Bezos, WhatsApp Cyberattacks Show Growing Mobile Sophistication

The recently disclosed Jeff Bezos phone hack and other incidents show that mobile devices are being increasingly targeted by sophisticated nation-state attackers.

NEW ORLEANS – Sophisticated nation-state groups are increasingly using mobile devices as an infection vector.

Oded Vanunu, head of products vulnerability research at Check Point Research, told Threatpost during CPX 360 this week that because mobile devices come equipped with a wide range of technologies, from communication apps to operating systems, they are ripe targets for sophisticated attackers.

Recent examples of potentially state-sponsored mobile cyberattacks have included the reported hack of Jeff Bezos’ phone, which reports say occurred after the Amazon CEO opened a seemingly benign WhatsApp video in 2018 from the account of the Saudi Crown Prince Mohammed bin Salman. More recently, New York Times journalist Ben Hubbard said this week that someone tried to hack his phone by sending him an Arabic text message with a link for a website. Beyond these high-profile instances, various journalists and human rights activists have been targeted globally after a WhatsApp zero-day vulnerability was exploited by attackers who were able to inject spyware onto victims’ phones.

While it’s certainly not the only way that mobile phones are being attacked, Facebook-owned WhatsApp has become a significant attack surface; it’s used by 1.5 billion people globally, making it ripe for cybercriminals.

Vanunu has seen his share of WhatsApp vulnerabilities: at Black Hat 2019, for instance, he demoed several flaws in the messaging platform that could be used to manipulate chats. Vanunu told Threatpost that WhatsApp is a prime example of how mobile devices are increasingly being targeted by nation-state actors, in stark contrast to the less serious threats they faced in the past, such as adware.


Below is a lightly-edited transcript of Threatpost’s conversation with Vanunu.

Lindsey O’Donnell: This is Lindsey O’Donnell with Threatpost. Welcome back to the Threatpost podcast. I’m here with Oded Vanunu with Check Point Research. And we are here today at CPX 360. Oded, how are you doing?

Oded Vanunu: I’m doing well. Thank you for your time.

LO: Yeah, how’s your CPX 360 so far?

OV: So far, so good. There is a lot of interest, a lot of excitement, moving fast like the cyber world. And it seems like every year the cyber security space is becoming much bigger because technology is evolving faster.

LO: Well, just for our listeners, can you introduce yourself and kind of what your role is with Check Point’s research team? I know you’ve done a ton in terms of research around WhatsApp vulnerabilities and TikTok and everything else.

OV: So I’m head of product vulnerability research. Basically I’m part of Check Point’s research leadership. What we do is that we run an operation of more than 200 people that focus on cyber warfare, meaning that today we live in an era where cyber attacks, cyber war, are involving governments, involving cybercrime, and all these organizations and governments have a multi-million, or sometimes billion-dollar budget. And this means that the cyber landscape is dramatically changing and has become aggressive in the last few years.

And in the last two years we have been uncovering very big stories about vulnerabilities on major platforms, platforms of millions of people. Because these platforms have become the main target, the main gates for threat actors. For example, let’s take social media, or instant messaging, WhatsApp, for example. 1.5 billion users use this platform, so from the perspective of the attacker, this is the gate that I want to enter, because this application sits on mobile, or iPad, or tablet, or PCs. So I have a lot of opportunity.

And we saw in the last year also that the price tag for a vulnerability on social media and instant messaging, on the public sites of companies that buy vulnerabilities, has reached $1 million. This is big. This means that there is huge demand from governments and cybercrime to get these vulnerabilities; this is their rhythm, this is how it’s going. So this is, in general, what we are doing.

LO: Yeah, well, I know specifically with WhatsApp you had talked at, I believe, Black Hat this past year about some vulnerabilities that you discovered on the WhatsApp platform. And it really brought to mind just how private messages are on the platform, and what there is to lose for the consumer. And I know too we had just been talking about the recent Jeff Bezos incident that had happened. Can you talk a little bit about what your perspective is on that and how that relates to what you’re saying?

OV: Yes, so. So the instant messaging and social media are, as I said, the main targets, but we need to understand that from a cyber offensive perspective, we all use mobile phones. But let’s understand what there is inside a mobile phone. There are hundreds of hardware pieces inside of it. Potentially, each hardware device can add a vulnerability. So this means that I have a lot of attack surface. This is just the beginning. Then we have operating systems, millions of code lines. And then we have applications, which are on top of the operating system, and on there is another millions of code lines and hundreds of applications. This means that our device in general – not related to specific social media – each application, if it’s connected directly to the internet, is a gate because it’s software. All the time there will be vulnerabilities. So first of all, we need to understand this concept. Now, we have the objectives and targets of the bad actors. So there are bad actors whose objective is to spread their malware without a specific target, or spearphishing. They’re usually not using very sophisticated attacks; they are using more like social engineering and more involving links.

But then we have the vulnerabilities that really exploit specific applications. And these applications are usually the applications that we use most of the time. And we can, let’s try to name it, not because they have vulnerabilities – everyone has vulnerabilities – let’s say WhatsApp is a great platform, great security, and they are doing a great job. But they are the biggest, meaning that everyone has the app. But let’s think about, so everyone is like social media, Facebook, Instagram, TikTok. So this is like three applications, three different applications, three different code logics. And then you have browsers. It’s totally different. And then you have your email applications.

So it means that the attack surface is growing. And these are the targets today. These are the main targets to attack you through the application files, vulnerabilities on the application that will give [attackers] a gate, and then these gates would trigger another vulnerability, another zero-day to download the payload. The standard today is that the attacks are multi-vector, there is no one zero day and that’s it. It’s like moving between platforms, moving between architectures, it’s moving parts.

And of course, we didn’t talk about cloud, because most of the applications today are just like a piece of code. Simple code that is just responsible for the basic logic. But behind the scenes, it’s like hundreds of APIs, third party, SSO, you can do it with Facebook, and then database, and then streaming and then payments. So it means that your application has so many legs. Right? And so many communication patterns, and for an attacker I just need one place that I can inject into that will not have sanitization. And that’s it, and I’m inside.

So executing cyber attacks today, it’s not a simple mission, but it’s something that includes a lot of moving parts. And this is why there is a huge market of zero days and vulnerabilities.

LO: Yeah, that’s a really good point. I know today at CPX 360 at one of the keynotes someone was talking about mobile security, but then also social media and how there’s kind of a trolling-as-a-service type of market that’s been emerging over the past year in terms of social media hacks, and, you know, misinformation and things like that. How does that kind of fit into all of this?

OV: Yeah, so misinformation, fake news. Yeah, it’s also part of the things that we uncovered. We had a vulnerability last year, for example, on WhatsApp that allowed us to fake messages on behalf of people, in groups. And we did that after we saw a lot of news that people were actually dying from fake news in India and the Brazil elections. And let’s talk now about something that’s very disturbing and try to understand the big picture.

Most of us, most of our technology life, is controlled by artificial intelligence. Every time that we use our phone, or PC, we move between places. We have locations, we have browsers. There are engines on the cloud that profile each of us. So if you enter social media and I enter social media, we would both see different things. You have your own life; this life was decided by artificial intelligence: links, what you speak, what it’s like around you, the people that you are looking for.

So, each one of us has a platform, has a domain, and we are controlled by that. When we wake up in the morning, we see where our events are, what the news is today. So, imagine for example, if I can manipulate, exploit the artificial intelligence engines, this is big. This is happening. This is happening, and this is why we see, according to information that is available on the Internet, that elections, Brexit, things that use a lot of artificial intelligence manipulation that targets audiences. So in my opinion, this is the biggest threat for the future.

LO: Well, I see we’re running out of time here. But just to wrap up, was there anything else, any other takeaways that you kind of want to highlight in terms of the biggest cyber threats to look out for in 2020? Or anything else?

OV: So for me, for 2020 the biggest risk or prediction is, first of all, artificial intelligence exploitation or manipulation. This is a big thing because there are a lot of elections in 2020 around the world. Second, it’s not a secret anymore and it’s been escalating. There is a cyber Cold War; nations are targeting each other and publicly saying it. So we want to see where it will go.

And the last thing for me is that we will continue to see exploitation of social media instances, and that’s it. This is enough.

LO: Great. Well, Oded, thank you again for joining us.

OV: Yes. Great. It was a pleasure.
