What’s up with WhatsApp?

Published 11:32 am Tuesday, June 4, 2019

Are the bad guys winning? Or have software designers gotten lazy?

Either way, it’s been a rough year for technology enthusiasts. With each day, another substantial hack appears, and not a run-of-the-mill hack either. We’ve witnessed large and complex hacks this year, all of which suggest the bad guys are winning. And we’re all losing.

I was eating breakfast at a local restaurant last Saturday when another patron dropped by my table and asked me a seemingly simple question, “Is there any way to really secure electronic data?”

In security, we often discuss striking a balance. The short answer to the question is yes. Most security practitioners can secure electronic data completely. However, the means to accomplish such an effort would tip the scales far away from usability. We are often in a delicate dance, trying to provide easy access to electronic information and services while safeguarding the desired data.

Nowadays, the best defense is taking security into your own hands.

Be aware, update your software, be stingy with what you share and reveal online, and only use trusted applications and services.

This week, Facebook revealed that their widely popular WhatsApp has fallen victim to an unbelievable attack. The sophisticated phishing operation employed some of the most advanced spyware available. The tool was developed by a private Israeli firm, NSO. NSO has made the headlines before. They designed the Pegasus app, which allowed government agencies to spy on dissidents. Included among Pegasus’ functions are wiretaps, password collection and location tracking.

According to online reports, the hackers compromised WhatsApp using a security deficiency in the software’s calling feature.

WhatsApp is a free messaging and voice-over-IP communication service. The app was released in 2009 and acquired by Facebook in 2014 for $19.3 billion. The service allows users to send text messages, make voice and video calls, and share a wide variety of media and their location. Some consider the application the most popular messaging application in the past several years, with over 1.5 billion registered users. The service previously charged $1 annually for a subscription; however, the fee was eliminated in 2016.

In 2016, Facebook was sued for violating European laws related to data sharing between WhatsApp and Facebook. The app was blocked in China in 2017; in fact, Facebook’s main social media platform has been blocked in China since 2009.

Using NSO’s software (reportedly), the hackers created a “call-out” feature that allowed malicious software to be installed onto an Android phone or iPhone simply by placing a WhatsApp call. To make the issue worse, the user didn’t even have to pick up the call – the hack occurred simply by having the application installed on your mobile device.

The software allows remote access to information stored on mobile devices. Once inside of your device, the hackers have complete access to private messages and location data.

Facebook released an updated version of WhatsApp on Monday and encouraged the nearly 2 billion users to update the software immediately. Further, they suggested users update their mobile operating systems as well.

The hack was first observed almost two weeks ago by a lawyer in Europe. A research team examined WhatsApp and discovered the exploit. Due to the similarity of the exploit tool to others designed by NSO Group, the malware has been attributed to them.

NSO Group stated on Monday that its spyware is licensed strictly to government agencies and it would investigate any “credible allegations of misuse.” They pledged to review the matter aggressively. Whether the malware was written by NSO, whether their product was misused, or whether someone else designed something independently, it’s unlikely that we will know for certain.

The mobile app world is definitely like the wild, wild west. Anything and everything goes, and, given that most apps cost little to nothing to purchase, users often install scores of them. The bad actors are infrequently held accountable.

At the moment, it is unknown if the attack is directed or broad. We know that all versions of WhatsApp released prior to Monday are vulnerable. If an organized group of hackers is exploiting the vulnerability, what are they doing with it?

The most likely scenario is profit: the private information will be held for ransom or sold to acquirers of stolen identities.

What should you do?

Well, as I mentioned, Facebook suggests updating the app and the mobile operating system. I reviewed a few phones of users of the app and didn’t notice an update. When I forced the mobile device to visit the update site, the WhatsApp update appeared. So definitely update.

However, let’s ponder how this attack was successful. The application was hijacked via a phone call. I don’t know about you, but I receive numerous “unidentified” calls each day, despite having registered for the Do Not Call Registry.

Don’t answer the calls. I’ve been guilty of answering the calls and working to frustrate the callers. However, given the latest information on this particular threat, answering your mobile phone from an unidentified number could present risk beyond annoyance.

My last suggestion is simple: uninstall WhatsApp. Get rid of it. The native messaging apps for mobile devices have improved substantially and it’s likely that those will address your needs. Unless you have a clear need for the service, I’d balance the equation towards security and eliminate the app completely.

Stay safe, update and back up your data often.