Hack #2 – A stranger is calling you

Beginner Déc 20, 2019

messaging service call
Key takeaways:
– Messaging apps can be targeted through elaborated attacks masked as a phone call, leaving it virtually impossible to notice.
– Through this, vulnerabilities in messaging apps could be used remotely collect all data (e-mails, passwords, crypto wallets).
– If a user would use Keystore systems, even this information could be remotely accessed by the attacker.
– As hardware wallets keeps your sensitive data offline, this completely mitigates this type of attack.


The WhatsApp vulnerability came to light in May 2019 when Facebook announced that a critical bug in the WhatsApp contact system could allow an attacker unfettered access to the data of WhatsApp’s more than 1 billion global users.

How does it work?

A type of “zero-day exploit,” the WhatsApp vulnerability consisted of sending malicious data packets to a user’s phone disguised as a phone call from a random, non-contact number. Users didn’t even need to pick up the phone calls, and the attack was virtually invisible to users. The malicious software rewrote the app’s memory and, thanks to an additional vulnerability, granted access to emails, passwords, notes apps, crypto wallets, and more.

The vulnerability was linked directly to a common programming bug called memory corruption, which makes the prospect of similar attacks currently ongoing a realistic proposition. If the victim installed crypto currency apps, the attacker could remotely obtain information from a user’s crypto wallet — with the user unaware of what’s happening.

The most disturbing aspect of the WhatsApp vulnerability is that Facebook acknowledged it is unaware of how many users were affected. In addition, an Israeli security firm cited its ability to install malicious software via messages on WhatsApp long before the exploit was discovered.

The consequences

Such intrusions not only affect the security of user crypto assets but their privacy. Surveillance software can easily be deployed using the WhatsApp vulnerability, making it an even more egregious bug. 

The hack also abused a problem with the VoIP calling system, which is a ubiquitous Internet protocol for calling people at cheap or virtually free rates. This highlights how widely used mediums of communication, despite being around for years, still contain critical weaknesses. 

The emerging pattern that you should be aware of is that Internet-connected devices come with significant unknown risk drawing from their exposal to myriad hackers and software components. In cybersecurity circles, simple is often better. It is much easier to surreptitiously exploit an attack vector in a complex system than it is in a simpler system with less logical ambiguity. 

Hardware wallets are explicitly designed with this concept in mind.

A hardware wallet keeps your crypto safe

Again, a hacker would also need physical access to the user’s hardware wallet to actually wield data stolen from the WhatsApp vulnerability to withdraw funds. 

In addition, Ledger has its own standalone operating system called BOLOS that isolates crypto applications from each other. BOLOS is a markedly different approach than applications stored on a user’s smartphone, like WhatsApp. 

For security reasons, each cryptocurrency should be its own application. The generic OS for SE chips is not suited explicitly for cryptocurrencies, but BOLOS is. BOLOS essentially acts as a buffer between the private data on your secure hardware and the third-party crypto apps installed on your device. As a result, bugs or malicious code in third-party apps will never have access to your private key or seed phrase. 

The WhatsApp bug has since been patched, but it reveals an endemic problem — unknown vulnerabilities can be leveraged by bad actors for their benefit over extended periods when connected to the Internet. 

Hardware wallets offer a blend of offline safety from many of the attack vectors present on your phone or computer. Many people have dozens, if not hundreds, of applications running on their smartphones. Hardware wallets sever the need to trust that these applications are adequately insulated from security risks, and gives the user the ultimate autonomy over their precious crypto assets.


Related article