1.5 billion phones vulnerable to Israeli spying hack

Another Massive Data Breach for Facebook

The popular WhatsApp free messaging app used by 1.5 billion people around the world to send free, encrypted communications to each other appears to have a security flaw exploited by spyware created by an Israeli firm to gain access to the underlying smartphones on which it operates.

In what is perhaps a sign that Facebook is either so large that it cannot manage its data, has so many products that it cannot keep them secure, or places so little value on privacy and security, the company now faces perhaps its largest security breach ever. According to the BBC, Facebook has revealed that a “select number” of its users were attacked by “an advanced cyber actor”, and news outlets including the New York Times point to an Israeli technology firm called NSO Group.

This sneaky hack worked by placing a WhatsApp call to the victim’s phone, which would then exploit the software vulnerability to insert the malicious code into the victim’s phone even if the victim did not pick up the call. Thus, there was no defense against this threat once the victim had the WhatsApp software installed on their phone. Even cautiously rejecting suspicious emails or screening unknown calls would not protect a user from a hack that works when the person doesn’t answer the phone.

A History of Hacking Smartphones

The NSO Group appears to be behind the exploitation of security vulnerabilities in the massively popular messaging application WhatsApp, used by more than 1.5 billion people around the world, including reportedly members of the Trump administration. The goal appears not to have been limited to gaining access to the text messages, photos or videos sent through WhatsApp, but to use WhatsApp’s vulnerabilities to access the underlying iPhone, Android, Windows or Tizen smartphone.

NSO Group was using the tools to spy on human rights activists and journalists, but naturally, once developed, a tool like this could conceivably be used to target anyone. It is not known how long the security vulnerability existed, who had access to the Israeli tools or whose smartphones were targeted. The New York Times says the hack was used to target lawyers involved in lawsuits against NSO Group, a Saudi dissident in Canada, a Qatari citizen and several journalists from Mexico. But the true breadth and depth of this hack may never be known.

This is not the first time the Israeli company has hacked smartphones. The secretive company was found in 2016 to be involved in a campaign to exploit security flaws in the Apple iPhone itself to spy on similar journalist and political activist targets and others. The company claims that its products are used to support law enforcement and fight terrorism. It claims that it follows strict ethical practices to ensure its products are not misused, but it will not reveal any information, submit to any oversight or participate in any outside investigation of this story.

So, what should you do?

Facebook, which owns WhatsApp, may know how extensive the damage is but has released limited information, other than to rapidly push out a security patch today and urge all users to update their smartphone apps. Facebook released a statement saying, “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.”

Notably, the latest WhatsApp software update from Facebook makes no mention of the security vulnerability as a reason for the software update.

Next Steps

At MyProfyle, we believe this threat is further proof that everyone’s information is at risk from many different sources and that we are all exposed multiple times per year. The solution to identity fraud is not to try to lock your identity or seek unobtainable privacy but to control your identity – not just your credit – by putting yourself in the position to know of, approve or decline activity conducted in your name. That’s MyProfyle Free For Life™ Identity Protection.

References

New York Times

BBC News
