As we know, governments around the place have been very unhappy with WhatsApp and others – Telegram, say – using end-to-end encryption. For this means that not only can’t the bad guys gain access to our data and messages, but nor can the good guys. Who they are – good and bad – depends, of course, on your own evaluations of Mossad, the FSB, FBI, NSA and so on. It’s entirely possible for the same organisation to be both, even to the same group of people, even as it’s obvious that they will be to different groups.
There have even been insistences that end-to-end encryption should not be allowed at all, so that the bad good guys can spy on the good bad guys. It being always the bad good guys making those insistences.
Now we find that WhatsApp itself is vulnerable to spyware. But it needs to be said that this isn’t quite as some have it. It’s not saying that a standard conversation over WhatsApp can be decoded. That’s not it at all.
“Since WhatsApp was acquired by Facebook in 2014, users of the messaging app have long speculated on how secure the platform would be from its new parent company’s data collection practices. What users may not have expected, however, was that their conversations could potentially be tapped by a third party — another company with the means to create powerful malware that could intercept protected conversations, as reported by the Financial Times on Monday. The report outlines allegations that an Israel-based company was able to successfully install malware that could have been used for surveillance on phone calls made over the app.”
Well, no, not really. This is better:
“WhatsApp is encouraging users to update to the latest version of the app after discovering a vulnerability that allowed spyware to be injected into a user’s phone through the app’s phone call function.”
WhatsApp is used to install code on the target phone, the phone then becoming the spy device. That’s different from WhatsApp itself being spied upon. The original is in the FT:
“A vulnerability in the messaging app WhatsApp has allowed attackers to inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said. WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function. The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack.”
WhatsApp is the delivery method, not the code being breached.
And as to the merit of end-to-end encryption? Sure, it means the bad good guys can’t listen in to what the good bad guys are doing. But a secure end-to-end encryption system does mean that the good bad guys can’t listen in to the bad good guys too. Or, more importantly to you and me, they can’t listen to us.
The easy way round end-to-end encryption (whatever colour of hat you’re wearing) is to install spyware on the end device. Whether that’s done by compromising WhatsApp or some other piece of software is irrelevant.