WhatsApp was hacked. Now what?
Image: https://www.maxpixel.net/Smartphone-Internet-Communication-Phone-Whatsapp-3113279

You might have heard a few days ago that WhatsApp was hacked. What does this mean to you, likely a WhatsApp user? Should you use something else?


1. The WhatsApp hack

The news is that some people found a very clever WhatsApp hack that allows them to call someone's phone via WhatsApp and take over the phone. This is obviously very concerning, and everyone should update WhatsApp to the latest version, which fixes the vulnerability.

This BBC article is an excellent resource on the problem that covers a lot of ground that I wanted to write about. Read it! https://www.bbc.com/news/technology-48282092


2. The Bloomberg opinion

Bloomberg wrote an egregious opinion piece on the matter titled "WhatsApp’s End-to-End Encryption Is a Gimmick": https://www.bloomberg.com/opinion/articles/2019-05-14/whatsapp-hack-shows-end-to-end-encryption-is-pointless

They later changed the title to the much more cautious "End-to-End Encryption Isn't as Safe as You Think". Bloomberg's tweet said "WhatsApp's hack shows end-to-end encryption is largely pointless". This was an incredibly bad reading of the situation and irresponsible toward Bloomberg's layman readers. According to Bloomberg's logic, you should not exercise, because you could get hit by a car.

ITWire discussed in detail how bad Bloomberg's reporting was on this topic, as well as on security in general (this is entertaining): https://www.itwire.com/security/bloomberg-roasted-for-terming-whatsapp-end-to-end-encryption-a-gimmick.html

Bloomberg has peddled scaremongering security stories that have not been backed by evidence, have been repudiated by quoted sources and have been criticised heavily by security experts. They have to do a lot of work to gain back trust.


3. Is it safe to use WhatsApp for private messaging or what?

TLDR: Yes, mostly. Don't worry about it. Just update the software.

The exception is if you are a dissident in a repressive country or a journalist exposing government conspiracies. If a government is willing to spend big money and effort to spy on your communications, you face different threats than my expected audience. If you fall into that category, you may need to take a lot more measures than just choosing the right app. End to end encryption is still a very good thing to have.

Details:

At a very basic level, there are three levels of messaging privacy:

  1. End to end encryption is a very good feature of WhatsApp that benefits user privacy. It transmits messages from sender to receiver in an encrypted format, and only the phones of these parties can decrypt the messages. This means that even WhatsApp (a company owned by Facebook) can't read your WhatsApp messages, let alone other people. Other products offering similar capabilities include (but are not limited to) Apple iMessage, Signal and Threema. Some of these apps allow you to send SMSes to recipients who do not have the app on their phones - this has no/minimal privacy benefit. Choosing between these apps for the most private messaging requires another article in itself, one that would need to consider technology as well as philosophy.
  2. Messages on Facebook Messenger and Skype are encrypted only in transmission and can be read by their companies, as they are accessible as clear text on their servers. These messages cannot be snooped on by third parties during transmission, so there is some benefit.
  3. SMSes have no protections whatsoever. They are transmitted without encryption and your phone carrier can read your SMSes if they want. Likewise SMSes are easier to snoop on.

End to end encryption does not protect against:

  1. someone who has access to your unlocked phone
  2. someone who sees the message that has appeared on the phone screen
  3. the message recipient sharing your message with other parties
  4. someone who has hacked your phone.

The current controversy surrounds #4. End to end encryption will not protect against someone who has already compromised your phone, because the messages are visible on your phone.

Exercising for your health will not protect you from getting hit by a car.

All technology is imperfect and at risk of vulnerabilities. We frequently find that vulnerabilities in completely random programs could enable an attacker to gain control of the machine of a user running the vulnerable program. WhatsApp was found to have a vulnerability this time. Next time it may be another app or even an operating system. Microsoft has the famous Patch Tuesday, typically the second Tuesday of every month, when they release patches. There are security enthusiasts who energetically comb through the patches to see what vulnerabilities have been fixed in Windows and other products (and thus identify the vulnerabilities). Some products are more vulnerable than others - Flash, the program that was once omnipresent for playing videos in browsers, is probably the most notorious. The situation was so bad that Apple disallowed Flash on the iPhone, while browsers such as Chrome and Firefox slowly followed suit in disabling the Flash plugin as a security measure. WhatsApp had a very serious vulnerability, but it is far from Flash.

Whatever you do, don't use this as a reason to switch from WhatsApp to SMS - that is a really poor idea.

Morpheus C.

Cybersecurity Evangelist | m0rpheus.eth | CISSP GCFA | SecOps | SOC | DFIR

5 years ago

Very nice article on the WhatsApp issue. Those people working for special organizations should consider using another communication channel or a more secure IM?

Axel F.E. van Drongelen

SVP at Comforte AG, Empowering organizations to effectively secure data | Data Protection | Data Privacy | Compliance | Tokenization |

5 years ago

It never was secure

Vijay Luiz

Manager, Information Security and Cloud Risk at PwC

5 years ago
