The iPhone user's guide to the WhatsApp hack attack

Update your app and iPhone immediately


Hackers have used a security bug inside WhatsApp to install spyware through an infected WhatsApp voice call, and Apple users are affected.

What WhatsApp users need to do

If you are one of the 1.5 billion people who use WhatsApp, you should immediately update both your app and your iOS software to the latest version.

The app update includes fixes that should prevent hackers from taking over your iPhone, while future Apple updates will also likely address these flaws.

What is the threat?

Israeli hackers from a company called the NSO Group developed the spyware specifically so they could get into people’s devices.

The threat consists of spyware capable of activating a device’s camera and microphone that also provides hackers with access to call logs, texts, and other personal data inside WhatsApp.

The company sells the spyware system to clients, which include national intelligence and security agencies.

What platforms are affected?

Android, Windows, Tizen, and iOS devices are all vulnerable to this attack against WhatsApp.

How does it spread?

The spyware is installed using an infected WhatsApp voice call.

You don’t have to accept the call and you may see no record of the call attempt ever being made, according to the Financial Times.

Here is the security warning for this app.

Who is being attacked?

The attack seems to be aimed at human rights activists.

In this particular case, the existence of the bug was exposed when a UK-based human rights lawyer received a dropped call that made them suspicious enough to look into what was going on.

WhatsApp said the complexity of the attack means it will have been used against only a small number of people.

Given that WhatsApp appears to be used almost everywhere in public life, it’s no great surprise that hackers want to break into WhatsApp chats.

If you don’t use WhatsApp on your iPhone, you will not have been attacked. But if you work in a sensitive industry, then you should update the app immediately.

How does the update help?

Once Facebook-owned WhatsApp heard of the existence of the vulnerability, it took steps to boost server-side protection against the bug and also published software updates for all impacted devices.

WhatsApp says it took 10 days to deliver the update once the threat was identified.

You should be able to find the update on the relevant App Store. Alternatively, you can uninstall the software, though you’ll lose all your archives.

I thought Apple was secure?

Apple’s platforms are secure by design, but not every app you install is quite as secure. Apple continues to try to provide users with better control over what features can be accessed by individual apps in each release of iOS. 

In the case of WhatsApp, you can enable or disable access to things such as your iPhone’s microphone or camera in Settings > WhatsApp, but we cannot yet be certain this hack will then be unable to access those items, pending a response from Apple.

Who is the NSO Group?

The NSO Group is an Israeli company that has boasted about its ability to hack into iPhones in the past. The company sells software called Pegasus that has historically been used against human rights activists.

The company claims to sell these hacks only as tools to fight against crime and terror and says it maintains a strict vetting process before making them available to its intelligence and law enforcement clients.

What’s WhatsApp saying?

WhatsApp says the attack was sufficiently sophisticated, and it appears likely to have come from a “private company working with governments on surveillance.”

In a statement provided to Reuters, the company said:

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.”

What happens next?

WhatsApp has referred the incident to the U.S. Department of Justice and also to the lead EU data protection regulator and UK National Cyber Security Centre.

One more thing

I’ve always argued against back doors in any computing platforms. This incident provides yet more evidence that suggests any such security flaws once found should be fixed rather than weaponized.

That a hack allegedly sold in a strictly controlled manner has been used to such purpose shows how these technologies tend to spread — you can even buy GrayKey devices on eBay these days.

Such proliferation leaves everyone less safe, not more secure.

What next?

I wrote this guide to iOS security in 2017. There have been many enhancements since, but this still provides a good grounding on the topic. 


Copyright © 2019 IDG Communications, Inc.
