WhatsApp patches vulnerability after users targeted with Israeli spyware

WhatsApp is urging its 1.5 billion users to update their apps as it patches a vulnerability that gave hackers access to phones.

For its parent company Facebook, the breach is only the latest troubling incident that has regulators demanding answers.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a WhatsApp spokesperson said in a statement on Tuesday. “We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”{mosads}

The Financial Times reported on Monday night that software developed by the Israeli private intelligence firm NSO Group could be used to compromise phones simply by calling them through the app, even if the recipient didn’t answer. According to the report, the exploit could be used to steal data from a target’s phone.

An NSO spokesperson said that it would investigate any misuse of its software, which has been used by governments like Saudi Arabia, the United Arab Emirates and Mexico.

“NSO’s technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror,” the spokesperson said in the statement. “The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.”

The spokesperson would not say which of its clients might have been behind the attack, or whether it would cause NSO to terminate its partnership with the actor.

According to the Times, the exploit had been used to target an unnamed human rights lawyer in the United Kingdom representing dissidents from Mexico and Saudi Arabia.

WhatsApp, which is owned by Facebook, has fixed the vulnerability and is urging its users to keep their apps and their mobile operating systems updated.

The vulnerability comes as Facebook has made WhatsApp and its encrypted messaging platform the centerpiece of its plans to pivot to a new business strategy focused on privacy.

And the flaw could do further damage to Facebook’s reputation as it fends off regulatory scrutiny around the world after a year of privacy mishaps.

Regulators in the U.K. and Ireland also urged WhatsApp users on Tuesday to keep their software updated following the revelation.

The U.K. National Cyber Security Centre alerted WhatsApp users and said the company had advised that “dozens” of users may have been affected.

The U.S. Federal Trade Commission has so far stayed quiet and has not issued any advisories to American WhatsApp users. An FTC spokeswoman declined to comment when contacted by The Hill.

WhatsApp believes a select group of users were targeted with the exploit and is briefing human rights organizations about the vulnerability, according to a person familiar with the matter.

WhatsApp notified the Department of Justice last week, the person said.

Despite NSO’s assurances that it oversees the use of its software, the company has been accused by human rights groups of enabling authoritarian governments to spy on journalists and dissidents.

This week, Amnesty International and other civil society groups petitioned the Israeli Ministry of Defense to revoke the surveillance company’s export license, citing evidence of its work with human rights abusers.

According to the Financial Times story, the WhatsApp exploit was used to target a lawyer in London who represents a Saudi dissident and a group of Mexican journalists in a lawsuit against NSO. The Times did not name the lawyer but said the attack did not succeed.

“Their tools are being used over and over again by the same states to target innocent people illegally,” said Peter Micek, general counsel for the digital rights group Access Now. “They know who their clients are and they have not put up any evidence to counter the findings of scientific researchers.”

“The gall in that situation of to exploit such a trusted and massively used product is amazing,” Micek added.

Tom Kellermann, a cybersecurity expert at Carbon Black and a former member of the Obama administration’s Commission on Cyber Security, said the episode illustrates the need for a set of global standards governing cybersecurity conduct by governments and private firms.

“These folks are providing true weapons to nation-states that are neither rational or benevolent actors,” Kellermann said of the NSO Group. “I would be very concerned for my cyber or physical well-being if I’m a dissident or journalist.”

Updated on May 15 at 10:03 a.m.