Cape Argus

What you should know about WhatsApp breach

WITH GEORGINA CROUTH. WRITE TO GEORGINA AT CONSUMER@INL.CO.ZA, TWITTER @ASKGEORGIE

HACKING a smartphone is said to be dead-easy: it already has all the necessary tools to listen, watch and track your movements.

With a camera, microphone, GPS tracking and internet connection, anyone can see where you are, what you’re up to, who your contacts are, what conversations you had – what emails were sent – and they’d have a fair idea of who your inner circle is.

Last week, many users of Facebook’s popular WhatsApp messaging service wondered how safe they were when it was reported that a security flaw in its app allowed attackers to install spyware on their targets’ smartphones by exploiting a bug in the app’s phone call function.

It worked even if the victim did not answer the call – and there was almost no way to tell whether or not you had been hacked because the attackers would delete the call from the call log. Wired carried a story: “How hackers broke WhatsApp with just a phone call” and Financial Times said: “WhatsApp voice calls used to inject Israeli spyware on phones”.

The malicious code used in the attack was said to have been developed by a shady Israeli firm, the NSO Group, which develops a product called Pegasus that can activate smartphone cameras and microphones. The firm’s Pegasus software, which it apparently sold to Saudi Arabia, was previously used to hack activists’ devices, including those of prominent Emirati human rights activist Ahmed Mansoor and Saudi critic Jamal Khashoggi.

WhatsApp didn’t say how many of the app’s 1.5 billion users were affected, but encouraged all users to upgrade to the latest version of the app.

Paul Ducklin, spokesperson for cybersecurity firm Sophos, says that in a country such as South Africa, where data is expensive, upgrading isn’t a priority.

“We believe very few people were affected by the WhatsApp breach. More worrying is that you need to ask why private companies are able to develop such tools – whether or not it was the Israeli group – and be in possession of it?”

Ducklin says your personal information is worth something to someone – you might not have much in your bank account and you might not be in the public eye or believe that you are of interest to nefarious forces, but your ID, telephone number, credit card numbers, address and even postal code have a value to someone, so crooks can “dine on your data indefinitely”.

The lesson, though, is to install an antivirus on all your devices, even if it slows you down slightly.

“We also advise that people slim down their digital exposure. If you’re not using it, uninstall it. You don’t want it lying around. Security is an inconvenience but it’s worth the 2% pain.”

And don’t be lazy about your password selection: don’t use your birth date, the name of your child, dog or student number to access all your accounts, because once that password has been cracked, hackers know that their victims are likely to have used it elsewhere.

“If in doubt, don’t give it out. In the UK, your postal code is accurate to within a few houses, so when I’m asked I like to give Buckingham Palace’s SW1A 1AA, as a laugh. Once someone has that kind of information, they can find you easily too,” he says.

Consumers are not the victims they make themselves out to be. Ducklin says most people download spyware inadvertently, thinking an app is great, but when it suddenly starts sending data, they become concerned.

“If you’re downloading apps, only do so from the app or Google stores. At least, there’s some curation. It’s not perfect, it’s not a super-secure garden where everybody is safe… but it is safer than downloading off random sites.”

MANY WhatsApp users have been questioning their safety regarding using the app when it reported a security flaw. | Reuters
