Unfortunately for all of us, Privacy Awareness Week doesn’t mean a chance to take a break from seemingly endless data breach notifications and social media vulnerabilities.
This week it’s WhatsApp’s turn, with reports that hackers, or, as WhatsApp described them, “an advanced cyber-actor”, have been able to remotely install surveillance software on phones and other devices of select targets, likely to be lawyers, journalists, activists and human rights defenders. The hackers were able to compromise the devices by using WhatsApp’s call function to ring the devices. The surveillance software was installed even if the call was not picked up, and the call reportedly would disappear from the compromised device’s call log. This means the malware could be installed without any action from the compromised user – and potentially without them even being able to determine that they had been compromised.
The surveillance software effectively rendered the app’s prized end-to-end encryption redundant as it allowed the attacker to read messages on the compromised devices.
WhatsApp released a fix last Friday and has encouraged all its users to update their apps, but some questions still remain.
In particular, while the app update fixes the issue that allowed the attack in the first place, it is not clear if the update can also remove the surveillance software embedded in already compromised devices.
WhatsApp has described the hackers as “a private company that has been known to work with governments to deliver spyware”, which news outlets have reported is Israel’s NSO Group. Regardless of the parties involved, the ability to defy WhatsApp’s encryption is a scary reminder of the potential impact of a “technical capability” that could be required under the recently enacted Australian encryption laws (except that it has not been kept secret!).