Category Archives: Security

Is Your Robot Vacuum Gathering Dirt About You?

Someone passed a joke by me today that tried to make light of the fact (pun intended) that “smart” electronics like phones and televisions might be collecting your private conversations.

The joke was to not worry since “your vacuum cleaner has been gathering dirt on you for years”.

My humorless response was two-fold.

1) Evil maid is a long-standing canon of threat modeling. Of course any “cleaning” device you allow should be in the category of services that could abuse narrowly-defined access grants to violate confidentiality. Pro-tip: evil maid does NOT mean physical access only.

2) Laser-guided cleaning robot vacuums have long been known to be a vector for acoustic monitoring, as demonstrated two years ago. Any device with light detection and ranging (Lidar) sensors could be manipulated for sound collection, despite having no microphone. The researchers’ “LidarPhone” used AI to match and identify parts of speech (numbers) with 90% accuracy. It also identified previously recorded speech (television shows) from a minute’s worth of recording with more than 90% accuracy.

Movie Review: Escape from Mogadishu

This 2021 WellGo USA film has several interesting twists.

Dramatically constructed based on a true story: as civil war rages in Mogadishu, rival North and South Korean diplomats are left trapped. With no aid from either government, their only shot at survival may require uniting with bitter adversaries to escape.

An obvious way people are made happier is when they have the trust to build connections and be more social (even misery enjoys company). That’s the underlying wisdom of this true story.

I found it particularly interesting that the North Koreans are depicted as competent, professional and coldly rational or calculating. The South Koreans are depicted as the opposite: incompetent, unprofessional and driven mostly by emotion or moral feeling. I’ve reflected on this before given another movie from South Korea.

It’s also completely different to how Americans typically portray the two sides (trying to frame North Koreans as incompetent and emotional), which also reminds me of a presentation I gave called “Dar-win or Lose”: the Cuban Missile Crisis gives critical insight into why Big Data Platforms are doomed (led by coldly rational management instead of moral feelings).

WhatsApp security failures led to widespread political spying: “spouse, key staff members, and close associates”

There’s a buried lede in the recent CitizenLab report about Catalans targeted by Spanish government spyware: an overly broad dragnet model.

In 2019, WhatsApp patched CVE-2019-3568, a vulnerability exploited by NSO Group to hack Android phones around the world…. […] The spouse, key staff members, and close associates of Carles Puigdemont (MEP, JUNTS) were all targeted…. We count up to eleven individuals that fit this category. For example, Marcela Topor, his spouse, was infected at least twice (on or around October 7, 2019 and July 4, 2020).

This reminds me of news from 50 years ago.

…Gallagher’s concerns were being aired just as FBI wiretaps and bugs targeting Martin Luther King were believed to have violated the privacy rights of over 6,000 people by 1968.

In addition to spying on everyone around a person of interest, the method used by Spain is technically interesting because the regularity of software patching usually diminishes with each degree of separation from a target.

Does everyone in your circle of family and friends update regularly? They should.

The WhatsApp CVE-2019-3568 cited above was a particularly critical buffer overflow — rated by some as CVSS 9.8 out of 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It led to unauthenticated remote access.

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number.

It was just one out of seven overflow vulnerabilities disclosed by WhatsApp that year alone!

What do I mean by update regularly? This official vulnerability notice for WhatsApp was published 14 May 2019. I tried my best to warn at that time:

Facebook’s “secure” messaging app has been found vulnerable to compromise by a simple call.

That makes the timing of the above October 2019 and July 2020 infections even more noteworthy, because the exploits happened many months after the fix was available.

Could a simple patch within a month of notice (the customary turnaround given the CVSS 9.8 rating) have blocked the attacks on a politician’s spouse? And more importantly perhaps, would a politician’s spouse have updated quickly?

It seems WhatsApp security marketing and promotion gave everyone a false sense of confidence.

In other words, here’s the real twist to this otherwise routine story, which should be reported far more widely. On April 11, 2019 a disgraced and fired former CSO of Facebook went on tour to promote WhatsApp as “the most privacy enhancing” product of all time.

Source: Twitter

And here’s a pro-tip about encryption: It doesn’t do anything to protect privacy when its application opens up a giant vulnerability giving open access to the system it runs on. Facebook (e.g. WhatsApp) thus may be recorded as the most privacy-destroying software in history because of its deceptive claims about safety.

Their ex-CSO could have been warning about the litany of security vulnerabilities in software that makes it an inherently untrustworthy communication channel, requiring careful management and maintenance — WhatsApp being no exception. That’s normal security professional advice (again, as I warned in May 2019).

Instead it seems overconfidence and bluster went unchallenged until far too late, a story all too familiar for those who know what’s going on behind the scenes in Silicon Valley.

For nearly a decade now and certainly since 2015 I’ve warned Spanish-speaking officials (among others) to ignore encryption puffery — not to trust WhatsApp for communication.

Given these technical details the political part of the story that seems to get lost in the news is that Facebook has strong ties with Russia, Catalan separatists had strong ties with Russia, and so… Catalans using Facebook were spied on by Western intelligence because Facebook (like Russia) is so awful at real security.

“Slavery is not in the past”

The BBC has just published an excellent article called “Confronting my family’s slave-owning past”.

As I grappled with the philosophical question of whether personally I owed anything, I sought the advice of Sir Hilary Beckles, the historian and vice-chancellor of the University of the West Indies who is the chair of the Caricom Reparations Commission.

“Slavery is not in the past,” said Sir Hilary. “Our grandparents remember their great-grandparents who were slaves. Slavery is part of our domestic present. Slavery denies you access to your ancestry. It leaves you in this empty void.”

Indeed. Slavery is not only part of our domestic present, I regularly present it as fundamental to understanding the near future of AI and robotics.