Check Point researchers recently discovered a vulnerability in the WhatsApp Web application that allows an attacker to take control of a user's computer by sending a file that looks like a vCard.
Check Point security researchers have recently discovered vulnerabilities in the WhatsApp Web application. An attacker could compromise a user's computer by sending what appears to be a vCard contact card but is in fact an executable file, exposing the PC to malware and phishing attacks.
WhatsApp Web, a web-based extension of the WhatsApp application on a phone, mirrors all messages sent and received and fully synchronises the phone with the desktop computer, so that users can see all messages on both devices.
WhatsApp Web is available for most WhatsApp supported platforms, including Android, iPhone (iOS), Windows Phone 8.x, BlackBerry, BB10 and Nokia smartphones. In September 2015, WhatsApp announced they had reached 900 million active users a month. At least 200M are estimated to use the WhatsApp Web interface, considering publicly available web traffic statistics.
Check Point security researcher Kasif Dekel recently discovered significant vulnerabilities which exploit the WhatsApp Web logic and allow attackers to trick victims into executing arbitrary code on their machines in a new and sophisticated way. All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code. Once opened, the alleged contact is revealed to be an executable file, further compromising the computer by distributing bots, ransomware, RATs and other malware.
To target an individual, all an attacker needs is the phone number associated with the account.
WhatsApp verified and acknowledged the security issue and has deployed the fix in web clients worldwide. To make sure you are protected, update your WhatsApp Web right now.
Check Point shared its discovery to WhatsApp on August 21, 2015. On August 27, WhatsApp rolled out the initial fix (in all versions greater than 0.1.4481) and blocked that particular feature.
WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards.
The vulnerability lies in improper filtering of contact cards, which are sent using the popular vCard format.
Here is a screenshot of a possible contact vCard sent by a malicious user:
As you can see, this message (contact card) appears legitimate, like any other contact card; most users would click it immediately without giving it a second thought.
The consequence of this innocent action is the download of a file that can run arbitrary code on the victim's machine:
An Initial Hole
During Kasif’s research, he found that by manually intercepting and crafting XMPP requests to the WhatsApp servers, it was possible to control the file extension of the contact card file.
He first changed the file extension to .BAT, which indicates a Windows batch (executable script) file:
This means, once the victim clicks the downloaded file (which he assumes is a contact card), the code inside the batch file runs on his computer.
Let’s see what’s inside the downloaded file (i.e. the batch file):
This is a standard vCard format. To run malicious code, Kasif found that an attacker could simply inject a command into the name attribute of the vCard, separated from the name by the '&' character. When the file is executed as a batch script, Windows attempts to run every line in the file: the ordinary vCard lines fail as unrecognised commands, but cmd.exe treats '&' as a command separator, so the injected command after it runs.
Further research showed that no XMPP interception or crafting is needed for this attack, since any user can create such a contact, with the payload injected into the name, on their phone; no hacking tools are necessary:
Once such a contact is created, all an attacker has to do is share it via the normal WhatsApp client.
But can we take it to the next level? Could we possibly discover a way to share malicious PE (.exe) files through WhatsApp’s default sharing features (no external links)?
To answer that, we have to examine WhatsApp’s communication protocols; WhatsApp uses a customised version of the open standard Extensible Messaging and Presence Protocol (XMPP).
This is how vCard messages appear over-the-wire (with some reconstruction) when sent using WhatsApp’s protocol:
· NUMBER/GROUPID: the victim's number or group ID
· ID: the message ID
· TIMESTAMP: the timestamp of the sender's device
· FILENAME: the vCard file name, <something>.exe
· FILEDATA: the raw data of the file
We were surprised to find that WhatsApp fails to perform any validation on the vCard format or the contents of the file, and indeed when we placed an exe file in this request, the WhatsApp Web client happily let us download the PE file in all its glory:
But wait, there’s more! Clever attackers can exploit this in more devious scenarios, using the displayed icon to enrich the scam:
This simple trick opened up a vast world of opportunity for cybercriminals and scammers, in effect allowing easy "WhatsApp phishing". Mass exploitation of this vulnerability could have affected millions of users who would not have realised the malicious nature of the attachment.
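The following Python script is an added example, not code from Check Point's report or from WhatsApp; it illustrates the two mechanics described above: how cmd.exe would read a vCard that has been saved with a .bat extension (the "An Initial Hole" injection), and the validation a client should apply before offering a sender-supplied "contact card" for download (the missing checks on the vCard request). The sample vCard, the 'calc.exe' payload and all function names are constructed for this example.

```python
"""Batch-file view of an injected vCard, and the attachment checks that
would have blocked the attack. All inputs below are constructed samples."""
import re

# Constructed vCard with an attacker-controlled command spliced into the FN
# (formatted name) attribute after '&'. 'calc.exe' stands in for any payload.
INJECTED_VCARD = (
    "BEGIN:VCARD\r\n"
    "VERSION:3.0\r\n"
    "N:Smith;John;;;\r\n"
    "FN:John Smith & calc.exe\r\n"
    "TEL;TYPE=CELL:+27000000000\r\n"
    "END:VCARD\r\n"
)

# A vCard content line is NAME[;PARAMS]:VALUE (RFC 6350, section 3.3).
PROPERTY_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(?:;[^:]*)?:")
# cmd.exe operators that let a value run something other than the command
# the line started with.
SHELL_META = re.compile(r"[&|<>^]")


def batch_commands(text):
    """Approximate how cmd.exe splits a file into commands when it is run as
    a .bat file: one command per line, and an unescaped '&' starts another
    command on the same line. 'BEGIN:VCARD' or 'FN:John Smith' simply fail
    as unrecognised commands and execution continues, so the command spliced
    in after '&' still runs. Quoting and '^' escaping are ignored here."""
    commands = []
    for line in text.splitlines():
        for part in line.split("&"):
            part = part.strip()
            if part:
                commands.append(part)
    return commands


def validate_contact_attachment(filename, data):
    """Checks a client should make before offering a 'contact card' for
    download. Returns (ok, reason). The sender must not control the file
    extension (only .vcf is accepted), the payload must be text, and it must
    be structurally a vCard; a PE file or a renamed batch script is rejected."""
    if not filename.lower().endswith(".vcf"):
        return False, "extension is not .vcf"
    if data[:2] == b"MZ":
        return False, "payload is a PE executable"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "payload is not UTF-8 text"
    lines = [l for l in text.splitlines() if l != ""]
    if (not lines or lines[0].upper() != "BEGIN:VCARD"
            or lines[-1].upper() != "END:VCARD"):
        return False, "missing BEGIN:VCARD/END:VCARD envelope"
    if not any(l.upper().startswith("VERSION:") for l in lines):
        return False, "missing VERSION property"
    for line in lines[1:-1]:
        if line[0] in " \t":  # folded continuation line (RFC 6350, section 3.2)
            continue
        if not PROPERTY_LINE.match(line):
            return False, "malformed property line: %r" % line
    return True, "ok"


def suspicious_values(text):
    """Detection heuristic: property values containing cmd.exe metacharacters.
    A legitimate name can contain '&', so this is a signal to review rather
    than a verdict; the hard control is the extension check above."""
    hits = []
    for line in text.splitlines():
        if ":" not in line or line[0] in " \t":
            continue
        name, value = line.split(":", 1)
        if SHELL_META.search(value):
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    print("cmd.exe would run:", batch_commands(INJECTED_VCARD))
    for fname, blob in [("contact.vcf", INJECTED_VCARD.encode()),
                        ("contact.bat", INJECTED_VCARD.encode()),
                        ("contact.vcf", b"MZ\x90\x00" + b"\x00" * 60)]:
        print(fname, validate_contact_attachment(fname, blob))
    print("values to review:", suspicious_values(INJECTED_VCARD))
```

With the .vcf extension enforced, the injected card is still structurally valid and is allowed through, because Windows will open it with a contacts handler rather than cmd.exe; the same bytes named contact.bat, a PE payload, or a bare batch script are all rejected before the download is offered.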
· August 21, 2015 – Vulnerability disclosed to the WhatsApp security team.
· August 23, 2015 – First response received.
· August 27, 2015 – WhatsApp rolls out fixed web clients (v0.1.4481)
· September 8, 2015 – Public disclosure
“Thankfully, WhatsApp responded quickly and responsibly to deploy an initial mitigation against exploitation of this issue in all web clients, pending an update of the WhatsApp client,” said Oded Vanunu, Security Research Group Manager at Check Point. We applaud WhatsApp for such a proper response, and wish more vendors would handle security issues in this professional manner. Software vendors and service providers should secure their products and act in accordance with security best practices.
Check Point continues to be on the lookout for vulnerabilities in common software and Internet platforms, disclosing issues as they are discovered and protecting consumers and customers against tomorrow's threats.
Security gets an upgrade – with a few glitches
Video doorbells are all the rage in the USA. Can they work in South Africa? SEAN BACHER tries out the Ring Video DoorBell 2 and Floodlight Cam.
IP cameras have become synonymous with both business and home security. They are readily available, fairly inexpensive and, in many cases, easy to install.
Many are wireless, allowing one to place the camera anywhere within Wi-Fi range. As a result, they are a solution that can be customised to suit any type of security situation.
A world leader in doorbell security, Amazon subsidiary Ring, has recently extended its range of security devices, which now includes doorbells, floodlights, and Wi-Fi extenders, all designed to enhance and complement existing security beams and electric fences.
First up is the Ring Video DoorBell 2
It doesn’t look much like your normal intercom system, except for the miniature eye that keeps track of mischief that may be happening.
Setting up is fairly easy. All one needs to do is connect it to the network by pushing the connect button, create an account in the downloaded smartphone app and get started with customisation and certification. Features such as sensitivity, alerts and the numbers to which alerts should be sent can all be preprogrammed. It is then just a matter of positioning the doorbell to get the best video coverage.
Getting the correct position may take some time, though, as cars and pedestrians may set it off.
Next up is the Floodlight Cam
This works much the same as the doorbell. However, it needs to be mounted to a wall. Ring has you covered there: in the box you will find drill bits, screws and even a screwdriver to help you secure the camera.
You will have to set alerts, phone numbers, and sensitivity. The spotlight allows you to change what time it should light up and shut down, and the package also includes an alarm, should its beams be broken.
Although this all sounds good, there are a few drawbacks to the Ring solutions. Firstly, unlike the United States, where doorbells are stuck in the vicinity of a front door, allowing them to connect to a network easily, many houses in South Africa have gates that need to be opened before one can reach the front door. This means that the bells are on or near the gate, and they are unable to connect to a home or business network.
Now, however, Ring has launched a Wi-Fi extender, but this requires an additional set-up process – and a fairly expensive one, considering the camera cost.
The Ring devices come with Protection Plans that automatically upload any triggered recordings to the cloud, allowing you to view them at a later stage. The free trial period lasts only 30 days, after which a plan costs from R450 for three months up to R1 500 for twelve months.
The attention to detail in the packaging and the addition of the tools really does put the Ring in a class of its own. No short cuts were taken in its design, and you can immediately see that it’s no rip-off. However, the Protection Plans need to be looked at carefully in terms of their costs.
Aside from this challenge, I found the devices very handy inside my house. For instance, a few times my external alarm or fence would sound, at which stage I would get a notification from my armed response – while I was away. But I easily logged in to Ring from my phone to check if anything strange was happening – all in a matter of seconds and while I was sitting all the way in Berlin.
The devices are rather expensive, though, with the Video Door Bell starting at R3 500 and going up to R7 990, and the Floodlight Cam going for R5 000. It all adds up quickly.
The cost means these solutions may not be quite ready for the South African consumer looking for a complete external perimeter security system.
It’s not a ‘techlash’ – it’s a ‘tech clash’
By RORY MOORE, Innovation Lead, Accenture South Africa
People's love for technology has let businesses weave it, and themselves, into our lives, transforming how we work, live and interact in this new world, which we at Accenture refer to in our Tech Vision 2020 as the "post-digital era". But now we are being held back.
At a time when people see the potential of embracing technology more deeply in their lives, systems and services built for an old era are not supporting where people want to go. The next five years will see radical transformation as technology is realigned to better reflect people's needs and values.
We look at the latest emerging trends that will transform how we live and work in this fundamentally different post-digital world.
Tech trend 1: “The I in experience” – helping people choose their own adventure
The next generation of technology-driven experiences will be those that make the user an active participant in creating the experience. Businesses are increasingly looking to personalise and individualise experiences to a greater degree than ever before, but are faced with stricter data regulations and users that are wary of services being too invasive. To address this, leading businesses are changing the paradigm and making choice and agency a central component of what they deliver.
Tech trend 2: “Artificial intelligence (AI) and me” – reimagining business through human and AI collaboration
Businesses will have to tap the full potential of AI by making it an additive contributor to work, rather than a backstop for automating boring or repetitive tasks. Until now, enterprises have been using AI to automate parts of their workflows, but as AI capabilities grow, following the old path will limit the full benefit of AI investments, potentially marginalise people, and cap businesses’ ability for growth. Businesses must rethink the work they do to make AI a generative part of the process. To do so, they will have to build new capabilities that improve the contextual comprehension between people and machines.
Tech trend 3: “The dilemma of smart things” – overcoming the “beta burden”
As enterprises convert their products into platforms for digital experiences, new challenges arise that, if left unaddressed, will alienate customers and erode their trust. Now that the true value of a product is being driven by the experience, a facet of the product that enterprises have traditionally retained strict control over, businesses must re-evaluate central questions: how involved they are with the product lifecycle, how to maintain transparency and continuity over product features, when is a product truly “finished”, and even who owns it?
Tech trend 4: “Robots in the wild” – growing businesses’ reach and responsibility
Robotics is no longer confined to the warehouse or factory floor. Autonomous vehicles, delivery drones and other robot-driven machines are fast entering the world around us, allowing businesses to extend this intelligence back into the physical world. As 5G is poised to accelerate this trend, every enterprise must begin to rethink its business through the lens of robotics. Where will it find the most value, and what partners does it need to unlock it? What challenges will it face as it undergoes this transformation, and what new responsibilities does it have towards its customers and society at large?
Tech trend 5: “Innovation DNA” – creating an engine for continuous innovation
Businesses should assemble their unique innovation DNA to define how their enterprises grow in the future. Maturing digital technology is making it easier than ever before to transform parts of the business, or to find new value in sharing tools with others. The three key building blocks of innovation DNA are:
· Continue on the digital transformation journey
· Accelerate research and development (R&D) of scientific advancements, and utilise elements such as material sciences and genomic editing to ensure practical applications leave the labs quicker than ever before
· Leverage the power of DARQ (distributed ledger technology, AI, extended reality and quantum computing) to transform and optimise the business
Differentiation in the post-digital era will be driven by powerful combinations of innovation, and these building blocks will enable exactly that.
It’s not a “techlash”, it’s a “tech-clash”
Essentially, this new digital world is more intimate and personal than ever imaginable, but the models for data, ownership, and experience that define that world have remained the same.
Tech-clash is a clash between old models that are incongruous with people’s expectations. The time to start transformation is now. To this end, businesses need to defuse the tech-clash, build human-centered models and foster deeply trusting relationships.
For more information on how Accenture can help enterprises adopt the latest tech trends to future-proof their businesses in the post-digital era, go to: https://www.accenture.com/za-en.