WhatsApp, the world’s most popular messaging service, is at the center of a security storm after disclosing a vulnerability that allows hackers to use its encrypted messaging app to install government-grade spyware on smartphones.
The hackers spread the malware by making voice calls to the phones and planting it remotely – even if the calls go unanswered. And the logs of the calls often vanish so the victims don’t know they have been attacked.
The news is a huge PR setback to WhatsApp, which has made the impenetrable security of its service a key selling point to more than 1.5 billion users worldwide. The company says its competitors only encrypt messages between a user and the app’s company, but its end-to-end encryption service scrambles the voice, text and video messages of both the sending and receiving parties.
The company says its encryption allows people to discuss sensitive personal, political and financial information outside of regular business or government channels. It’s particularly popular in Britain, South Africa and countries ruled by authoritarian regimes.
But the emergence of backdoor access to smartphones through WhatsApp shows that people can never fully trust technology to keep their conversations and data private. The vulnerability was discovered earlier this month, and WhatsApp worked with Citizen Lab in Toronto to fix it.
According to the Financial Times, which first reported the vulnerability, the malicious spyware attacks both iPhones and Android phones. Once installed stealthily, the spyware extracts a victim’s emails, messages and location data and activates the phone’s camera and microphone to allow the hackers to eavesdrop on live conversations.
Facebook says WhatsApp automatically updated its apps to protect against the attack. It updated its servers and told users to update the app manually if they had disabled its automatic updates feature. The phones of several dozen people, including human rights activists and lawyers in London, may have been attacked.
The company and the London-based Amnesty International asked for police and government investigations to identify the attackers.
“The attack has all the hallmarks of a private company that reportedly works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” a WhatsApp representative said.
The spokesman did not name the private company involved, but media reports focused on the NSO Group, a Tel Aviv-area cyber intelligence company that has reportedly developed powerful spyware used by intelligence and police agencies worldwide.
NSO said in a statement that “under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”
But NSO is reported to have boasted to investors in April about its Pegasus spyware, which can take over people’s smartphones, according to the Financial Times. NSO said at the time that it had a record of finding weaknesses in iPhones despite the product’s constant updates.
The company has been linked to the FBI investigation of the 2015 San Bernardino, California, terrorist attack that killed 14 people. The FBI needed assistance to read messages from a shooter’s encrypted iPhone, and NSO is said to have provided it.
In addition, NSO is reported to have sold software products to Saudi Arabia’s government which have been linked to the murder of the Saudi dissident and Washington Post columnist Jamal Khashoggi.
Researchers at Citizen Lab estimate that up to 45 countries use NSO’s Pegasus technology. The researchers said six of those states have used it against dissidents.
The implications of the spyware attack for the technology industry are far-reaching. Phone operating systems may appear secure, but they are part of a huge ecosystem of interconnected apps that is hard to protect consistently.
The WhatsApp vulnerability is embarrassing for Facebook, which is making ironclad privacy a huge selling point, and for Apple, which claims to offer high levels of privacy and security.
The episode also reflects the ability of governments to use huge financial power to build or buy software that bypasses even the tightest security systems. NSO exists because states are prepared to pay huge sums for software that steals data. While this may be done in the cause of national security and fighting terrorism, it can also spill over into civilian life, as the Khashoggi killing highlights.
Little is known about the spyware involved in the WhatsApp breach, and doubts have been raised about whether even the patch rolled out by the messaging app will be effective. The danger is that other cyber criminals or government-sponsored hackers could exploit the vulnerability.
Above all, these events demonstrate that security threats are mounting rapidly and overpowering defenses that tech titans put up to shield their customers.