NOTE: BEFORE READING THIS ARTICLE, PLEASE UPDATE WHATSAPP. WE’LL WAIT!
Given WhatsApp’s much vaunted end-to-end encryption one might assume that it’s a reasonably safe platform to share private information on. Other than choosing the recipient of the communication carefully, it has always appeared that there’s not much risk of leaks when using this direct messaging service to keep in touch - or to share our live location, our innermost thoughts, even occasionally our financial information.
However, with the latest news coming out of Israel, we now understand that WhatsApp’s encryption is no guarantee against lapses.
As first reported by The Financial Times, surveillance software was installed on targeted smartphones through a vulnerability in WhatsApp’s voice-calling feature. The hack, the British newspaper reported, allowed the attacker to work around WhatsApp’s encryption and read messages.
On Sunday, an attempt to install Pegasus (a spyware product) on the phone of a UK-based human rights lawyer was allegedly repelled by WhatsApp. However, it is unclear how many, if any, other WhatsApp users were successfully attacked with Pegasus. According to the BBC, WhatsApp has acknowledged that the hack occurred and that a ‘select number of users’ were targeted. “Once installed, the spyware can turn on a phone’s camera and mic, scan emails and messages, and collect the user’s location data,” according to The Verge.
With a single WhatsApp call, the spyware can be installed without a trace. What makes it worse is that the spyware can be installed even if the target does not answer the call. More disturbingly, the missed call often disappears from the call logs. As a result, the victim may not know that they were targeted at all.
The Financial Times added that: “Within minutes of the missed call, the phone starts revealing its encrypted content, mirrored on a computer screen halfway across the world. It then transmits back the most intimate details such as private messages or location, and even turns on the camera and microphone to live-stream meetings.”
Hackers infiltrated a still unknown number of phones using spyware called Pegasus. This code, once installed, can access pretty much any information on your phone, encrypted or otherwise. Pegasus is used to gain remote access to smartphones, and has been used by governments to snoop on journalists. According to WhatsApp: “This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.” This is widely understood to refer to the NSO Group, the company that developed Pegasus in the first place. Though the NSO Group claims to sell spyware to governments to help fight crime and terror, the most charitable reading must admit that its spyware lends itself to abuse by governments of questionable morality.
The NSO Group had largely operated under the radar before 2016. While they have built up a formidable reputation on the back of their ability to break through Apple’s rigorous privacy and security measures, last week’s attack shows that WhatsApp is a new target. “We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society,” WhatsApp said in a statement.
This was a zero-day vulnerability (a flaw that was exploited before the developers knew of it, leaving them zero days to fix the issue before it was used). WhatsApp has already resolved the issue in the latest version rolled out, and urges its users around the world to update their apps.
The BBC reported that “journalists, lawyers, activists and human rights defenders”, most specifically human rights lawyers, were the most likely targets of this weekend’s attack. However, all WhatsApp users who are not using the latest version of the app could be vulnerable. Please therefore update your app today.
This particular hack has, in all probability, not impacted your phone (unless you are a human rights activist, politician, journalist or lawyer). This attack seems to have targeted major players around the world. However, the attack has revealed vulnerabilities in WhatsApp's systems.
If you are still using any of these versions of WhatsApp, please update right away to the latest version.
WhatsApp for Android prior to v2.19.134
WhatsApp Business for Android prior to v2.19.44
WhatsApp for iOS prior to v2.19.51
WhatsApp Business for iOS prior to v2.19.51
WhatsApp for Windows Phone prior to v2.18.348
WhatsApp for Tizen prior to v2.18.15
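The version list above is only useful if it is compared correctly: a plain string comparison treats "2.19.99" as newer than "2.19.134" because it compares character by character. The following is an added example, not code from the article or from WhatsApp, that parses version strings into numeric tuples and reports whether an installed build predates the fixed release for its product. The product names and fixed versions are taken verbatim from the list above; the installed versions used in the comments are constructed for illustration.

```python
# Added example (not part of the original article): check whether an installed
# WhatsApp build is older than the fixed versions listed in the article.
from typing import Dict, List, Tuple

# Fixed versions exactly as the article lists them; builds *before* these are affected.
FIXED_VERSIONS: Dict[str, str] = {
    "WhatsApp for Android": "2.19.134",
    "WhatsApp Business for Android": "2.19.44",
    "WhatsApp for iOS": "2.19.51",
    "WhatsApp Business for iOS": "2.19.51",
    "WhatsApp for Windows Phone": "2.18.348",
    "WhatsApp for Tizen": "2.18.15",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v2.19.134' into (2, 19, 134) so that comparison is numeric, not lexical."""
    cleaned = version.strip().lstrip("vV")
    parts = cleaned.split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in parts)


def is_affected(product: str, installed: str) -> bool:
    """True when the installed build predates the fixed release for that product."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for {product!r}")
    # Tuple comparison is element-wise and numeric: (2, 19, 99) < (2, 19, 134).
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def naive_is_affected(product: str, installed: str) -> bool:
    """The wrong way: comparing the raw strings. Kept only to show the pitfall."""
    return installed.lstrip("vV") < FIXED_VERSIONS[product]


def affected_devices(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (device_id, product, installed_version) rows, return the device ids
    that still need updating. The inventory is a constructed sample, not real data."""
    return [device for device, product, version in inventory
            if is_affected(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory: hypothetical device ids and installed versions.
    sample_inventory = [
        ("phone-01", "WhatsApp for Android", "v2.19.99"),     # older than 2.19.134
        ("phone-02", "WhatsApp for Android", "2.19.134"),     # exactly the fixed build
        ("phone-03", "WhatsApp Business for iOS", "2.19.50"), # older than 2.19.51
        ("phone-04", "WhatsApp for Tizen", "2.18.15"),        # exactly the fixed build
    ]
    for device in affected_devices(sample_inventory):
        print(f"{device}: update required")
    # Demonstrate the pitfall: the string compare says 2.19.99 is NOT affected.
    print("naive check on phone-01:", naive_is_affected("WhatsApp for Android", "2.19.99"))
```

Note that a build equal to the fixed version is reported as not affected, matching the article's "prior to" wording; the naive string compare is included only to make the lexical-ordering mistake visible.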
Malware of any kind is dangerous to all of us. Keep yourself up-to-date and informed, and take all due action to protect your data and your privacy. Stay safe!
Writing credit: Authored by Prithiv, a Mobicip researcher who writes about the effects of technology on health and well-being.