Last week WhatsApp revealed a security breach in their encrypted, over the top (OTT) service.
The vulnerability allowed hackers to exploit the WhatsApp calling feature, implanting malicious code on the mobile devices by placing a voice call to the victim. It’s been suggested that victims may not have needed to answer the incoming call for the code to be successfully deployed on their device.
The code allegedly allows for control of the mobile device operating system, giving access to data, location information and the device microphone.
Eyes are being cast to NSO Group, an Israeli cyber-surveillance company (best known for their Pegasus product) who may have developed the spyware, but NSO stated that they exclusively provide their technology to authorized government agencies and that the technologies are solely for the purpose of fighting crime and terror.
NSO Group have previously been named in law suits relating to eavesdropping in the United Arab Emirates and Mexico, and their spyware was implicated in the murder of Saudi journalist Jamal Khashoggi.
One of the targets was a human rights lawyer who is advising on a case against NSO but, despite this, NSO have said they would never be involved in the identification of targets or the execution of such an attack.
Holding NSO to account is as pointless as holding firearms manufacturers to account to atrocities committed, unless a smoking gun can be laid at their feet.
Collaboration between WhatsApp and Citizen Lab, a University of Toronto academic security group, helped identify the attempted attack on the lawyer, and Amnesty International may file a petition at the district court in Tel Aviv, demanding that Israel withdraws NSO’s export license, citing a breach of obligations under international human rights law.
The US Department of Justice has been notified by WhatsApp to assist in the investigation, though it isn’t yet known how many of the 1.5 billion OTT service users may have been affected or who the perpetrators are.
This is a big blow to WhatsApp who have previously cited their security and encryption as a benefit of using the service.
Troubling Times for Providers and Consumers
The news about WhatsApp being compromised comes at a time when traditional voice usage remains in serious decline due to use of OTT services. This draws attention to the significant risks surrounding network, app and device security.
The associated decline in revenues also means that telcos have less money to invest in security and it begs the question of who should ultimately be held responsible. I can hardly think it reasonable that telcos should be left to foot the bill for security flaws they did not create, but consumers have a long history of holding their telecoms provider responsible for failings that manifest on their device, whether it is the operator’s fault or not.
If you’re a WhatsApp user, no matter how low you perceive the risk to you, you should update the app on your devices.