OTTAWA–Roughly 1.5 billion people who thought their private messages were secure woke up to troubling headlines Tuesday.
WhatsApp, a popular encrypted messaging service owned by Facebook, acknowledged it had been targeted by an “advanced cyber actor.” A security flaw allowed that actor to install spyware on targets’ mobile phones, giving it access to location data, private messages and other information.
Here’s a breakdown of what you need to know about the WhatsApp hack and practical steps to protect your own personal information.
What is WhatsApp?
WhatsApp is a messaging and calling application that uses end-to-end encryption, which basically just means a more secure way to communicate with the person you’re trying to reach. When end-to-end encryption works, only the intended recipient of a phone call or message can access that message.
The company was bought by Facebook for $19 billion in 2014, and is popular in India, Germany, the U.K., and many countries in Africa and South America. The New York Times reported in January that Facebook CEO Mark Zuckerberg intends to integrate WhatsApp messaging with Facebook Messenger and Instagram, creating a network of 2.6 billion users worldwide.
That’s a lot of people to hack.
Sure is. The Financial Times first reported Monday night that WhatsApp had discovered a security flaw that allowed an “advanced cyber actor” to compromise users’ mobile phones. The hacker or hackers would simply have to call a WhatsApp user to install the spyware — the target wouldn’t even have to pick up — and gain access to sensitive information like location data, private messages and emails.
The Financial Times reported that the spyware was developed by the NSO Group, a private Israeli company that sells spyware products to governments and law enforcement agencies.
What else is known about the NSO Group?
The NSO Group is a secretive company reportedly founded by ex-Israeli signals intelligence officers. The University of Toronto’s Citizen Lab has rigorously documented the company and “Pegasus,” its main spyware product that can remotely monitor mobile phones. The Pegasus program appears to be what was used to exploit WhatsApp’s security flaws.
The Citizen Lab has documented a long list of alleged abuses of the Pegasus program, including spying on Mexican journalists, a Saudi comedian, and Omar Abdulaziz, a Saudi political refugee living in Montreal.
Abdulaziz used WhatsApp to communicate with Saudi dissident journalist Jamal Khashoggi, who was assassinated in the Saudi consulate in Istanbul last year.
What should WhatsApp users do?
Immediately update the app. WhatsApp pushed out an update on Monday that fixes the exploit used in this hack. After updating, pay attention to developments from WhatsApp and from news outlets as the investigation into the hack continues.
But I’m not a WhatsApp user. Should I do anything?
The single most important way to ensure your personal data is protected is to enable two-factor authentication on all devices and online services like Gmail, Facebook and Twitter, said John Scott-Railton, a researcher with the Citizen Lab.
It’s also important to keep all your devices and software up to date — no more ignoring those security patches on your iPhone or putting off downloading the new version of an app. The WhatsApp case “is a good example of why that’s so important,” Scott-Railton said.
People should also be skeptical of suspicious messages and emails and think twice before opening links or attachments from unknown sources.
There are also plenty of free encrypted email and messaging platforms, like ProtonMail and Signal, that are just as easy to use as any regular email or chat client.
Some people also face different threats than others. Depending on your profession — or, in some countries, your politics — you may want to take extra steps to protect yourself. But those are the basics.
This is all quite overwhelming.
It can be. The Citizen Lab has put together a plain-language primer on how to better protect your information online. SecurityPlanner.org asks a few simple questions about your online behaviour and security or privacy concerns, then instantly produces a list of advice on how you can protect yourself.
The U.S.-based Electronic Frontier Foundation also has explainers on how to safeguard your information and, in more extreme circumstances, protect yourself from online surveillance.
The Communications Security Establishment, Canada’s electronic spying and cyberdefence agency, has also tried to be more public with advice on how individuals, businesses and governments can defend against cyber attacks. The new Canadian Centre for Cyber Security publishes security alerts and advisories on its website.
Alex Boutilier is an Ottawa-based reporter covering national politics. Follow him on Twitter: @alexboutilier