Encryption is back in the headlines today after it was revealed that a major vulnerability in the popular WhatsApp encrypted messaging service meant that hackers were able to remotely install surveillance software onto smartphones and other devices.
The news comes as a big blow to the Facebook-owned service which has built its reputation on providing a secure communication platforms.
Doubts have persisted about just how secure it was ever since the service was sold to Facebook in 2014. Rumours that WhatsApp’s end-to-end encryption have persisted and recent reports that it is going to be rolled together with Instagram and Messenger into a new service have not helped quell concerns.
Despite concerns, it has remained the world’s most popular encrypted messaging service with journalists, campaigners, and even politicians across the world using it to communicate securely despite many also representing governments seeking to undermine it.
This is not the first time a security flaw has been identified in WhatsApp. But this latest revelation is the most severe by some distance.
How the latest WhatsApp security flaw worked
This new security flaw worked when hackers used WhatsApp calling function to ring a user’s device. Regardless of whether the call was answered, the connection allowed hackers to download surveillance software onto the receiving device. The record of the call was then automatically deleted from the device.
According to WhatsApp’s security briefing, “A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.”
Professor Alan Woodward, a cyber-security expert at the University of Surrey, this is a “pretty old-fashioned” type of hack.
The surveillance software installed enabled hackers to read encrypted content on WhatsApp which they would never have been able to decrypt if they had just intercepted it.
To bypass encryption on services like WhatsApp, hackers have to compromise at least one of the devices involved in the encrypted communication. This flaw enabled them to do exactly that.
It has not been formally confirmed who was responsible for the attack, but the Financial Times (£) is reporting that it was the work of the NSO Group. This is the Israeli security firm which is believed to have developed software capable of cracking the iPhone as well as being linked to a number of other major hacks around the world.
WhatsApp has only admitted that “the attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”
The targets of the hack are also unclear. But, as Ahmed Zidan from the Committee to Protect Journalists, a not-for-profit campaign group has said, “Journalists, lawyers, activists and human rights defenders” are most likely to have been targeted.
How WhatsApp handled the security breach
According to the BBC, the flaw was first identified by WhatsApp’s own security team. They made the discovery earlier this month and quickly advised selected security vendors, the US Department of Justice, and also a number of human rights groups who use the service.
This is to their credit of course, but WhatsApp have still come in for some criticism from users for the way they fixed the problem.
The fix was rolled out last Friday and yesterday, WhatsApp went public with a statement encouraging all of their estimated 1.5 billion users worldwide to update their apps as a precaution.
However, the update itself is far from explicit about the severity of the issue it is solving. Listings vary depending on the device you use, but in general, it simply states that it is ‘fixing bugs’ rather than a serious security vulnerability.
This is rather disingenuous of WhatsApp but given the huge coverage that the security bug has now received, no-one can really accuse them of trying to cover the issue up.
Staying safe and secure online
This new WhatsApp security flaw does highlight the fact that even encrypted secure messaging services like WhatsApp can fall victim to hackers.
While the end-to-end encryption itself remains uncompromised, all software has vulnerabilities and hackers are often as well-equipped to identify and exploit this as anyone.
This is one of the reasons why relying on the security of apps like WhatsApp alone is fraught with risk. This is especially true if you are someone likely to be targeted by hackers or state surveillance operatives.
There are a whole range of online security steps that people should be taking to keep their online data secure and private.
This includes using encrypted messaging services like WhatsApp and Telegram, but also using VPNs to encrypt all your online data, using password managers and changing passwords regularly, and protecting mobile devices in the same way as computers.
There is no silver bullet that will guarantee online security in all situations. But simple steps like these make you far less likely to fall victim to attacks. And as long as companies like WhatsApp are transparent when issues like this arise, the chances of your data being compromised remain slim.