
Both my mother and I are highly security-conscious individuals. Despite our vigilance, we recently fell victim to a WhatsApp hack through a zero-day vulnerability. A zero-day vulnerability refers to a security hole or vulnerability in a computer system that remains undisclosed to its developers or anyone capable of mitigating it. Until the vulnerability is patched, threat actors can exploit it through a zero-day exploit or zero-day attack. The term “zero-day” originally denoted the number of days since a new software release to the public. Consequently, “zero-day software” was obtained by hacking into a developer’s computer before its release. Over time, the term was extended to encompass the vulnerabilities that enabled this hacking and the number of days that the vendor had to address them.
As mentioned before, and as is common knowledge, demonic forces descended upon us and our people. Our devices were compromised without any involvement or error on our part. Subsequently, the device was utilized against us for surveillance purposes. As the Government of Jamaica endeavors to combat cybercrime and enhance security, it is imperative to emphasize that individuals of wealth, prominence, or possessing extensive empires that unscrupulous entities seek to exploit may become potential targets of this hazardous attack. It is crucial to recognize that these threats extend beyond governments, journalists, and other entities.
The Ministry of National Security recently posted on the topic of Cyber Security, designating October as Cybersecurity Month and discussing their push for enhanced cyber security. I am 100 percent behind this initiative, as we recently became victims despite our rigid security methods.
Coming from an IT background, I used to build and sell PCs running Linux and Windows. Through various meetings and functions with diplomats and friends of my mother and father, I used to repair their PCs and install security software to protect them and their loved ones. I was part of the Spread Firefox movement, which helped dethrone Microsoft’s Internet Explorer as the world’s most popular web browser. Internet Explorer was a terrible web browser that deliberately fought against open standards compliance, breaking the web for all browsers that were not Internet Explorer and ensuring Microsoft’s dominance.
Essentially, most websites were designed specifically for Internet Explorer’s broken engine and would refuse to run in any other web browser. Back then, you had to have Windows and Internet Explorer to log in to your bank, insurance, email, etc. If you used any other browser, it simply would not work. From the ashes of Netscape, Firefox fought for open standards compliance and thus paved the way for alternatives like Safari. Now, thanks to open standards compliance, all important websites work in most web browsers regardless of browsing engine.
Microsoft eventually joined the party and released Microsoft Edge as part of Windows, which is based on Chromium, the open-source web browser that Google Chrome is based on. Chromium is based on a modified version of Apple’s WebKit, which is one of the most robust browsing engines available to date. Through the iPhone, Steve Jobs and Apple fought to eliminate the monopolistic, unstable, and insecure Adobe Flash Player, which at the time was required to view video on most websites, including YouTube. He took the initiative to enforce the open standard known as HTML5 video, refusing to support Flash on the iPhone. He prioritized stability, performance, security, and battery life, all of which would have been compromised if he had allowed Adobe to dictate the future. Consequently, all website developers who were either lazy or had their hands in Adobe’s pocket were forced to support open standards, such as HTML5 in this instance.
While I digressed briefly, all of this information is highly pertinent and contributes to the point I am attempting to convey. Steve Jobs recognized that Adobe Flash posed a threat to his iPhone. Instead of succumbing to its dominance as the primary platform for online video and animation, he made a decision guided by his intuition and decisively halted its installation. He understood that this action would compromise his infrastructure and advocated for positive change. Returning to my main point, my intuition consistently prevented me from using WhatsApp and Meta. However, since most Jamaicans rely on these platforms for communication, I disregarded my gut feeling and installed them on both my mother’s and my phone. I will elaborate on this further in a later discussion.
As an avid Apple user, I have always been impressed by the durability and security of Apple computers. While Apple has consistently produced some of the most stable and secure devices globally, the increasing popularity of the Apple iPhone, iPad, and iOS operating system has made their devices vulnerable to exploitation. In contrast, Android devices face a more challenging security situation due to the fragmentation within the Android ecosystem. Essentially, Android devices are inherently less secure than Apple devices. Furthermore, the majority of Jamaicans utilize third-party Android devices from manufacturers such as Samsung and LG, which often lack a strong track record of updating their devices. Consequently, these devices leave customers exposed to exploits that cannot be patched or remedied.
If you prioritize security, consider purchasing an iPhone. Apple prioritizes your privacy and well-being, as their primary revenue stream originates from the sale of their hardware, software, and services. In contrast, Google, Meta, and other companies generate their income by selling your data to advertisers. Before engaging in a debate about iPhones vs Android, it is essential to exercise common sense.
OK, on to the topic at hand:
As Jamaica is one of the most technically advanced, estate-rich and coveted nations in the Caribbean, it has been plagued by many cybercrimes.
JaCIRT recommends against entering emails and passwords on unsecured websites. This means, for example, that a website whose address begins http://www.nameofwebsite.com is unencrypted. The website must display https://www.nameofwebsite.com, which means it is encrypted. Pay close attention to the website address you enter in your address bar, as an incorrectly entered address could also take you to an impostor site that will gladly steal your credentials.
Furthermore as posted by the Most Honorable Andrew Holness, JaCIRT recommends that you:
✔️ Review your digital footprint and reduce unnecessary exposure.
✔️ Keep your devices updated and properly secured.
✔️ Guard your digital secrets, your passwords, your Wi-Fi access, your networks at home and at work.
✔️ And avoid oversharing on Social Media.
Finally, Lt. Col. Sterling emphasized the importance of reporting incidents.
I agree very much so. If you were hacked or you think you are compromised, do not keep it to yourself. Talk, report it; if nobody talks, nothing gets solved and everyone remains exposed. This goes not only for security but also for software bugs. Throughout the years, whenever I encountered a bug or exploit, I have always made it a point of duty to report it to the manufacturer and, in the case of security, the government. Nothing is perfect, nothing is permanent, everything has flaws, but those flaws cannot be patched if no one speaks up when they encounter them.
In addition to these measures mentioned by Lt. Col. Sterling and JaCIRT, it is imperative to configure your device to screen incoming calls and messages from unidentified senders. Refrain from opening unsolicited emails, messages or attachments from strangers or individuals you do not trust.
Implement Two-Factor Authentication (2FA): Enhance the security of your Apple ID by enabling 2FA (Settings > [Your Name] > Sign-In & Security > Two-Factor Authentication). This robust authentication method safeguards against account-based attacks that exploit vulnerabilities to gain unauthorized access to iCloud data. Additionally, it is imperative to enable 2FA for all your online accounts and applications to reinforce your digital security posture.
Whenever feasible, avoid using your phone number as the second factor of authentication and opt for an authenticator application instead.
This issue has garnered global recognition and demands attention. Most banks and institutions that assert their security still rely on unsecured phone numbers as a method of authentication. This practice poses a substantial risk. A few weeks ago, my mother’s SIM card was compromised. Consequently, her phone displayed “No Service”, and when someone attempted to call her, they either reached an unknown individual or received no response at all.
To retrieve her phone number, we had to report the incident to the carrier and the Government of Jamaica. In a SIM swap scam, an individual approaches the carrier, claiming to have lost or stolen their phone, and requests that the representative port “their” number to a new SIM card. If the individual possesses substantial resources, they can persuade a corrupt or unscrupulous individual within the telecommunications company to comply with their request. Consequently, they obtain your phone number. Your phone will display “No Service,” and your SIM card will become inactive.
If her phone number had been tied to any of her online accounts, that malicious actor would have had complete access to everything. For example, if the hacker knew her email address but did not have her password, yet had access to the phone number that receives the one-time authorization codes and password reset requests, that malevolent party would have complete access to everything.
Let us now return to the technical analysis. Regarding the zero-day exploit that necessitated no user interaction, WhatsApp is configured by default to accept all incoming media automatically. This setting serves as an ideal vector for transmission, akin to a vulnerable individual readily accepting any information from any source.
If you must use WhatsApp, disable auto-downloading of all content (Photos, Videos, Documents, etc.). I do not consider WhatsApp to be secure even though it features end-to-end encryption; nonetheless, update your smartphone and WhatsApp to the latest version, as Meta claims they have patched the zero-day exploit in their latest update.
Disable MMS messaging on your device, as zero-day exploits can also travel via this method. If you are on iPhone, set up Messages to filter messages from unknown senders. This can be done by going to Settings > Apps > Messages > Message Filtering > Filter Unknown Senders. This setting will put messages from senders not in your contacts list in a separate list.
Now for FaceTime: Go to Settings > Apps > FaceTime > Calls > Silence Unknown Callers. Set this toggle to On. This means that people who are not in your contacts list will be silenced when they try to FaceTime you.
Now, thoroughly review your contacts list in the Phone app (Phone > Contacts) and in WhatsApp, and block all individuals you do not trust or communicate with. Upon completion, akin to ending a romantic relationship, you can safely delete them from your device. These contacts will be blocked, preventing any potential harm or infection. If you anticipate the need to contact them in the future (which is unlikely), consider writing down their information on a separate piece of paper before deleting them.
Do not click on any links or view unsolicited emails from strangers or people you do not trust, as exploits can also travel via this method. Set up the Mail app to NOT download remote images. Go to Settings > Apps > Mail > Composing > Load Remote Images and disable it.
Maintain iOS Security: Regularly update your iPhone to the most recent iOS version. Apple frequently releases patches for vulnerabilities, even if not publicly disclosed, as part of minor updates. Access Settings > General > Software Update and enable automatic updates to ensure timely resolution of security issues.
Enhance Device Security with Strong Passcode and Biometrics: To safeguard your device against unauthorized access, it is imperative to establish a robust passcode. Opt for a complex passcode that comprises at least six digits, preferably incorporating alphanumeric characters. Additionally, enable Face ID or Touch ID to provide an additional layer of security. To configure these features, navigate to the Settings menu and select the appropriate option, such as Face ID & Passcode or Touch ID & Passcode.
Enable Data Protection: By default, your iPhone should encrypt data, which is a standard security feature on iOS devices with a passcode. Avoid jailbreaking your device, as it disables this protection and makes your device vulnerable to exploits.
Limit App Permissions: Review and restrict the permissions granted to applications to only those essential for their functionality. Access the Settings > Privacy menu to manage access to location, contacts, photos, and other sensitive data. Exercise caution when applications request excessive permissions, as they may pose security risks and exploit vulnerabilities.
Ensure Security by Installing Apps from Reputable Sources: To safeguard your device, exclusively download applications from the official Apple App Store. This platform undergoes rigorous security verification by Apple. Refrain from utilizing third-party app stores or sideloading unless absolutely necessary, as these methods can inadvertently introduce malicious code. Most iPhone users do this by default, but I mention it nonetheless. This precaution is particularly crucial for Android users, as Android allows sideloading much more easily. Apple was looking out for you by making sure all apps come from their App Store.
Utilize Safari with Default Security Settings: Safari’s Intelligent Tracking Prevention and fraud alerts effectively reduce the risk of web-based zero-day attacks. Refrain from clicking suspicious links and enable Settings > Safari > Fraudulent Website Warning. While disabling JavaScript (Settings > Safari > Advanced) can enhance security for sensitive browsing, be aware that it may render certain websites inaccessible.
Disable Unnecessary Features: To minimize potential vulnerabilities, disable features such as AirDrop, Bluetooth, and Wi-Fi when not actively utilized. This can be accomplished by accessing the Control Center or navigating to Settings > Bluetooth/Wi-Fi and toggling off these connections. Additionally, refrain from connecting to public Wi-Fi networks without employing a virtual private network (VPN) to safeguard your data.
Monitor for Suspicious Activity: Regularly monitor Settings > Battery or Settings > General > iPhone Storage for anomalous app behavior or unexplained battery drain, which may signify a security breach. Utilize Settings > Screen Time to scrutinize app usage patterns.
When compromised, your device may become unbearably slow, freeze, and exhibit erratic behavior. It may experience poor battery life even when hardly used, leading you to believe that a battery replacement is necessary. When viewed through a DNS caching service, you may see suspicious private domains that do not relate to the operating system (OS) or any of the applications installed on your device. In one instance, my iPhone became completely frozen, preventing me from opening applications or turning it off. I had to forcefully reboot it.
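The DNS observation above can be turned into a simple triage step. This added example (not from the original post) parses constructed dnsmasq-style resolver log lines for one device and lists the queried domains that fall outside an assumed allowlist of domains belonging to the OS and the installed apps, so that anything left over can be reviewed.

```python
import re
from collections import Counter

# Constructed sample resolver log (dnsmasq-style); not captured from a real device.
SAMPLE_LOG = """\
Oct 12 10:15:01 dnsmasq[412]: query[A] gateway.icloud.com from 192.168.1.20
Oct 12 10:15:02 dnsmasq[412]: query[A] mesu.apple.com from 192.168.1.20
Oct 12 10:15:03 dnsmasq[412]: query[A] g.whatsapp.net from 192.168.1.20
Oct 12 10:15:07 dnsmasq[412]: query[A] xk3f9q2.update-node.example from 192.168.1.20
Oct 12 10:15:09 dnsmasq[412]: query[A] xk3f9q2.update-node.example from 192.168.1.20
Oct 12 10:15:40 dnsmasq[412]: query[AAAA] static.whatsapp.net from 192.168.1.20
Oct 12 10:16:02 dnsmasq[412]: query[A] xk3f9q2.update-node.example from 192.168.1.20
Oct 12 10:16:15 dnsmasq[412]: query[A] www.quad9.net from 192.168.1.20
Oct 12 10:16:20 dnsmasq[412]: query[A] time.apple.com from 192.168.1.33
"""

# Assumed allowlist: domains you expect from the OS and the apps actually
# installed on the phone. Build yours from the device's own app list.
EXPECTED_SUFFIXES = ("apple.com", "icloud.com", "whatsapp.net")

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def registered_domain(name: str) -> str:
    """Collapse a hostname to its last two labels. Adequate for this demo; a
    multi-part public suffix such as co.uk would need the Public Suffix List."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_expected(name: str) -> bool:
    """True if the name is, or is a subdomain of, an allowlisted domain."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in EXPECTED_SUFFIXES)


def unexpected_domains(log_text: str, client: str) -> list[tuple[str, int]]:
    """Return (registered_domain, query_count) for names queried by `client`
    that the allowlist does not cover, most frequently queried first."""
    counts: Counter[str] = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["client"] != client:
            continue  # malformed line, or another device on the network
        if not is_expected(m["name"]):
            counts[registered_domain(m["name"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for domain, n in unexpected_domains(SAMPLE_LOG, "192.168.1.20"):
        print(f"{n:4d}  {domain}")
```

The flagged names are leads for review, not proof of compromise: a benign site you visited will appear alongside anything the OS and apps did not account for, which is exactly the list worth explaining domain by domain.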
Following device exploitation, we had to thoroughly wipe all our devices (both macOS and iOS) using the “Erase and Reset” functions. Navigate to Settings > General > Transfer or Reset > Erase All Content and Settings. This option completely erases and reformats the user data partition on the iPhone’s or Mac’s internal SSD, effectively deleting all applications, settings, and files. After the initial boot, it is crucial to refrain from restoring from any backups, as the exploit could still be present and re-install itself from the backup. I cleared all backups stored from apps that send and receive calls and texts from my iCloud and local backups prior to wiping my device.
If you are a person at high risk, do not use Android and do not install any third-party apps. Use iMessage and FaceTime, as they are end-to-end encrypted with AES-256. They are owned and run by a company whose profit does not come from harvesting your data. Be sure to enable Apple’s “Advanced Data Protection” (also found in the Settings app), which end-to-end encrypts backups to iCloud as well.
Regularly monitor Settings > Safari > Downloads for the presence of unidentified files and Settings > General > Profiles & Device Management for the detection of unauthorized profiles. These indicators may suggest the presence of an exploit.
Enable Find My iPhone: In the event of your device being lost or stolen, Find My iPhone provides remote access to lock or erase it, safeguarding your data. To enable this feature, navigate to Settings > [Your Name] > Find My > Find My iPhone.
On your Mac
Enable Gatekeeper and XProtect
Gatekeeper restricts app installations to trusted sources, such as the App Store or signed developers. To ensure its activation, please check System Settings > Privacy & Security and set it to “App Store and identified developers” to strike a balance between security and flexibility.
XProtect, an integrated malware detection tool by Apple, automatically updates without the need for manual configuration. To verify its active status, ensure that macOS is up to date, as XProtect signatures are distributed through system updates.
To enhance cybersecurity, enable the macOS firewall (System Settings > Network > Firewall) to prevent unauthorized incoming connections. For enhanced monitoring and blocking capabilities, consider employing a third-party firewall such as Little Snitch. This firewall can effectively detect and prevent suspicious outbound traffic, which could potentially be utilized for command-and-control communication by zero-day exploits.
Disable Unnecessary Services: Turn off features such as File Sharing and Remote Management if not in use. To do this, navigate to System Settings > General > Sharing.
Implement Strong Passwords and Enable FileVault: To safeguard your data, it is imperative to establish a robust user password. Additionally, enable FileVault (located under System Settings > Privacy & Security > FileVault) to encrypt your disk. This encryption will serve as a protective barrier, safeguarding your data even if an exploit gains unauthorized access.
Utilize a privacy-oriented browser such as Safari, configured with its default settings (Intelligent Tracking Prevention and sandboxing), or a hardened alternative like Firefox, which is designed with stringent privacy settings.
Enable Content & Privacy Restrictions in Safari (Settings > Safari) to block pop-ups and limit cross-site tracking.
Install browser extensions like uBlock Origin (Firefox) or AdGuard (Safari) to block malicious scripts and ads, which are common vectors for zero-day exploits.
Only download applications from reputable sources such as the Mac App Store or verified developers. Refrain from downloading pirated software, as it frequently contains vulnerabilities and exploits.
Disable automatic login: Go to System Settings > Users & Groups and ensure automatic login is off to prevent unauthorized access.
Use tools like Apple’s built-in Activity Monitor to watch for unusual processes or high resource usage, which could indicate an exploit.
Utilize Time Machine or an alternative backup mechanism to establish a consistent and encrypted backup system. This proactive approach ensures the ability to restore your system without data loss in the event of a zero-day compromise affecting your Mac.
Device Setup and App Installation
Upon setting up your device as new, install applications one by one, prioritizing those essential for your needs. Thoroughly review the permissions granted to each application before installation. Exercise caution and refrain from granting permissions to applications that do not require those features for their functionality.
If setting up your device anew, I recommend referring to my article and following the outlined steps in addition to those posted by JaCIRT. Maintaining a minimal setup is crucial for effective device management, security, and clarity. Once you have completed the steps above, it is imperative to regularly back up your device. Utilize encrypted backups via iCloud (Settings > [Your Name] > iCloud > iCloud Backup) or a computer equipped with iTunes/Finder. In the unfortunate event that a zero-day vulnerability compromises your device, you will be able to restore from a pristine backup.
Other Common Sense things
Purchase an up-to-date brand-name router, connect it to your ISP’s modem/router and disable the Wi-Fi feature on your ISP’s modem/router, as you will be using your more secure and up-to-date router for this.
Change the default Wi-Fi password and admin password on your router. On the router that you have purchased, create a separate “Guest” network for your guests, which will have a separate password from your “main” network. Keep the password for your main network secret.
Change your DNS service from your default ISP to a security focused provider like Quad9 that blocks malicious domains at the source. This will provide improved protection for all devices connected to your router including your smart home devices.