I have been posting about WhatsApp recently so I thought I would make them all into a small blog.
I was surprised (or maybe I wasn’t) when it was recently revealed that the Prime Minister was using WhatsApp to communicate with his cabinet. The Digital Exposure vulnerabilities this creates for the PM would be immediately apparent to a Hostile Threat.
I would have thought the reason why a High Value Target such as the PM should consider moving to a more privacy-focused alternative would have been obvious.
Yes, of course we know WhatsApp is encrypted (they borrowed it from Signal), but it obtains a lot of metadata about the user, such as location information, contact information, user content, purchases, diagnostic information and more.
If you back your WhatsApp messages up to iCloud, they are not encrypted. You may not even know you are backing your chats up to iCloud if you haven’t taken the time to lock your mobile phone down.
Unless you know the workaround, you can only use WhatsApp by syncing your contacts. This is a massive OPSEC & Privacy vulnerability for a High Value Target. 89.6% of all phishing attacks carried out on messenger apps are delivered using WhatsApp. The Israeli cyber intelligence company NSO uses WhatsApp to deliver its spyware, Pegasus, which is aimed at people who would be considered High Value Targets and can infect both Android phones and iPhones.
WhatsApp was founded in 2009 and bought by Facebook in 2014 for $19 billion, a figure that valued each of the app’s 450 million users at around $42 a head. Facebook’s biggest property is now WhatsApp. The price may seem astonishing, but in reality $42 a head is a small price to pay for all the metadata that they receive on a daily basis from users, data that could be monetised by Facebook itself or by selling the information to third parties.
The latest WhatsApp statistics show that two billion of its users access the messaging app every month (Statista, 2021). That’s 0.7 billion (or approximately 54 percent) more than its closest rival and parent company’s Facebook Messenger.
Don’t forget WhatsApp is rolling out a new Terms of Service globally, which faced an initial backlash from users in relation to what information it would be sharing with its parent company.
Just think of how many people use WhatsApp to create groups so they can communicate with colleagues when at work or outside of work; some will work in sensitive roles. WhatsApp won’t know what the text is in the message, but they could be able to work out who these people are, or the buildings they work from, etc. The metadata will not be anonymous.
For further reading on this subject: https://www.wired.co.uk/article/whatsapp-instagram-facebook-data
I have also read articles that the PM’s mobile number was available online; it doesn’t appear he has been practicing good mobile hygiene or OPSEC. If I was a Hostile Threat, this would provide me with numerous opportunities and pivot points to exploit the number further.
If I was a Hostile Threat and I knew your mobile number, then I could gain a certain amount of access to your WhatsApp account. Better still, if you leave your phone unattended I could either steal your account or duplicate it on my device, depending on what countermeasures you have deployed.
I have recently read that WhatsApp is going to make syncing your WhatsApp account to other devices a more seamless experience. Maybe not the best option from a privacy and security perspective.
At least there is a certain amount of security currently. If someone does sync your account to the desktop app without your knowledge, the link is reliant on your mobile phone having a stable internet connection. When you lose internet, it breaks the connection to the desktop, which means a Hostile Threat would need to re-sync your account. You should always check ‘Linked Devices’ in your settings.
I totally understand that WhatsApp is convenient and all your friends and family are probably using it. In reality it is a personal choice and depends on what you consider your own personal Threat Model to be. There is always a balance to be struck between Privacy, Security and Usability.
Check out my other blog at https://www.cqcore.uk/something-a-little-different/ if you are interested in having more private, secure communications.
© cqcore 2021