WhatsApp's end-to-end encryption has been rendered useless by a flaw in the app which allowed hackers access to a target device and the ability to install surveillance software.
The vulnerability was allegedly created by Israeli security firm NSO Group, and apparently targeted a 'select number' of users.
WhatsApp told BBC that it was the first to spot the flaw, and here's how it works: a hacker would ring the target device using the voice call function. The victim doesn't even need to pick up – the sole moment of dialing a device is enough for the hacker to deliver the payload and install the surveillance software.
After that, the attacker could even delete the call from the call history, although it wasn't clear if this would happen in every instance.
Some organisations have been notified, including the US Department of Justice.
NSO Group responded to the allegations of it being behind the program, but remained a bit vague in its statement:
"NSO's technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror.
"The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.
"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organisation."
We still don’t know who was targeted, or who used the surveillance software. We do know that WhatsApp patched the vulnerability.
"The risk is that once the Spyware (Pegasus) is installed on the victim’s phone, the attackers gain complete access to all of the information on that phone (such as geo-location, contacts, messages, mail, and other data). In simple words, they can monitor everything the victim is doing, therefore complete violation of privacy,” commented Assaf Dahan, senior director, head of threat research at Cybereason.
“Potentially any WhatsApp user can be vulnerable to this attack. This zero day does not require any interaction from the user, and therefore is very difficult if not impossible to avoid. Since this Zero day is attributed by the researchers to the NSO Group, it’s likely used surgically, only against specific people of interest and not as a mass infection payload. Assuming that the latest version published by WhatsApp fixes the buffer overflow vulnerability, users who install the latest version will be protected. That being said, there might be other Zero days exploits in the attackers’ arsenal that haven’t been discovered yet, that might be used against WhatsApp or other mobile apps."
Image Credit: Endermasali / Shutterstock