The WhatsApp vulnerability revealed earlier this week sounds terrifying.
Hackers could call a person on the WhatsApp messaging app and place malicious code on their phone in order to see their personal information — victims may not even have needed to answer the call for their phone to be infected, an expert told CNN Business.
But the vast majority of people were never at risk of having their private chats revealed by this attack. Regular users of messaging apps should still be concerned, however, and not just for themselves. No system is fully secure, experts say, and compromised high-profile targets could impact more than individuals.
Attacks like this are so sophisticated and expensive, experts say, that they’re typically only used against individuals in the crosshairs of government intelligence agencies and other well-resourced entities: people like dissidents, political figures and journalists.
“This is the kind of advanced exploit that would be highly selective in nature and would be available to only advanced and highly motivated actors,” a WhatsApp spokesperson told CNN Business.
The messaging app, which is owned by Facebook, said it has patched the vulnerability. It also worked with groups representing human rights workers before making details of the attack public earlier this week.
Most people assume WhatsApp is more secure than most methods of communication, like email. It uses a technology called end-to-end encryption, which should mean messages can only be read by those who send or receive them and can’t be intercepted along the way. The encryption essentially turns the sending and receiving phones into keys, and only those keys can open the contents of a message.
But experts CNN spoke to say that while end-to-end encryption is important and everyone should use it, users should not develop a false sense of security. If a person’s phone is hacked, the attackers could potentially read the messages that phone receives, even if they were sent through an encrypted service like WhatsApp or Signal.
Often, the biggest risk factor is the phone user themselves.
“The weakest link in the mobile phone messaging infrastructure is the end user’s phone,” Kurtis Minder, the CEO of GroupSense, a cyber security company, told CNN on Wednesday. “If someone wants access to your messages and information, they are more likely to compromise the device than capture the traffic across the network and attempt to decrypt [the encrypted messages].”
Citizen Lab, an academic security research group that investigates digital threats to civil society groups and online freedom of expression, has been investigating the most recent WhatsApp attack. John Scott-Railton, a senior researcher there, says the focus on end-to-end encryption can mean people forget about the security of their device.
Minder suggests people should view their phone as a computer and install the mobile equivalent of anti-virus software on all of their mobile devices.
And then there are the people who should always be on alert about their communications.
Earlier this year it emerged that Jared Kushner, President Donald Trump’s son-in-law and senior advisor, had used WhatsApp to communicate with foreign leaders. Cybersecurity experts expressed concern that highly sensitive government communications could be at risk of exploitation by foreign governments and hackers.
“Jared Kushner on his personal phone using a free commercial service that is connected to a company with huge security breaches is a recipe for disaster,” Daniel Schuman, a former House staffer who chairs the Congressional Data Coalition, a nonprofit that aims to encourage smarter tech practices in Congress, told CNN at the time.
A London-based human rights lawyer was among the possible targets of the WhatsApp vulnerability. And Amnesty International claims it was targeted via a WhatsApp message containing NSO’s spying software in 2018 while working on a campaign to release six women’s rights activists detained in Saudi Arabia.
Minder warns that similar high-profile targets should exercise additional caution about communicating over any app.
“If someone is targeting you specifically, it is likely they will succeed,” said Minder. “So be careful what you share over mobile messaging, WhatsApp or otherwise.”