David Glance, the director of University of Western Australia's Center for Software Practice explained how the recent WhatsApp's security flaw was exploited, who's behind the attack and what will it mean for the Facebook-owned company image.
Sputnik: First of all, can you tell me how this WhatsApp security flaw has been exploited?
Glance: Well, a lawyer that has been involved in various people taking action against a an Israeli security company called the NSO Group had received this attack and was suspicious about it. He received it after WhatsApp had actually been fixed. And so this is why it's sort of didn't work. And then they tried when it didn't work, they tried another attack. And he passed that on to the citizen lab who had recognized these types of attacks and then traced it to this particular exploit. But at that time, Facebook had actually announced that there was this vulnerability in WhatsApp that could be exploited without necessarily the user being aware that it happened.
Glance: Well, I think that there's a wider issue in the fact that WhatsApp is owned and run by Facebook. So how seriously, you can take their efforts in terms of security and privacy is debatable. However, I think it's a reminder that even though these tools do use things like end to end encryption, that they're still consumer tools, software, they're not really designed to protect you against serious attempts to actually break into the conversation.
And clearly what this showed was that it was quite amazing that you didn't have to actually answer the call when it was made. It was a vulnerability that had been known for some time by this group, and exploited in the software that they sold on to various intelligence agencies and governments.
Sputnik: Can you tell me more about the people who are targeted this attack?
Glance: Well, the NSO group, the Israeli company that makes these tools, basically sells it on to governments. And so at the moment, there's a range of people who have been targeted by this. So activists, for example, and civil society groups in Mexico, it is some rumours that in, in the case of various associates of Khashoggi and Saudi, but that they have been targeted with this sort of software. So it's a variety of different targets, it's an expensive way of actually hacking into somebody's phone. So really, it's only for specific targets that it's going to be used, and by governments who really want to find out something.
Sputnik: So we know who's behind the hack. What would the recourse be against a company that's been developing this software?
Glance: Well, very little, it's a legitimate company, and really what they do, they claim that they're not involved in what it's used for, and that the governments and agencies that use it, are doing so to fight terrorism. And, you know, in the pursuit of law enforcement. Clearly, this company has received funding in the past by Israeli secret services. So whether they're involved or not, is another matter.
But this whole industry, you know, is a large one, and there won't be a diminishing of the demand for these sorts of tools. You know, as people increasingly target victims or targets with this type of approach.
Glance: I think it will continue. And it's just a constant race between the tech companies, security researchers, and in this case, the security companies. But remember that there are a large number of other actors that are doing exactly the same thing. And they range from governments through to cyber criminals. So I think that what the public really have to be aware of is that, you know, it's everything is vulnerable. And that you can take all the precautions you want, but if somebody is determined enough, they can usually get around it.
Views and opinions expressed in this article are those of the speaker and do not necessarily reflect those of Sputnik.
