WhatsApp used to install surveillance malware bypassing encryption

14 May 2019

In the beginning of May, WhatsApp discovered that the service was used to install a sophisticated surveillance malware on an unknown number of smartphones. The hackers used the security flaw in WhatsApp’s voice calling function that enabled them to run ‘a remote code execution via specially crafted series of secure real-time transport protocol (SRTCP) packets sent to a target phone number’. The infection by the malicious code would happen even if the call had not been answered. The vulnerability enabled hackers to read messages on the target's device with interception tools  bypassing the end-to-end encryption used in WhatsApp.
The scale of infected devices is unknown yet, but researchers claim the attack targeted  a small number of human rights activists. The surveillance software was attributed by the Financial Times to the Israeli NSO Group, famous for its Pegasus program used by some governments to intercept the communications of human rights activists. However, the NSO Group denied its involvement in the attack. WhatsApp encouraged people to upgrade to the latest version of the app on Android, iOS, and Windows phone devices.



 

Explore the issues

Encryption refers to the scrambling of electronic documents and communication into an unreadable format which can be read only through the use of encryption software. Traditionally, governments were the only players who had the power and the know-how to develop and deploy powerful encryption in their military and diplomatic communications. With user-friendly packages, encryption has become affordable for any Internet users, including criminals and terrorists. This triggered many governance issues related to finding the right balance between the need to respect privacy of communication of Internet users and the need for governments to monitor some types of communication of relevance for the national security (potential criminal and terrorist activity remains an issue).

Consumer trust is one of the main preconditions for the success of e-commerce. E-commerce is still relatively new and consumers are not as confident with it as with real-world shopping. Consumer protection is an important legal method for developing trust in e-commerce.

Cybersecurity is among the main concerns of governments, Internet users, technical and business communities. Cyberthreats and cyberattacks are on the increase, and so is the extent of the financial loss. 

Yet, when the Internet was first invented, security was not a concern for the inventors. In fact, the Internet was originally designed for use by a closed circle of (mainly) academics. Communication among its users was open.

Cybersecurity came into sharper focus with the Internet expansion beyond the circle of the Internet pioneers. The Internet reiterated the old truism that technology can be both enabling and threatening. What can be used to the advantage of society can also be used to its disadvantage.

 

The GIP Digital Watch observatory is provided by

 

 

and members of the GIP Steering Committee



 

GIP Digital Watch is operated by

Scroll to Top