Targeted WhatsApp attack fixed but privacy still at risk, experts say

May 14, 2019 | News

A security message is seen on a WhatsApp screen in this illustration photo April 6, 2016. (REUTERS/Thomas White)

Raisa Rahim

WhatsApp, a popular messaging app that brands itself as “simple, reliable and secure,” confirmed a targeted attack on its system allowed hackers to surveil certain devices.

The Facebook-owned company discovered the spyware, which was installed via the audio call feature, earlier this May, according to a spokesperson who wasn’t authorized to be named, cited in the Financial Times and reported by the BBC.

An update that fixed the vulnerability in the app was released Friday.

In an emailed statement to Humber News, the Canadian Centre for Cyber Security advised Canadians using the app to update to the latest version immediately.

The unnamed WhatsApp spokesperson indicated the attack “had all the hallmarks of a private company that has been known to work with governments to deliver spyware,” and that it has the ability to hijack phone operating systems.

The Financial Times was the first outlet to report the incident, and it identified the NSO Group as the perpetrator. The Israeli technology firm, which specializes in cyber-intelligence, has made products for Middle Eastern and Western intelligence agencies in the past.

“The NSO Group develops spy and malware applications and sells them to other governments and intelligence organizations,” said Francis Syms, Professor of Cybersecurity at Humber College.

The NSO developed a similar spyware program named Pegasus, which had the ability to capture data through the microphone and camera of a mobile phone, as well as location data.

Research has suggested the program was used to spy on the late Saudi Arabian journalist Jamal Khashoggi, according to Amnesty International.

“I feel a little bit worried about our sense of privacy because we use these apps every day of our lives and we assume that we are protected,” Syms said.

A demonstrator holds a poster with a picture of Saudi journalist Jamal Khashoggi outside the Saudi Arabia consulate in Istanbul, Turkey, Oct. 25, 2018. (REUTERS/Osman Ors)

WhatsApp usually relies on end-to-end encryption to protect users’ messages, but that wasn’t enough to protect it from Pegasus — the spyware could access messages before they were encrypted.

The spyware would know what a person is typing and was able to access every button pressed on a device before the input was encrypted, even when a VPN was used for protection, Syms said.

A similar attack took place on Facebook between July 2017 and September 2018, when hackers exploited a feature allowing users to view their own profile from a public perspective, Guy Rosen, vice president of product management at Facebook, said on Facebook Newsroom.

More than 29 million users’ data was compromised and stolen as a result of the security breach, which was fixed two weeks after being discovered, Rosen said.

Rosen also said Facebook was cooperating with the FBI to investigate the attack.

“It is safe to assume that anything that is stored in your device is accessible through the spyware,” Syms said.

The use of these programs increasingly makes it difficult for people to communicate safely, he said.

People used BlackBerry Messenger on their mobile phones in the past, but then BlackBerry began giving access to governments and tainted its privacy standards, Syms said.

Now a similar trend is occurring with other messaging apps that people once assumed were secure, he said.

“It’s concerning but I’m not surprised,” Syms said.