Who's behind the WhatsApp hack and should you be worried?
Cyberattack exposed vulnerability that experts say can easily be exploited
This week, WhatsApp began urging its 1.5 billion or so users to update their apps to get the latest security patch. The Facebook-owned company — which touts its "simple, secure" messaging — said it discovered spyware had been installed remotely on "dozens" of smart phones through the app. The hack affected both Apple and Android users.
Without naming the company, WhatsApp described the hackers as "a private company that has been known to work with governments to deliver spyware."
The Financial Times identified the company as NSO Group. A spokesperson for WhatsApp later told The Associated Press: "We're certainly not refuting any of the [news] coverage you've seen."
What is NSO Group?
NSO Group describes itself as a cybertechnologies company. Based in Israel, it says it develops technologies that governments and law enforcement agencies can use to track and intercept terror activity, break up organized crime operations, and even search for missing persons.
The company is backed by Novalpina Capital, a private equity firm based in London.
What does its technology do?
NSO is vague about how its technology works. But the University of Toronto's Citizen Lab, through its research, has determined that its software basically can gain access to private or confidential information — an individual's smartphone, for example — and through it, see and hear all of its communications.
NSO boasts on its website that its technology "has helped governments save thousands of lives, prevent terrorist attacks, break up major crimes, and make the world a safer place."
But "what is concerning, though," according to Kevin Mitnick, CEO of mitnicksecurities.com, "is they sell their cyberweapons to countries that might use it against dissidents and might use it to persecute people that are saying bad things about the country or its leadership."
NSO doesn't exactly deny this. It has said that it sells only to responsible countries after diligent vetting, and with Israeli government approval.
"NSO would not or could not use its technology in its own right to target any person or organization," it said in a statement Tuesday.
Novalpina Capital said in a statement early Wednesday that NSO's technology "is designed in such a way that it can only be deployed by an intelligence or law enforcement agency to whom the technology is sold under licence. NSO has no involvement whatsoever in any end-user agency's tactical deployment decisions."
The statement said Novalpina is committed to adhering to the United Nations Guiding Principles on Business and Human Rights.
"We abhor any form of misuse of any form of surveillance technology by any government, agency or individual, and we particularly condemn without hesitation any such misuse directed at people who are vulnerable simply as a consequence of their commitment to report on, speak out for or defend human rights," said Stephen Peel, founding partner of Novalpina.
Who are NSO's clients?
Citizen Lab says NSO's technologies have been used by some 45 countries, including Mexico, Bahrain, Morocco, Saudi Arabia and the U.A.E. The Financial Times, citing an unnamed NSO investor, reports that half of the group's revenues come from the Middle East, but that it has contracts with 21 EU countries, as well.
"This type of exploit wouldn't be available to the criminal-based type of hackers," Mitnick said, "because they simply can't afford to buy these cyberweapons."
Public Safety and Emergency Preparedness Canada did not respond to inquiries about whether Ottawa has bought technology from NSO.
John Scott-Railton, a senior researcher at Citizen Lab, says it's not known publicly if Canada has ever been a customer. But he hopes any country considering it would also acquire strong oversight.
"This technology comes with a temptation to abuse because it's designed to be stealthy and hard to find," he said. "The abuse potential is so dramatic."
Amnesty International, which said last year that one of its staffers was targeted by NSO spyware, is demanding Israel suspend NSO's export license for exactly that reason.
"These softwares that NSO is marketing as tools to prevent terror and crime, are used against human rights defenders and lawyers and doctors and members of Parliament," Chen Brill-Egri of Amnesty International Israel told Reuters.
"And when the Ministry of Defence in Israel allows this to happen, it endangers millions of people around the world."
How did this latest hack happen?
Mitnick said many apps are developed with millions of lines of code — and people make mistakes.
"And what happens is security researchers find these flaws and they're able to develop what they call exploit code to take advantage of these flaws and do exactly what was done in this case."
WhatsApp has admitted this vulnerability involved a missed call coming to the phone through the app.
"No user interaction required," said Scott-Railton, "which makes it particularly insidious."
The hacker would then use that missed call to slide a piece of malware onto the phone.
"That malware," he continued, could then be used "to turn on the phone's microphone to capture encrypted conversations, private files and personal materials."
Was I targeted?
Probably not. WhatsApp says the actual number of people who were affected by this attack amounted to maybe a couple dozen. But as Scott-Railton points out, "the number of people who are vulnerable to this is quite high … an entire user base."
His takeaway: "There's a problematic industry that's in the business of finding these vulnerabilities. And instead of disclosing them to companies so that they can be closed up, [they're] selling those vulnerabilities and making them available to customers who will then, as we see, turn around and abuse them."
How do I update my WhatsApp app?
You can find out here.