Facebook-owned WhatsApp, the international OTT messaging and voice-calling platform, said on Monday that it had released a patch to fix a vulnerability in its system that could allow hackers to implant spyware in mobile phones remotely, just by placing a call to the phone, even if that call is missed. The move came after reports that such a security breach did occur.
The Financial Times identified the entity that caused the breach as NSO Group, an Israeli company that designs spyware. The newspaper stated that the targets of the attack included a London-based lawyer who is an adviser on a case that accuses NSO of providing the functionality to spy on a Saudi dissident, a citizen of Qatar and a group of Mexican journalists and activists.
It is not clear to what extent the remote implantation of the software allowed for actual access to private data, since WhatsApp released the patch very quickly. According to news reports, NSO denied the accusation and stated that it “would not or could not use its technology in its own right to target any person or organization, including this individual,” referring to the London lawyer, whose name has not been published in connection with this incident. NSO further said that its technology is licensed to governments “for the sole purpose of fighting crime and terror” and that NSO has no role in deciding how and against whom those governments use it.
In addition to fixing the vulnerability, WhatsApp said it urges users to update to the latest version of the app, “out of an abundance of caution.”
WhatsApp is used by some 1.5 billion people around the world, so the potential for harm is obviously very great if weaknesses such as this one occur, and even greater if they go undetected for longer periods than this one. WhatsApp has proudly advertised its end-to-end encryption, so it probably comes as a big surprise for most users that this attack was even possible. The nature of the vulnerability, according to reports, was the phenomenon of buffer overflow, in which excess data residing in a temporary storage location is overwritten to an adjacent memory address. The malware or spyware injects code that causes a buffer overflow, and then exploits the data that is moved out of the encrypted area.
We think mobile operators should be aggressively using this story in their marketing campaigns. WhatsApp has long been eating into their core businesses, first with text messages and now with VoIP calling and enhanced messaging to send video and documents. Now that a frightening vulnerability to invasions of privacy has been discovered, MNOs could benefit from reminding their customers and potential customers that cellular mobile telephony is still the safest option, and to beware of promises about encryption by OTT players.
Of course, the networks of mobile operators are by no means perfect; they, too, could be breached by sophisticated software. However, at the very least, the relatively local nature of a mobile network provides some assurance that global bad actors will not target them but instead go after an OTT that is more or less present everywhere. It is, of course, also important for MNOs to keep on top of network security, and they are well advised to do so and advertise that fact. An invidious comparison with WhatsApp, at least at the present moment, will likely be very effective in terms of public relations. Today, WhatsApp says it has fixed the breach; tomorrow, however, others may be discovered and exploited.