In tap-and-mouse games, no one’s safe, not even WhatsApp
A digital security company got past WhatsApp’s famed security simply by placing a call to a device
The WhatsApp hack is not the first nor the last time “invulnerable” encrypted systems prove to be anything but.
In all such cases, it’s useful to remember the showdown between Apple and the FBI after terrorists Syed Rizwan Farook and Tashfeen Malik killed 14 people in California in 2015.
The Feds wanted data on Farook’s iPhone, but couldn’t crack the security. Apple wouldn’t help. A bust-up ensued.
Just as quickly it went away. The FBI didn’t need Apple. They’d found a way in.
At least, someone else had and was prepared to sell it to them for $900,000.
That company was Cellebrite, an Israeli cyber-arms firm and part of an extraordinary cluster of digital security startups emerging from the IDF, Israel’s military.
You don’t hear about bust-ups between the US government and Apple any more – because Cellebrite can reportedly hack into more or less any phone, including the latest models such as the iPhone X, and is quite happy to do so for a fee.
At the end of 2017, it did just that in the case of a suspected arms dealer detained by the FBI.
NSO – the group believed to be behind the WhatsApp hack – has form too and, like Cellebrite, is Israeli-based (although US and British-owned).
In 2016 it was revealed to be behind sophisticated spyware that could install itself on any iPhone, merely through a tap of the screen.
Now it has gone one better, getting past WhatsApp’s famed security simply by placing a call to a device – one that didn’t even have to be answered.
The remarkable thing is that anyone should be surprised. Israeli military hackers, after all, were a key part of the Stuxnet attack that derailed Iran’s nuclear programme.
Getting into supposedly hyper-secure systems is their job.
For years government intelligence agencies worldwide have complained that encryption techniques routinely available in apps and smartphones represent a major national security threat.
In 2017 Britain’s National Cyber Security Centre technical director Ian Levy and technical director for cryptanalysis at GCHQ Crispin Robinson went so far as to propose a backdoor for the British government to listen in on chats and message conversations otherwise protected by “end-to-end” encryption, such as those on WhatsApp.
No doubt such systems do pose real difficulties.
But reinforcing the “impossible to crack” narrative may also help to keep suspects complacent – and tapping out messages that they think no one else can see.
What this week’s revelations make clear is that there are always workarounds.
Nothing is truly secure, because human design teams are not utterly infallible.
What endures is, as always, the cat-and-mouse race to craft an advantage – and exploit it.
– © Telegraph Media Group Limited (2019)