27 September 2023

What’s up with WhatsApp? The importance of updating your app

Patrick Howell O’Neill* says anyone who has WhatsApp has been urged to update to the latest version after a new vulnerability was disclosed.

Everyone with WhatsApp on their phone should update to the latest version of the app as soon as possible, the company said last week.

WhatsApp, the Facebook-owned messenger app used by 1.5 billion people around the world, disclosed a vulnerability that allowed hackers to remotely install spyware on iOS and Android phones by placing voice calls on WhatsApp.

The latest update is said to fix the flaw and secure the app.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesman told CNBC.

The WhatsApp vulnerability is a “zero click zero day” — a previously undiscovered vulnerability that can infect a target’s phone with no action from the victim.

Most previously discovered vulnerabilities of this kind required the victim to click a link to be infected.

Because the victim does not need to click anything or make any mistake for the attack to succeed, being targeted may be almost a fait accompli.

The difference here is that the Israeli firm believed to have created the exploit, NSO Group, appears to have been caught.

These kinds of vulnerabilities are particularly valuable — and expensive — and have been heavily marketed by NSO Group for at least the last year.

(NSO Group has so far not denied that it’s behind the attack.)

WhatsApp and an increasing number of messenger apps offer end-to-end encryption.

The NSO exploit gets around that protection by infecting your phone and accessing information before it’s encrypted.

This does not mean end-to-end encryption is useless, as some hot-take artists have suggested.

After all, NSO exploits are expensive, highly targeted, and have a limited shelf life that ends as soon as the vulnerability is patched, as WhatsApp says it did last week.

As opposed to targeted attacks, end-to-end encryption protects against mass eavesdropping.

This does mean that end-to-end encryption is not a complete panacea that would solve all possible cybersecurity problems — something common sense and industry experts told us a long time ago.

There is no such thing as a perfect solution, but that doesn’t mean the solutions we have are anything close to useless.

The best course of action for users is to make sure auto-update is on for your iPhone, iPad or Android devices.

Turning on automatic updates for both apps and the operating system is one of the easiest and most effective ways to secure your device as quickly and permanently as possible.

Updating and being aware of threats is important, but so too is keeping a healthy perspective.

These exploits cost a lot of money to develop and buy.

We don’t know how many victims there are, but history and common sense tell us the exploit is being used very selectively to target a small handful of unfortunate individuals and that you are almost certainly not among them.

If you do think you were being targeted based on those indicators of compromise, contacting a group like the Electronic Frontier Foundation or CitizenLab may be a smart next step.

This hack, first reported by the Financial Times on 13 May, was used to target a UK human rights lawyer who reported suspicious behaviour — strange WhatsApp calls from Sweden — to the human rights and technology group CitizenLab.

From there, a warning was issued to WhatsApp, according to a report in Forbes.

The exploit appears to have worked but was noticed due to a series of early morning international voice calls.

NSO Group is a company made up largely of Israeli intelligence veterans which develops hacking products to sell to governments around the world.

They’ve been at the centre of an unprecedented spotlight in the last few years because their products have repeatedly been found to target human rights activists, lawyers, journalists, and even children.

Each time, NSO has claimed they are not responsible for what their customers do.

The human rights lawyer targeted in the UK was advising Mexican journalists who are suing NSO Group for hijacking their phones, Forbes reported.

* Patrick Howell O’Neill is a reporter for Gizmodo. He tweets at @HowellONeill.

This article first appeared at www.gizmodo.com.au
