WhatsApp has revealed a vulnerability in its system could have allowed hackers access to its users’ phones.A London-based human rights lawyer could possibly be among targets.
WhatsApp, which is owned by Facebook, said the attack targeted a “select number” of users, and was orchestrated by “an advanced cyber actor”.
The attack was first discovered earlier this month.
WhatsApp promotes itself as a “secure” communications app because messages are end-to-end encrypted, meaning they should only be displayed in a legible form on the sender or recipient’s device.
However, the surveillance software would have let an attacker read the messages on the target’s device.
Who did this?
WhatsApp stated that “a select number of users” were targeted by an “advanced cyber actor”, which the Financial Times has identified as the Israeli technology company NSO Group.
NSO Group claims its technology, known as Pegasus, is only used by intelligence and law enforcement agencies.
Critics of the firm, including human rights organisations, have claimed that many of the state agencies it works with are repressive and often target their lawyers and activists.
How do you know if this attack has affected your phone?
There is currently no way to tell if this has affected your phone. However, the attack is expensive and it is unlikely – at the moment – to be carried out by commodity criminals.
According to Citizen Lab, software believed to have been developed by NSO Group has been used to target and persecute political dissidents, human rights defenders, opposition politicians and journalists in 45 countries.
How can you safeguard against the Vulnerability?
The attack is being considered extraordinary by cyber security professionals.
This is not just because it targeted lawyers, who are not usually national security targets and whose communications with those targets – at least in many common law countries – are privileged.
It has caught their attention because there was no way to safeguard against it – not even by training users to spot the dodgy message.
Often cyber attacks require some kind of user input to succeed, whether the user clicks “allow” or “yes” on a pop-up, or follows a link, or downloads and executes a malicious file in a phishing email under the impression that it is innocent.
However, the WhatsApp attack was what was known as a “no-click” attack, meaning there was no user input needed at all – the hackers could just send the voice call, and even if it was not answered, gain access to the target’s phone.
The only protection is to update the version of WhatsApp.
How do I update WhatsApp?
Android
- Open the Google Play store
- Tap the menu at the top left of the screen
- Tap My Apps & Games
- If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
- If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
- The latest version of WhatsApp on Android is 2.19.134
iOS
- Open the App Store
- At the bottom of the screen, tap Updates
- If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
- If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
- The latest version of WhatsApp on iOS is 2.19.51
