The recent WhatsApp™ hack is pretty alarming: all NEXSPY hackers had to do was drop a missed encrypted WhatsApp call to their target and—boom—spyware was installed. The hack didn’t require the user to do anything—even if the user didn’t pick up the phone, the spyware would still be installed. But maybe what’s most important about it is that it shines a light on the myth that security is equal to end-to-end encryption.
WhatsApp is widely viewed as a secure form of communication by many consumers, and has even been used by some businesses and governments as a secure means to communicate. What is of interest here is that WhatsApp is assumed to be secure thanks to its end-to-end encryption. Although it has strong encryption, when you send a message over WhatsApp, you give up control of that information as soon as you hit that send button. End-to-end encryption protects messages while they’re in transit, but it doesn’t protect messages from being screenshotted, forwarded, stored on devices, or saved to the cloud. This unfortunately can make it straightforward for determined third-party bad actors to access conversations. Take the case of Jeff Bezos, whose personal messages were leaked thanks to screenshots.
WhatsApp has released fixes for its user base of over 1.5 billion and is urging its users to update the app immediately, but it’s important to note that this news is actually older than most media are reporting—the hack is an upgrade to a decade-old product that had a history of exploiting WhatsApp to access phones.
The reality is that the WhatsApp hack is a reminder that we all need to stay proactive and vigilant when communicating. Here are 5 things to know when it comes to the hack, WhatsApp, and secure communications:
- You should be extra cautious.
This attack primarily targeted high-profile individuals—like politicians, journalists, and political dissidents—so the number of phones that were hijacked was only in the dozens. But that doesn’t mean you shouldn’t be careful with the conversations you have on WhatsApp or any messaging app. A good rule of thumb: never share anything that you wouldn’t want posted on a bulletin board.
- It’s worse than phishing.
In the past, phones have been compromised over WhatsApp thanks to phishing texts. The latest hack is more complex—even if users ignore the phone call, the spyware is still installed. Become more aware of security and privacy as these attacks continue to evolve.
- This isn’t the first time.
Just this fall, Facebook, WhatsApp’s parent company, announced it had fixed a bug that allowed hackers to take over users’ applications if they answered an incoming video call.
- Your messages are (probably) being saved to the cloud.
WhatsApp settings default to saving your conversations to the cloud. Those backups are not protected by end-to-end encryption, and anyone with access to your cloud, or who can hack it, can access those conversations. Understand your settings and where your information is being stored.
- Your device is the weakest link.
Hackers prefer to try to compromise your device rather than try to capture your encrypted messages in transit. WhatsApp’s end-to-end encryption does not account for that. At a minimum, take the appropriate steps to secure your device.