The WhatsApp spyware story tells us that nothing is secure


When Edward Snowden broke cover in the summer of 2013 and a team of Guardian journalists met up with him in his Hong Kong hotel, he insisted not only that they switch off their mobile phones but also that they put the devices into a fridge. This precaution suggested that Snowden had some special insight into the hacking powers of the NSA, specifically that the agency had developed techniques for covertly taking over a mobile phone and using it as a tracking and recording device. To anyone familiar with the capabilities of agencies such as the NSA or GCHQ, this seemed plausible. And in fact, some years later, such capabilities were explicitly deemed necessary and permissible (as “equipment interference”) in the Investigatory Powers Act 2016.

When Snowden was talking to the reporters in Hong Kong, WhatsApp was a four-year-old startup with an honest business model (people paid for the app), about 200m active users and a valuation of $1.5bn. In February 2014, Facebook bought the company for $19bn and everything changed. WhatsApp grew exponentially to its present ubiquity: it has more than 1.5 billion users and has spread like a rash over the entire planet.

Among its attractions is that it offers users effortless end-to-end encryption for their communications, thereby enhancing their privacy. Even Facebook can’t read their messages, although it can still see who is messaging whom, and when, because end-to-end encryption protects the content of a message, not its metadata. (Coincidentally, this provides Facebook with a get-out-of-jail card, because if users are sending all kinds of illegal, unsavoury or manipulative messages – and some of them are – then Facebook cannot be held accountable for them and its expensive “moderation” responsibilities are accordingly reduced.)

In 2015, WhatsApp introduced a new feature – free voice calls – and from 2016 those calls, like its messages, were end-to-end encrypted, which basically gave every user a facility hitherto enjoyed only by the political and military leaders of sophisticated states. Understandably, it became wildly popular, to the point where most intercontinental phone conversations between members of globally dispersed families are probably now routed through WhatsApp.

All of which explains the hoo-ha over the revelations last week that buried in the voice-call feature was a huge security hole. A tech-savvy baddie could place a WhatsApp call to a target phone and, through that call alone, covertly install spyware that turns the phone into a remote surveillance device. “Within minutes of the missed call,” reports the Financial Times, “the phone starts revealing its encrypted content, mirrored on a computer screen halfway across the world. It then transmits back the most intimate details such as private messages and location and even turns on the camera and microphone to live-stream meetings.” And the really impressive thing is that the offending call needn’t even be answered: the flaw lay in the code that processes an incoming call, so the phone was compromised while merely handling the call, and a missed call was enough for the intruder to drop its “payload”, software called Pegasus that can penetrate the deepest secrets of any smartphone. Note, too, what Pegasus does and does not defeat. WhatsApp’s encryption is not broken; it protects messages in transit. The spyware sits on the phone itself and reads them after they have been decrypted for the user, which is why the FT can speak of the phone “revealing its encrypted content”. Once the device is compromised, the strength of the encryption is irrelevant.

Neat, eh? As it happens, this is an older story than many media reports suggested. It was the latest upgrade to a decade-old product created by a secretive Israeli company called NSO. The technology is allegedly so powerful that the Israeli defence ministry is supposed to regulate its sale to foreign law enforcement bodies and state security agencies.

Research by Ron Deibert and his colleagues at the admirable Citizen Lab at the University of Toronto, however, suggests that Israeli supervision of NSO’s exports has been, to say the least, permissive. Citizen Lab has been tracking the use of Pegasus by the Mexican government and other operators since 2016.

Researchers have found that the spyware has been used to target a wide range of people who all have one thing in common: they are thorns in the side of the ruling administration. Victims include activists supporting the introduction of a soft-drinks tax; senior independent legislators and politicians; lawyers for the families of murdered women; the director of a Mexican anti-corruption group; and journalists investigating illegal cartels.

The methodology of attack follows a predictable pattern. In May 2017, for example, an award-winning journalist, Javier Valdez Cárdenas, the founder of RíoDoce, a Mexican newspaper known for investigating cartels, was gunned down near his office. Two days later, one of his colleagues received a text message naming the killers and including a link to purported documentary evidence; the link was, of course, the one designed to install Pegasus on his phone.

The new twist on this story is that the conduit for covert installation of Pegasus is now a simple WhatsApp call rather than a phishing text. After all, even the dumbest journalist knows not to click on a link from an unknown source. According to the FT, the new voice-call hack is being presented by NSO as an enticing new “attack vector”, which I’m sure it is for the kinds of authoritarian regimes that like this kind of thing. Think Bahrain, Morocco, Saudi Arabia and the UAE. But, intriguingly, NSO also claims to have contracts with 21 EU countries. So if you’re concerned about your security or privacy, buy a Nokia 3310 and keep the iPhone in the fridge.

What I’m reading

You won’t find this in any book
Go to Andy Matuschak’s website and read his terrific – and thought-provoking – essay about why books (and lectures) don’t work or, at any rate, are hopeless for learning.

AI? Uh-oh…
Benedict Evans has a great essay on his website about the weaknesses of machine learning.

Don’t mistake the part for the whole
A sobering survey conducted by the Pew Research Center and published earlier this month reveals that an astonishing number of people think that Facebook is the internet. An interesting and unremarked aspect of monopoly power.