- October 06, 2015
- Info notes
WhatsApp is an instant messaging mobile application that allows users to send text messages as well as media content such as images, videos, and audio messages. With the recently added call functionality, WhatsApp now provides most GSM functionalities (calls, SMS, and MMS) over the data network. The browser-based client, WhatsApp Web, was launched in January 2015. It allows users to view their messages concurrently on the smartphone and in a web browser by mirroring all messages from the smartphone to the browser.
Security researcher Kasif Dekel from Check Point recently discovered a significant vulnerability in the WhatsApp Web application, dubbed MaliciousCard, which allowed attackers to execute arbitrary code on the machines of unsuspecting victims. When the vulnerability was disclosed, WhatsApp claimed to have 900 million monthly active users, at least 200 million of whom used WhatsApp Web.
The MaliciousCard vulnerability received considerable media attention and was described as a highly severe vulnerability that exposed millions of users. Its severity was due to several factors:
- It was easy to exploit: the attacker simply needed to send the victim a vCard (an electronic business or personal contact card) containing malicious code, and convince the victim to open the vCard, which executed the code.
- WhatsApp users are identified by their MSISDN (Mobile Station International Subscriber Directory Number, i.e. the mobile phone number), so all the attacker needed in order to target a particular user was his or her phone number.
- The large number of vulnerable users: WhatsApp Web had 200 million users by the time the vulnerability was discovered.
- Successful exploitation of MaliciousCard could have had severe consequences: by executing arbitrary code on the victim's machine, the attacker could have further compromised it by installing bots, ransomware, RATs, and other malware.
WhatsApp acted quickly by patching the vulnerability in WhatsApp Web. This fix mitigated the problem until a full patch was released for the WhatsApp application.
Disclosure timeline
- August 21, 2015 – Vulnerability disclosed to the WhatsApp security team.
- August 23, 2015 – WhatsApp acknowledges receipt of disclosure.
- August 27, 2015 – WhatsApp rolls out fixed web clients (v0.1.4481)
- September 8, 2015 – Public disclosure
MSISDN as a unique identifier
The success of WhatsApp is often attributed to its simplicity. A good example is its use of the phone number as the unique identifier of a user: there is no need to add contacts, because the application reuses the contact list already stored on the phone.
Vulnerabilities like MaliciousCard can easily take advantage of this approach:
- Individual target: the attacker can obtain the victim's phone number, craft a personalised text message, and send it to the victim.
- APT against an organisation: the attacker can obtain a contact list of the employees within an organisation, craft a personalised text message and distribute it to the employees.
Brute Force Spam
The attacker can 'brute force' all possible phone numbers within a block and send text messages to every resulting number.
Figure 1: WhatsApp screenshot
The MSISDN is composed of the CC (Country Code), the NDC (National Destination Code), and the SN (Subscriber Number):
MSISDN = CC + NDC + SN.
7307406945 = 73 (CC) + 074 (NDC) + 06945 (SN).
The CC is common to a country, and the NDC is common to a particular telco provider, so only the SN varies. In the illustrative example above, the possible MSISDNs for this country and telco provider range from 7307400000 to 7307499999. Such a block is easy to 'brute force', since a five-digit SN gives only 10^5 = 100,000 numbers for this telco provider, and automatically sending a text message to every one of them is a simple task.
Figure 1 above shows a spam WhatsApp message that was recently circulating in Greece, even among ENISA staff members. This message was most likely sent using the 'brute force spam' technique described above. The CC was +30, indicating a Greek phone number, and the message was written in Greek. Coincidentally, these messages were circulating between the 21st and the 27th of August (see the disclosure timeline above), and they even contained a vCard. We were unable to confirm whether this message was in fact a MaliciousCard attack, because the vulnerability had already been fixed in WhatsApp Web and we could not reproduce the scenario.
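The arithmetic above, worked through in code. This is an added example written for this note, not code from WhatsApp or from the spam campaign; it uses the CC + NDC + SN layout and the sample number 7307406945 from the text. The CC and NDC digit lengths are passed in explicitly, since they vary by country and operator and the caller is assumed to know them for the block being analysed:

```python
"""Decompose an MSISDN into CC, NDC and SN and enumerate the subscriber-number
space that a 'brute force spam' sender would walk through.

Added example for this note (not WhatsApp code). The field lengths cc_len and
ndc_len are assumptions supplied by the caller.
"""
from dataclasses import dataclass
from typing import Iterator, Tuple


@dataclass(frozen=True)
class Msisdn:
    cc: str   # country code, e.g. "73" in the example above
    ndc: str  # national destination code (telco block), e.g. "074"
    sn: str   # subscriber number, the only part that varies in the block

    def __str__(self) -> str:
        return self.cc + self.ndc + self.sn


def decompose(number: str, cc_len: int, ndc_len: int) -> Msisdn:
    """Split a phone number into its three MSISDN fields.

    Accepts a leading '+' and spaces; rejects anything that is not digits or
    that is too short to contain an SN after the CC and NDC.
    """
    digits = number.lstrip("+").replace(" ", "")
    if not digits.isdigit():
        raise ValueError("MSISDN must contain digits only")
    if len(digits) <= cc_len + ndc_len:
        raise ValueError("MSISDN too short for the given CC/NDC lengths")
    return Msisdn(digits[:cc_len], digits[cc_len:cc_len + ndc_len], digits[cc_len + ndc_len:])


def sn_space(example: Msisdn) -> Tuple[str, str, int]:
    """Return (lowest, highest, count) of all MSISDNs sharing example's CC+NDC."""
    width = len(example.sn)
    prefix = example.cc + example.ndc
    return prefix + "0" * width, prefix + "9" * width, 10 ** width


def enumerate_block(example: Msisdn) -> Iterator[str]:
    """Yield every MSISDN in the block in ascending order, without building a list.

    This is exactly the target list a brute-force spammer needs: the CC and NDC
    are fixed and only the SN counts up.
    """
    width = len(example.sn)
    prefix = example.cc + example.ndc
    for sn in range(10 ** width):
        yield f"{prefix}{sn:0{width}d}"


if __name__ == "__main__":
    m = decompose("7307406945", cc_len=2, ndc_len=3)
    lowest, highest, count = sn_space(m)
    print(f"{m}: CC={m.cc} NDC={m.ndc} SN={m.sn}")
    print(f"block {lowest}..{highest} contains {count} numbers")
    for target in list(enumerate_block(m))[:3]:
        print("would message", target)
```

With the example number and a two-digit CC plus three-digit NDC, `sn_space` reports the block 7307400000..7307499999 with 100,000 entries, matching the text. Note that `enumerate_block` is a generator: walking a 10^5 block is cheap, and even a seven-digit SN (10^7 numbers) is well within what a single machine can send given an API that accepts messages to arbitrary numbers.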
The ability to target users through their phone number was also demonstrated by the Stagefright vulnerability, where the attacker could send a specially crafted MMS to unsuspecting victims in order to perform arbitrary operations on the target device. What was particularly notable about Stagefright was that no user interaction was required.
Conclusion and recommendations
Several applications (WhatsApp, Viber, etc.) now use the phone number as a unique identifier, and mobile operating systems additionally let applications (e.g. the SMS application) hook into smartphone features such as SMS, MMS, and incoming calls, which are themselves tied to the phone number. As a result, smartphones are addressable through their phone numbers in such applications, and, as the examples above show, this can be exploited by cybercriminals.
One's mobile phone number is a personal and valuable piece of information, to be handled with care. Users must be cautious when receiving data from suspicious or unknown numbers, but also when they receive unsolicited data from known numbers.
Software vendors and service providers
Software vendors and service providers should consider the implications of using the mobile phone number as a unique identifier and enforce additional security measures to counter such abuse wherever the number is used in this way. Removing the need to add contacts was a matter of convenience from the user's perspective, but this approach can have significant security implications. Both the MaliciousCard and the brute force spam cases could have been avoided if WhatsApp had blocked messages from unknown or untrusted sources.
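One way a messaging service could enforce the recommendation above, as an added example for this note (it is not WhatsApp's code and does not describe its actual anti-abuse logic). A sender is trusted by a given recipient only if the recipient has saved the number or has previously replied to it; untrusted senders can still deliver plain text but their attachments (such as vCards) are quarantined, and a sender that opens first contact with many distinct numbers in the same CC+NDC block within a short window is throttled as a likely brute-force spammer. The five-digit CC+NDC prefix length, the window and the threshold are assumed values chosen for the demonstration:

```python
"""Sender-trust gate for a phone-number-addressed messaging service.

Added example (not WhatsApp code). Policy parameters below are assumptions.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Set, Tuple

PREFIX_LEN = 5                      # digits of CC+NDC, e.g. "73074" in the example above
WINDOW_SECONDS = 600.0              # sliding window for the first-contact heuristic
MAX_NEW_RECIPIENTS_PER_BLOCK = 50   # first contacts into one CC+NDC block per window

DELIVER = "deliver"
QUARANTINE = "quarantine_attachment"
THROTTLE = "throttle"


class TrustGate:
    """Decides whether a message is delivered, stripped of attachments, or dropped."""

    def __init__(self, contacts: Dict[str, Set[str]]) -> None:
        # recipient number -> numbers saved in that user's contact list
        self.contacts = contacts
        # recipient number -> senders the recipient has replied to (implicit trust)
        self.replied: Dict[str, Set[str]] = defaultdict(set)
        # sender -> CC+NDC prefix -> timestamps of first-contact messages into that block
        self.first_contacts: Dict[str, Dict[str, Deque[float]]] = defaultdict(
            lambda: defaultdict(deque))
        self.seen_pairs: Set[Tuple[str, str]] = set()
        self.throttled: Set[str] = set()

    def note_reply(self, replier: str, to: str) -> None:
        """A reply from the recipient marks the original sender as trusted for them."""
        self.replied[replier].add(to)

    def is_trusted(self, sender: str, recipient: str) -> bool:
        return sender in self.contacts.get(recipient, set()) or sender in self.replied[recipient]

    def handle(self, sender: str, recipient: str, has_attachment: bool, ts: float) -> str:
        if sender in self.throttled:
            return THROTTLE
        if self.is_trusted(sender, recipient):
            return DELIVER
        # Untrusted sender: count first contacts per CC+NDC block in a sliding window.
        pair = (sender, recipient)
        if pair not in self.seen_pairs:
            self.seen_pairs.add(pair)
            window = self.first_contacts[sender][recipient[:PREFIX_LEN]]
            window.append(ts)
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) > MAX_NEW_RECIPIENTS_PER_BLOCK:
                self.throttled.add(sender)
                return THROTTLE
        # Untrusted but not (yet) spamming: text goes through, attachments do not.
        return QUARANTINE if has_attachment else DELIVER


def simulate_brute_force(gate: TrustGate, spammer: str, prefix: str, count: int) -> Dict[str, int]:
    """Send a vCard from `spammer` to the first `count` SNs of a block; tally the outcomes.

    Constructed traffic: one message per second, SNs counting up from 00000.
    """
    tally: Dict[str, int] = defaultdict(int)
    for sn in range(count):
        target = f"{prefix}{sn:05d}"
        tally[gate.handle(spammer, target, has_attachment=True, ts=float(sn))] += 1
    return dict(tally)


if __name__ == "__main__":
    # Constructed data: 7307406945 has saved 7307411111; 7309900000 is unknown to everyone.
    gate = TrustGate({"7307406945": {"7307411111"}})
    print(gate.handle("7307411111", "7307406945", True, 0.0))   # saved contact: deliver
    print(gate.handle("7309900000", "7307406945", True, 1.0))   # stranger with vCard: quarantine
    print(simulate_brute_force(TrustGate({}), "7309900000", "73074", 200))
```

In the simulation the first 50 first-contact vCards are delivered without their attachment and every later message from that sender is throttled. The two checks address the two cases in the text separately: the attachment quarantine stops a targeted MaliciousCard-style vCard from an unknown number even when the sender stays under the rate threshold, while the per-block first-contact counter catches the brute-force pattern even for plain-text spam.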
About “Info Notes” from ENISA
With the “Info Notes” series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible course of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more information on the “Info Notes” series (email@example.com).