Facebook-owned WhatsApp's revelation of a security flaw allowing hackers to inject spyware on smartphones raised fresh concerns about the security of the mobile ecosystem. Here are five key questions and answers:
What happened to WhatsApp? The security hole in the WhatsApp messaging app could enable an attacker to inject malware to gain access to Android or Apple smartphones.
WhatsApp patched the flaw this week after being informed that the spyware was being used to track human rights activists and lawyers.
Security researchers believe the attackers used the powerful Pegasus spyware from Israel-based NSO Group. According to a recent analysis of the software by the security firm Lookout, Pegasus can "subvert" the device's security and "steals the victim's contact list and GPS location, as well as personal, Wi-Fi, and router passwords stored on the device."
The infection could take root with a simple call through WhatsApp. To make matters worse, victims may not know their phones were infected because the malware allowed attackers to erase call histories.
Who is to blame? While the flaw was discovered in WhatsApp, security experts say any application could have been a "vehicle" for the spyware payload.
"We have not yet been able to write software that doesn't have bugs or flaws," said Joseph Hall, chief technologist for the Center for Democracy & Technology, a digital rights group.
Hall said the encryption in WhatsApp was not broken and that "Facebook's response was exceedingly fast."
Is encryption still worthwhile? Encryption remains an important feature by establishing a secure "tunnel" between two parties that verifies their identities, Lueck noted.
"Encryption isn't important just for privacy, it's important for trust," he said.
Encryption used by WhatsApp and other messaging applications prevents eavesdropping on messages and conversations but does not protect against an attack that gains access to the device itself, researchers note.
"End to end encryption does nothing to protect against attacks on your endpoint, true. And seatbelts and airbags do nothing to prevent your car from being hit by a meteorite," tweeted Matt Blaze, a Georgetown University computer security expert.
"While neither protects against every possible harm, they both remain the most effective defenses against very common harm."
Dickson said that while no encryption is foolproof, the only way to completely avoid hacking would be to avoid electronics entirely: "You could use guys on horseback."
Should I worry about being attacked? Citizen Lab, a research center at the University of Toronto, said in a 2018 report that it found Pegasus spyware infections in 45 countries, with 36 "probable government operators."
NSO maintains it delivers its software for legitimate law enforcement and intelligence purposes. But the Toronto researchers said it had been obtained by countries with "dubious" human rights records and suggested it may have been used by Saudi Arabia to track and kill dissident journalist Jamal Khashoggi.
Citizen Lab researchers wrote in the Globe & Mail that they "unearthed at least 25 cases of abusive targeting of advocacy groups, lawyers, scientists and researchers, investigators into mass disappearances and media members."
Do governments need better digital tools?
The revelations come as governments seek better tools to track criminals and extremists using encrypted messaging. An Australian law requires tech giants to remove electronic protections and help with access to devices or services.
Law enforcement agencies have complained of "going dark" in the face of encrypted electronic communications as they investigate serious crimes like terrorism and child sex offenses.
Comments
Comments are closed.