With news of the major WhatsApp vulnerability, which makes it possible to conduct surveillance on messages transmitted over the platform, Mike Campin, VP Engineering at mobile threat defence specialist Wandera, explains the impacts of this vulnerability and how IT teams should respond.
This new type of attack is deeply worrying and shows how even the most trusted mobile apps and platforms can be vulnerable. While this attack is based on a previously identified exploit known as Pegasus, the fact that it has been repackaged into a form that can be delivered via a simple WhatsApp call has shocked many. While WhatsApp is not typically used as an official corporate messaging application, it is used widely internationally on both employees’ personal devices and corporate-issued devices, and once exploited via this new attack, the attacker has complete control and visibility of all data on the phone.
IT teams have an urgent job to do today. First, they need to take inventory of how many of their users are currently running an outdated version of WhatsApp on their devices to assess potential vulnerabilities. They need to instruct all their staff to update to the latest versions of WhatsApp, which were released on the App Store and Google Play on 10 May 2019. Then, they need to revisit their policies on which apps their employees can use for work purposes, whether that be on their own personal smartphones or corporate-issued devices.
Bear in mind that this isn’t the first time WhatsApp’s security has been brought into question. We’ve seen recent incidents of ‘whishing’ – phishing messages over WhatsApp – that have been launched to dupe users. WhatsApp’s ‘end-to-end encryption’ badge certainly shouldn’t be mistaken for a guarantee that communications are secure.