Incident: WhatsApp Spyware Vulnerability Exploited by NSO Group in 2019

Published Date: 2019-05-13

Postmortem Analysis
Timeline
1. The software failure incident, in which a WhatsApp vulnerability was exploited to inject spyware into phones, happened in May 2019 [84818].
2. The incident was discovered in early May 2019 [84818].
3. The patch for the vulnerability was released on a Monday in May 2019 [84818].
4. The incident was reported on May 14, 2019 [84818].
5. Therefore, the software failure incident occurred in May 2019.

System
1. WhatsApp's phone call function [84818]
2. WhatsApp's VoIP stack [84818]
3. Buffer overflow vulnerability in WhatsApp [84818]

Responsible Organization
1. NSO Group [84559, 84817, 84822, 84793, 84805]
2. Israeli cyber intelligence company [84559, 84817, 84822, 84793, 84805]
3. Hackers [84407, 84818]

Impacted Organization
1. Human rights activists, lawyers, journalists, and government critics were impacted by the software failure incident involving the WhatsApp vulnerability [84818, 84789, 84805].
2. A UK-based attorney involved in a lawsuit against NSO Group was targeted by the spyware attack [84793, 84805].
3. An Amnesty International researcher was targeted via a WhatsApp message containing NSO's spying software in 2018 [84805].
4. The lawyer involved in the civil case against NSO Group was targeted by suspicious WhatsApp video calls [84805].
5. The attack was aimed at a select number of users, including high-profile activists and political dissidents [84407].
6. The vulnerability allowed attackers to inject spyware into a user's phone through the WhatsApp phone call function [84818, 84814].
7. The vulnerability was exploited by an advanced cyber actor to install surveillance software on phones and other devices [84818, 84814].
8. The vulnerability was used in an attempted attack on the phone of a UK-based attorney [84793].
9. The vulnerability was found to have been used against a select number of users, including human rights groups and activists [84822].
10. The vulnerability was exploited to target a London-based human rights lawyer advising on a case against NSO Group [84805].

Software Causes
1. A vulnerability in WhatsApp's phone call function allowed hackers to inject spyware into targeted phones, leading to the failure incident [84818].
2. The spyware developed by NSO Group exploited a buffer overflow vulnerability in WhatsApp's VoIP stack, enabling remote code execution through specially crafted SRTCP packets sent to a specific phone number [84818].
3. The attackers used WhatsApp's voice calling feature to target devices; the surveillance software was installed even if the call was not answered [84818].
4. The spyware could extract data from the infected device, activate the phone's camera and microphone, and perform other malicious activities [84818].

Non-software Causes
1. The vulnerability in WhatsApp allowed hackers to install spyware through an infected WhatsApp voice call, exploiting a buffer overflow vulnerability in the WhatsApp VoIP stack [84818].
2. The spyware was developed by the Israeli cyber intelligence company NSO Group [84818].
3. The attack targeted a select number of users and was orchestrated by an advanced cyber actor [84818].
4. The spyware could infect a phone without the user needing to do anything, even if the call was not answered [84818].
5. The spyware used the WhatsApp voice calling function to infect the target's device [84818].
6. The spyware could extract all data on the device, activate the phone's camera and microphone, and perform other malicious activities [84818].

Impacts
1. The software failure incident in WhatsApp allowed hackers to install spyware through infected voice calls, potentially compromising users' data and privacy [84818, 84814].
2. The vulnerability in WhatsApp was exploited by an advanced cyber actor, targeting a select number of users, including high-profile activists, lawyers, and human rights defenders [84818, 84814].
3. The spyware developed by NSO Group could extract data from the infected devices, including text messages, contacts, GPS location, email, and browser history, and could activate the phone's camera and microphone [84818, 84814].
4. The incident raised concerns about the security of cloud backups of WhatsApp chats, which are not end-to-end encrypted and could expose sensitive conversations to unauthorized access [84818].
5. The incident highlighted the risks associated with zero-day vulnerabilities and the difficulty of defending against attacks that exploit them [84407].
6. The incident led to a call for users to update their WhatsApp applications to the latest version to mitigate the risks posed by the vulnerability [84818, 84814].
7. The incident prompted concerns about the potential misuse of surveillance technologies by governments and the need for accountability and regulation in the commercial sale of such tools [84805, 84818].
8. The incident underscored the importance of security measures such as two-factor authentication and privacy settings within messaging applications [84818].
9. The incident had implications beyond individual users, raising broader questions about cybersecurity, privacy, and the role of technology companies in safeguarding user data [84818, 84814].

Preventions
1. Regularly updating the WhatsApp application to the latest version, which includes security patches and fixes [84818].
2. Disabling cloud backups of WhatsApp chats, since such backups are not end-to-end encrypted [84818].
3. Enabling two-factor authentication (2FA) for an additional layer of security [84818].
4. Using additional privacy and security settings within the WhatsApp application to control who can access certain information [84818].

Fixes
1. Updating WhatsApp to the latest version to patch the vulnerability exploited by the spyware attack [84818].
2. Disabling cloud backups of WhatsApp chats, since such backups are not end-to-end encrypted [84818].
3. Enabling two-factor authentication (2FA) for added security on WhatsApp accounts [84818].
4. Using additional privacy and security settings within the WhatsApp app to control data sharing and visibility [84818].

References
1. Financial Times [84818]
2. WhatsApp [84818]
3. NSO Group [84818]
4. Facebook [84818]
5. Amnesty International [84818]
6. University of Toronto's Citizen Lab [84818]
7. German firm Security Research Labs [84818]
8. CryptoPhone [84818]
9. Signal [84818]
10. Bjoern Rupp, CEO of CryptoPhone [84818]
11. John Scott-Railton, senior researcher at University of Toronto's Citizen Lab [84818]
12. Karsten Nohl, chief scientist at Security Research Labs [84818]
13. Alan Woodward, professor at University of Surrey [84818]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization:
- The software failure incident involving the installation of spyware through a vulnerability in WhatsApp has occurred again. This incident targeted a select number of users and was orchestrated by an advanced cyber actor [84818].
- NSO Group, an Israeli cyber company, was involved in developing the spyware used in the attack on WhatsApp [84818].
- WhatsApp quickly addressed the vulnerability by releasing a patch and encouraged users to update their app as a precaution [84818].
(b) The software failure incident having happened again at multiple_organization:
- The software failure incident involving the installation of spyware through a vulnerability in WhatsApp has targeted high-profile activists, political dissidents, journalists, and human rights defenders [84407].
- NSO Group, the Israeli spy firm, has been accused of developing a WhatsApp exploit that injected malware onto targeted phones, potentially stealing data from them [84407].
- The exploit allowed attackers to infect devices by placing a voice call to the victim on WhatsApp, even if the call was not answered [84407].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident occurring due to the development phases:
- The software failure incident in WhatsApp was due to a vulnerability that allowed spyware to be injected into users' phones through the app's phone call function [84559].
- The vulnerability was discovered in the app's voice over internet protocol (VoIP) stack and allowed remote code execution through a specially crafted series of packets sent to a specific phone number [84818].
- The exploit used a buffer overflow vulnerability in the WhatsApp VoIP stack that allowed code execution through a series of SRTCP packets sent to a target phone number [84818].
(b) The software failure incident occurring due to the operation phases:
- The attack involved hackers using the WhatsApp voice calling function to target specific users; the spyware could be installed even if the call was not answered [84818].
- The spyware could infect phones without the user taking any action, indicating a vulnerability in the operation of the app [84818].
- The incident highlighted the potential misuse of technology by governments and the need for accountability in the operation of surveillance tools [84805].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) The software failure incident related to the WhatsApp vulnerability and spyware injection can be categorized as within_system. The vulnerability in WhatsApp's phone call function allowed hackers to inject spyware into targeted phones by exploiting a buffer overflow bug in the VoIP stack [84818]. The attack was sophisticated, allowing remote installation of surveillance software without the user answering the call [84818]. WhatsApp quickly addressed the problem by releasing a patch and encouraging users to update their apps [84818]. The exploit was used to target a select number of high-profile activists, journalists, and human rights defenders [84818].
(b) The software failure incident involving the WhatsApp vulnerability and spyware injection can also be categorized as outside_system. The spyware was developed by the Israeli cyber intelligence company NSO Group, which is known for creating powerful malware to spy on targets [84818]. The exploit was orchestrated by an advanced cyber actor, indicating external involvement in the attack [84818]. The attack had the hallmarks of a private company working with governments to deliver spyware, suggesting external collaboration in the incident [84818].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The software vulnerability in WhatsApp allowed hackers to inject spyware into users' phones through the app's phone call function, without requiring any action from the users [84818].
- The vulnerability exploited in the attack was a buffer overflow in the WhatsApp VoIP stack, allowing remote code execution through specially crafted SRTCP packets sent to a specific phone number [84818].
- The attack had the characteristics of being orchestrated by an advanced cyber actor, targeting a select number of users [84818].
- WhatsApp quickly addressed the vulnerability within its infrastructure and released an update to protect users from being targeted with similar phone-call bugs [84407].
(b) The software failure incident occurring due to human actions:
- The spyware used in the attack was developed by the Israeli security company NSO Group, known for creating powerful malware to spy on targets [84818].
- NSO Group denied any involvement in selecting or targeting victims but acknowledged its role in creating the hack itself [84818].
- The attack exploited a buffer overflow vulnerability in the WhatsApp VoIP stack, a common type of bug that can be strategically exploited by attackers [84407].
- The attack was used to target high-profile activists, political dissidents, journalists, and human rights defenders [84818].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident occurring due to hardware:
- The articles do not provide information about the software failure incident occurring due to contributing factors originating in hardware.
(b) The software failure incident occurring due to software:
- WhatsApp discovered a vulnerability in its system that allowed hackers to install spyware on users' phones through the phone call function, without the call needing to be answered. The exploit relied on a buffer overflow vulnerability in the WhatsApp VoIP stack, allowing remote code execution through specially crafted SRTCP packets sent to a specific phone number [84407].
- The spyware used in the attack was developed by the Israeli cyber intelligence company NSO Group. The attack targeted a select number of users, including high-profile activists and political dissidents. NSO Group denied involvement in selecting or targeting victims but acknowledged its role in creating the hack [84818].
- The attack exploited the fact that in a VoIP call the system has to be prepared for various inputs from the user, such as picking up or declining the call. This complexity in data parsing left room for exploitable bugs that could be triggered without the call being answered [84407].
- The vulnerability allowed attackers to infect devices without user interaction, highlighting the risk posed by vulnerabilities that can be exploited remotely [84818].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident in WhatsApp was malicious. The vulnerability allowed hackers to install spyware on targeted phones through a phone call, even if the call was not answered. The spyware could extract data from the device, activate the camera and microphone, and perform other malicious activities. The attack was orchestrated by an advanced cyber actor, and the software exploit was developed by the Israeli cyber intelligence company NSO Group [84818]. The attack had all the hallmarks of a private company reportedly working with governments to deliver spyware that takes over the functions of mobile phone operating systems. NSO Group, the company behind the spyware, denied any involvement in selecting or targeting victims but acknowledged its role in creating the hack [84818]. The vulnerability was used in an attempted attack on the phone of a UK-based attorney involved in a lawsuit against NSO brought by a group of Mexican journalists, government critics, and a Saudi Arabian dissident [84818].

Category: Intent (Poor/Accidental Decisions)
Option: unknown
Rationale:
(a) The software failure incident was not due to poor decisions but rather an intentional attack by hackers exploiting a vulnerability in WhatsApp to inject spyware into targeted phones. The attack was orchestrated by an advanced cyber actor, and the spyware was developed by the Israeli security firm NSO Group. The attack targeted a select number of users, including high-profile activists, journalists, and human rights defenders. The spyware allowed attackers to remotely install surveillance software on devices, potentially gaining access to private messages, location data, and other information [84818].
(b) The software failure incident was not accidental but a deliberate exploitation of a vulnerability in WhatsApp's system by hackers. The attack involved injecting malware onto targeted phones through WhatsApp calls, even if the calls were not answered. The exploit was discovered by WhatsApp in early May, and a patch was released to address the vulnerability. The attack was sophisticated and targeted specific individuals, indicating a deliberate and intentional effort to compromise the security and privacy of the affected users [84407].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident occurring due to development incompetence:
- The software vulnerability in WhatsApp that allowed spyware to be injected into users' phones was a buffer overflow vulnerability in the WhatsApp VoIP stack, allowing remote code execution through specially crafted SRTCP packets sent to a specific phone number [84818].
- NSO Group, the Israeli cyber company behind the spyware, denied any involvement in selecting or targeting victims but acknowledged its role in creating the hack [84818].
- The hack exploited a buffer overflow problem in the WhatsApp VoIP stack; such bugs are not uncommon in complex VoIP stacks, which are known for having vulnerabilities [84407].
- The incident highlighted the need for security upgrades and patches to address vulnerabilities in software applications [84407].
(b) The software failure incident occurring accidentally:
- The vulnerability in WhatsApp that allowed hackers to install spyware through an infected WhatsApp voice call was discovered this month and quickly addressed by the company within its infrastructure [84818].
- The spyware attack was used to target a select number of high-profile activists and political dissidents, indicating a deliberate and targeted attack rather than an accidental incident [84818].
- The exploit used in the attack was a zero-day bug, where attackers found a vulnerability before the company could patch it, highlighting the challenge of defending against such attacks [84407].
- The hack required nothing but an incoming phone call to inject malware onto targeted phones, indicating a deliberate and sophisticated attack rather than an accidental occurrence [84407].

Category: Duration
Option: temporary
Rationale:
The software failure incident related to the WhatsApp vulnerability discovered by NSO Group was temporary. The vulnerability allowed hackers to install spyware through an infected WhatsApp voice call, targeting a select number of users. WhatsApp quickly addressed the problem within its infrastructure by releasing a patch for the vulnerability [84818]. The attack exploited a buffer overflow vulnerability in the WhatsApp VoIP stack, allowing remote code execution through specially crafted SRTCP packets sent to a specific phone number [84818]. The incident was discovered in early May, and WhatsApp urged its users to update the app as a precaution [84818].

Category: Behaviour
Option: crash, value, other
Rationale:
(a) crash: Failure due to the system losing state and not performing any of its intended functions.
- The software failure incident in the articles can be categorized as crash behaviour. The vulnerability in WhatsApp allowed hackers to inject spyware into targeted phones through a phone call, even if the call was not answered, leading to the system being compromised and not performing its intended functions [84818].
(b) omission: Failure due to the system omitting to perform its intended functions at an instance(s).
- The software failure incident does not specifically mention an omission behaviour where the system omits to perform its intended functions at an instance(s) [unknown].
(c) timing: Failure due to the system performing its intended functions correctly, but too late or too early.
- The software failure incident does not align with a timing behaviour where the system performs its intended functions correctly but at the wrong time [unknown].
(d) value: Failure due to the system performing its intended functions incorrectly.
- The software failure incident can be associated with value behaviour, as the spyware injected into the phones through the WhatsApp vulnerability allowed hackers to access private messages, location data, and other information, indicating incorrect functioning of the system [84818].
(e) byzantine: Failure due to the system behaving erroneously with inconsistent responses and interactions.
- The software failure incident does not exhibit byzantine behaviour where the system behaves erroneously with inconsistent responses and interactions [unknown].
(f) other: Failure due to the system behaving in a way not described in the (a to e) options. What is the other behaviour?
- The software failure incident can also be categorized as value behaviour, as the spyware developed by NSO Group had the capability to extract data from the devices, activate the phone's camera and microphone, and perform other malicious activities, indicating incorrect functioning of the system [84818].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property, theoretical_consequence
Rationale:
(a) death: There were no reports of people losing their lives due to the software failure incident in the articles.
(b) harm: The software failure incident did not result in physical harm to individuals as reported in the articles.
(c) basic: The software failure incident did not impact people's access to food or shelter as reported in the articles.
(d) property: The software failure incident impacted people's data security and privacy, as spyware could be injected into their phones, potentially allowing hackers to access private messages, location data, and other information [84407].
(e) delay: There were no reports of people having to postpone an activity due to the software failure incident in the articles.
(f) non-human: Non-human entities were not directly impacted by the software failure incident in the articles.
(g) no_consequence: The software failure incident had real observed consequences, such as the potential compromise of user data and privacy due to the spyware vulnerability in WhatsApp [84407].
(h) theoretical_consequence: The potential consequences discussed in the articles included the ability of the spyware to extract data from the device, activate the phone's camera and microphone, and perform other malicious activities [84805].
(i) other: There were no other consequences of the software failure incident mentioned in the articles.

Category: Domain
Option: information
Rationale:
(a) The failed system in the articles was related to the information industry. The software failure incident involved WhatsApp, a messaging app owned by Facebook, which is a platform for communication and sharing information among users [84818].
(b) The failed system was not related to the transportation industry.
(c) The failed system was not related to the natural resources industry.
(d) The failed system was not related to the sales industry.
(e) The failed system was not related to the construction industry.
(f) The failed system was not related to the manufacturing industry.
(g) The failed system was not related to the utilities industry.
(h) The failed system was not related to the finance industry.
(i) The failed system was not related to the knowledge industry.
(j) The failed system was not related to the health industry.
(k) The failed system was not related to the entertainment industry.
(l) The failed system was not related to the government industry.
(m) The failed system was not related to any other industry.

Sources
