As phone hacking has become more common over the years, there has been a lot of talk about protecting yourself from becoming a victim. For example, we are told not to download attachments or click links sent by people we do not know, and to use strong, impenetrable passwords. WhatsApp prides itself on being one of the rare applications that offers end-to-end encryption to its 1.5 billion users worldwide. The app features text messages, group chats with up to 256 people, the option to use the app on the web or on your desktop, voice calls, video calls and document sharing. The website tells its users that “Some of your most personal moments are shared on WhatsApp, which is why we built end-to-end encryption into the latest versions of our app. When end-to-end encrypted, your messages and calls are secured so only you and the person you’re communicating with can read or listen to them, and nobody in between, not even WhatsApp.” Individuals and businesses would use this app as it provided more secure and safer communication than other available apps. Well, this was the case until a new threat cropped up on Tuesday after reports surfaced that hackers were using WhatsApp to gain access to phones even if the user did not do anything to allow it.


The Financial Times reported that Israeli-made surveillance spyware called Pegasus was installed on phones by ringing up targets using WhatsApp’s call feature. A company called NSO Group developed a WhatsApp exploit to steal data from targeted phones. The software was installed even if the user did not pick up the call, and the calls often disappeared from the call logs. This was an unusual occurrence, as most hacks come from data leaks, or phishing attempts – and these usually focus on making money. Credit card data, passwords or banking information is then used to make the hackers money.

But in this case, a WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a “private company working with governments on surveillance.”

“The bad thing about this vulnerability, [which] is very different from the other vulnerabilities, is that normally to install the spyware on any device you need some user interactions,” said Iman Sharafaldin, a cybersecurity researcher at the Canadian Institute for Cybersecurity in New Brunswick. That user interaction is something like clicking a link from a malicious email or SMS message, but Sharafaldin said that “in this case actually you don’t need any of them.” The software was instead installed “remotely”, without any input from the user, in what is called a “no-click attack.”

“The attack was also very stealthy, given that it required no user input (a no-click attack) and allowed hackers to access target devices discreetly,” Andrew Tsonchev, director of technology at AI firm Darktrace, said in an email. “It challenges our expectations of which platforms are secure and which are not.”

The company could not say how many people might have been affected, but officials believe only a “select number of users were targeted through this vulnerability by an advanced cyber actor.” It is reported that the WhatsApp bug was being exploited to target only a small number of high-profile activists and political dissidents, so most people would not have been affected by any of this in practice.

Scott Storey, a senior lecturer in cybersecurity at Sheffield Hallam University, said, “For the average end user, it’s not something to really worry about,” adding that WhatsApp found the vulnerability and quickly fixed it. “This isn’t someone trying to steal private messages or personal details.” Still, WhatsApp users are urged to update their app; a patch to fix the security

John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, said, “This incident makes it abundantly clear that anyone with a phone is impacted by the kind of vulnerabilities that customers of these companies are slinging around. There’s a reality here for all of us.”


According to Business Insider, while WhatsApp users cannot check whether their device was affected, there are certain red flags people can spot that may indicate a mobile device is being manipulated by a third party. Domingo Guerra, a mobile-security expert for the antivirus-software maker Symantec, stated that our smartphones “could be the perfect spy tool. It’s got cameras front and back. It’s got microphones. It’s got GPS, so your location, your calendar … But that data is no good to anyone trying to spy on you if it stays on your device. So whatever the device is recording or collecting, it needs to be transmitted back to the attacker.”

To protect yourself and the sensitive data on your phone from this hack, it is advised to do the following:
  1. Update your WhatsApp;
  2. Restrict any application from accessing your camera and microphone, in your Settings;
  3. Delete messages with sensitive data, for example if you shared a password over a text or on another app;
  4. Look out for signs that your phone is infected, such as a spike in battery use or data usage. Spyware works by disabling the deeper sleep mode and constantly spying on you, which means it is constantly using battery power and data; and
  5. Get monitoring software such as a Lookout app.

THE LAW – Unauthorised access

It is against the law to access another person’s data and personal information. Pursuant to section 308B of the Crimes Act 1900 (NSW):

“Access to or modification of data, or impairment of electronic communication, by a person is “unauthorised” if the person is not entitled to cause that access, modification or impairment. Any such access, modification or impairment is not unauthorised merely because the person has an ulterior purpose for that action.”
