FEATURE CELLULAR, WI-FI & IOT


Smartphones, smarter hackers

Can users defend against a similar breach to the WhatsApp hack?


Contributing to the running theme of technical and electronic security in this issue of Electronics, Daniel Follenfant, senior manager of penetration testing and consulting services for NTT Security, expands on his recent thoughts on smartphone applications and the simple yet effective means by which they can be protected.


The recent hacking of the WhatsApp messaging service has prompted businesses and consumers to examine what they can do to protect themselves, and their data, from a similar kind of attack in the future. The attacker took advantage of a design flaw in the app to ‘take it over’. Unfortunately, such flaws are something that users of an app or service have no control over. Nevertheless, by taking a few basic precautions, users can reduce the risk of their security or privacy being breached.


A TRIED AND TESTED APPROACH

The WhatsApp hack was a classic example of a buffer overflow attack. By no means new, this type of attack is rarely seen these days. In its simplest form, it involves inserting code into an area of the application's memory, where it will then be executed. This was a very coordinated attack, allegedly carried out using software developed by NSO Group Technologies, which has in the past breached phone security with its famous Pegasus spyware. The cunning of this exploitation of WhatsApp’s servers lies in the method by which the attacker managed to gain access to users’ phones in order to spy on them: simply by calling them, without the call even needing to be answered, and sending packets of data to the phone during the process of the call.
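The class of flaw described above, shown as an added example that is not from the article, NTT Security or WhatsApp: a length-prefixed packet parsed first without and then with bounds checks. The packet layout, the struct and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CALLER_NAME_MAX 16

/* Constructed wire format (an assumption, not WhatsApp's protocol):
 * byte 0 = name length as claimed by the sender, bytes 1..n = name. */
struct caller { char name[CALLER_NAME_MAX + 1]; };

/* 'Before': trusts the sender's length byte. Any value above
 * CALLER_NAME_MAX makes memcpy write past name[] into adjacent memory. */
int parse_unchecked(const uint8_t *pkt, struct caller *out)
{
    size_t n = pkt[0];
    memcpy(out->name, pkt + 1, n);      /* no bound on n */
    out->name[n] = '\0';
    return 0;
}

/* 'After': the claimed length is checked against the destination buffer
 * and against the bytes that actually arrived. 0 = accepted, -1 = rejected. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, struct caller *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 1)
        return -1;
    size_t n = pkt[0];
    if (n > CALLER_NAME_MAX)            /* would overflow out->name */
        return -1;
    if (n > pkt_len - 1)                /* claims more than was received */
        return -1;
    memcpy(out->name, pkt + 1, n);
    out->name[n] = '\0';
    return 0;
}

int main(void)
{
    struct caller c;
    const uint8_t ok[] = { 3, 'B', 'o', 'b' };      /* constructed sample */
    uint8_t oversized[1 + 40];                      /* constructed sample */
    memset(oversized, 'A', sizeof oversized);
    oversized[0] = 40;                              /* claims 40 > 16 bytes */
    printf("ok packet:        %d\n", parse_checked(ok, sizeof ok, &c));
    printf("oversized packet: %d\n",
           parse_checked(oversized, sizeof oversized, &c));
    return 0;
}
```

The two rejected cases are distinct: a claimed length larger than the destination buffer, and a claimed length larger than the data received.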


24 JUNE 2019 | ELECTRONICS


OUT OF THE USER’S HANDS

The vulnerability that enabled the hacker to carry out this particular attack had nothing to do with WhatsApp’s encryption or security controls. It was an issue within the application itself, inherent in the way it had been written. The encryption method used for messaging was not brought into question, and the implementation of that has since been proven secure. This limits the actions that users of apps and services can take to prevent similar breaches from happening in the future. However, they are not completely powerless to react.


BACK TO BASICS

Encrypting all data locally is one approach that organisations can take to lock down any information that is being transmitted. For consumers, there are simple things they can do to reduce risk. A classic precaution is to avoid using the same password across a number of popular apps. Of course, it eases your own memory bank, but it could certainly leave your smartphone’s coded memory bank susceptible to a hijack. For example, let’s say you’re keen on a particular hobby and log in to a related forum, using the same password you use to shop with Amazon. An attacker might steal your credentials by targeting the less secure forum. When you’re notified that the forum has been breached, you might dismiss it.


Daniel Follenfant, senior manager of penetration testing and consulting services, NTT Security


However, the attacker can then try your details on Amazon and, consequently, gain access to your account. In an ideal world, everything should have a unique password. Freely available password management software, such as KeePass, can make the job easier, by requiring you to remember only one master password.


LEAP OF FAITH

Ultimately, businesses and consumers need to put their faith in the vendors that create the apps they use. It is up to vendors to protect us by watching for, identifying and fixing vulnerabilities that might leave us or our data exposed. To its credit, WhatsApp quickly addressed the issue by releasing a patch for applications already running. Moreover, mobile app stores themselves provide a small layer of protection, by assessing the apps they host for common flaws that could present a potential security vulnerability to the user and their device. It is in every vendor’s interest to take positive action to monitor and address the kinds of flaws that left the door open for the attacker that targeted WhatsApp. Fierce competition, combined with a high turnover of applications, means that if they fail to take responsibility, consumers could and likely will walk away and find someone else that does.


NTT Security www.nttsecurity.com / ELECTRONICS

