between "this is good enough for ordinary business" and "this requires platform-level defensive posture" is a customer-organisation policy decision, and the WhatsApp case should sharpen it.
For the wider strategic point, the post-Hacking-Team market visibility of 2015 has, four years on, been supplemented by post-WhatsApp / post-Citizen-Lab visibility into how the market's products are operationally deployed. The pattern is that the commercial offensive market continues to develop, that the political restrictions on its sale and use are limited and not consistently enforced, and that the targets include not only national-security adversaries but also journalists, human-rights advocates, and political opposition figures in the customer government's domestic context. The ethical and policy questions about the market are the subject of substantial international discussion (the UN Special Rapporteur reports on surveillance, the various human-rights NGO reporting, the litigation NSO Group is now facing from WhatsApp itself in the US courts), and the conversation is going to develop substantially over the next several years.
I will return to this. The longer-form essay file gains another entry.