BFF-33 WhatsApp urges update after ‘serious’ security breach

SAN FRANCISCO, May 14, 2019 (BSS/AFP) – WhatsApp on Tuesday encouraged its
users to upgrade the app to plug a security breach that allowed sophisticated
attackers to sneak spyware into phones, in the latest trouble for its parent
Facebook.

The vulnerability — first reported by the Financial Times, and fixed in
the latest WhatsApp update — allowed hackers to insert malicious software on
phones by calling the target using the app, which is used by 1.5 billion
people around the world.

“WhatsApp encourages people to upgrade to the latest version of our app,
as well as keep their mobile operating system up to date, to protect against
potential targeted exploits designed to compromise information stored on
mobile devices,” a spokesperson said in a statement to AFP.

The FT cited a spyware dealer as saying the tool was developed by a
shadowy Israel-based firm called the NSO Group, which has been accused of
helping governments from the Middle East to Mexico snoop on activists and
journalists.

And security researchers said the malicious code bore similarities to
other tech developed by the firm, according to The New York Times.

The latest exploit — which impacts Android devices and Apple’s iPhones,
among others — was discovered earlier this month and WhatsApp scrambled to
fix it, rolling out an update in less than 10 days.

The firm did not comment on the number of users affected or who targeted
them, and said it had reported the matter to US authorities.

It also informed authorities in Ireland about the “serious security
vulnerability”, according to a statement by the country’s Data Protection
Commission (DPC).

“The DPC is actively engaging with WhatsApp Ireland to determine if and to
what extent any WhatsApp EU user data has been affected,” it said.

It echoed WhatsApp in encouraging users to update the app, as “the
possibility remains that EU users were affected”.

The breach is the latest in a series of issues troubling WhatsApp’s parent
Facebook, which has faced intense criticism for allowing its users’ data to
be harvested by research companies and over its slow response to Russia using
the platform as a means to spread disinformation during the 2016 US election
campaign.

– Highly invasive software –

The WhatsApp spyware is sophisticated and “would be available to only
advanced and highly motivated actors”, the company said, adding that a
“select number of users were targeted”.

“This attack has all the hallmarks of a private company that works with a
number of governments around the world”, according to initial investigations,
it added, but did not name the firm.

WhatsApp has briefed human rights organizations on the matter, but did not
identify them.

The Citizen Lab, a research group at the University of Toronto, said in a
tweet it believed an attacker tried to target a human rights lawyer as
recently as Sunday using this flaw, but was blocked by WhatsApp.

The NSO Group came to prominence in 2016 when researchers accused it of
helping spy on an activist in the United Arab Emirates. Its best-known
product is Pegasus, a highly invasive tool that can reportedly switch on a
target’s phone camera and microphone, and access data on it.

The firm said Tuesday that it only licenses its software to governments
for “fighting crime and terror”.

The NSO Group “does not operate the system, and after a rigorous licensing
and vetting process, intelligence and law enforcement determine how to use
the technology to support their public safety missions”, it said in a
statement to AFP. “We investigate any credible allegations of misuse and if
necessary, we take action, including shutting down the system.”

BSS/AFP/ARS/1705 hrs