Despite everything it said about communications being encrypted and thus safe, WhatsApp has been hacked. Any attack on popular software could potentially affect billions of users. While this vulnerability has been patched, users need to be aware that the software they use daily might not be secure.
Nabil Hannan, Managing Principal – Financial Services, Software Integrity Group, Synopsys, explained: "The risk with this incident is that any WhatsApp user, based on their phone number, could technically be targeted. Using the buffer overflow issue, attackers can install malware allowing them to reach communications conducted on that user’s device."
"Any and every WhatsApp user is at risk. Technically anyone can be attacked, whether intentionally or accidentally. In this case the hackers seemed to have specific targets in mind, but other attackers could learn about the issue and then exploit other specific users or a wide range of users," he stressed.
Carl Leonard, Forcepoint’s Principal Security Analyst, noted that while a software update has been issued to protect WhatsApp against the security flaw that was exploited, the malware itself is extremely sophisticated. "Attacks like these have huge privacy implications. Traditionally, malware developed by sophisticated threat actors leaks into the wider cybercriminal ecosystem and is repurposed for financial gain, targeting the mass market. This is early days for this particular malware but it is critical to patch, and turn on auto-updates if possible, and for all applications, not just WhatsApp," he said.
Oded Vanunu, Head of Products Vulnerability Research, Check Point Software Technologies, warned: "We are seeing that vulnerabilities on mobile platforms are worth a lot of money; for example, in the Zerodium price list they are willing to pay up to US$1 million for a WhatsApp vulnerability that will allow running remote code," he said.
The best that users can do is keep up to date with the app and to report unusual behaviour, Hannan said. Leonard agreed. "A victim’s device would act very differently than a non-infected device, and while no details of the actions taken by this malware have emerged, one could assume that an attacker may seek out bulk contact lists, email data, location data or other personal information," he said.
Dylan Castagne, MD, Retarus Asia, commented that best practices are needed to ensure the secure and efficient transmission of information. He is in favour of leveraging established standards such as short message service (SMS, or text messages) instead of proprietary systems such as WhatsApp in business communication.
"Additionally, this reflects the need for organisations to significantly up their game in detecting, investigating and remediating intrusions across all communications avenues. With advanced threats seen to continue surpassing the capabilities of security mechanisms and cyber criminals devising new methods to infiltrate networks and exploit attack vectors, including messaging applications and emails, the value of being conscientious and vigilant in today’s digital era cannot be over-emphasised," he said.
"Utilising managed security service providers over traditional security tools also provides enterprises with the added advantage of having regular feature enhancements and upgrades that can better thwart modern cyber security threats."
"Rather than using a threat-based approach (where security professionals block individual threats, one by one) using a behaviour-based approach can pay dividends. By analysing the normal behaviour of a device, or in enterprise terms, any entity on a system, security professionals can act on the anomalies and stop even the most sophisticated attack quickly," Leonard added.
According to Business of Apps, in a blog post updated in February 2019, there are:
- One-and-a-half billion users in 180 countries, including 3 million users of WhatsApp Business
- One billion daily active WhatsApp users
- India is the biggest WhatsApp market in the world, with 200 million users (it is estimated in some quarters that this has increased to 300 million)
- Sixty-five billion WhatsApp messages sent per day, or 29 million per minute, and 55 million WhatsApp video calls made per day, lasting 340 million minutes in total
- From May-July 2018, 85 billion hours of WhatsApp usage were measured