
WhatsApp Breach: The IT Industry’s Perspective on the Incident

The infamous WhatsApp breach put users at risk of being infected by spyware, which could possibly steal or even modify personal data on mobile phones

Supriya Rai

The WhatsApp breach was unfortunate news that troubled almost everyone a few days back. A vulnerability, now identified as CVE-2019-3568, affected WhatsApp users on both Android and iOS. The vulnerability possibly allowed nefarious elements to install spyware and steal or even modify personal data just by placing a WhatsApp call, even when the call was not answered.


“The victim would not be able to find out about the intrusion afterward as the spyware erases the incoming call information from the logs to operate stealthily,” said Oded Vanunu, Head of Products Vulnerability Research, Check Point Software Technologies. “Our day-to-day applications are targeted by malicious actors to gain access to our private and sensitive data or even to gain full control of our device. Such methods will continue to be used by malicious actors because of the heavy usage of these applications.”

However, WhatsApp is now encouraging customers to update their apps as quickly as possible, and to keep their mobile operating system up to date, to prevent the vulnerability from being used to access consumer data. Nonetheless, the WhatsApp breach once again reminds organizations that there is a need to keep two steps ahead of individuals with malicious intent. Along the same lines, here is what players from the IT industry had to say about the WhatsApp breach.

WhatsApp Incident a Lesson to many Enterprises and Technology Leaders - DD Mishra, Sr Director Analyst, Gartner


The recent security incident associated with WhatsApp gives key lessons to many enterprises and technology leaders. The usage of instant communication applications is both an area of growing interest and a contentious debate for enterprises. Enterprises are not simply engaging technologies like Facebook's Messenger and WhatsApp, but are going beyond that, for example, by integrating WeChat with their CRM program. The benefits of instant communication are too valuable for enterprises to overlook. And indeed, many of these apps, such as WhatsApp, have added end-to-end encryption to their solutions. However, enterprises often will find it difficult to satisfy enterprise security requirements and compliance regulations. For example, a major area of concern for Gartner clients in the financial space is how to perform archiving of WhatsApp communications to comply with regulatory requirements. Realistically, consumer apps will be used for everyday conversations, logistics and appointment arrangements, especially with clients, but perform due diligence by dictating what kind of information should not be sent via these apps. Enterprises that employ data classification could allow "public data" to be sent via these apps. Also, define in the policy whether attachments are allowed to be sent. IT leaders need to utilize a combination of policy, additional tools and monitoring to ensure compliance and secure usage of WhatsApp, WeChat and other popular communication apps. Usually, we should complement policy measures with monitoring mechanisms to confirm employee adherence to the policies. Deviations from the policy should be met with additional training. However, add-on tools and measures, such as activity monitoring, can only be implemented efficiently if the instant communication app providers either add them themselves, or they open up their solutions to third parties. Unfortunately, this is not the case yet. 
For example, today, enterprises can do an app inventory of the apps used by a user and identify if the user is using WhatsApp, but they cannot monitor the usage of the app to see if an attachment sent is an enterprise file or a personal picture. Some workarounds could be found, but for advanced enterprise functionality, security leaders will need to deploy separate applications.

Do not exchange critical or confidential information through chat apps - Pankit Desai, Co-founder and CEO, Sequretek

An app like WhatsApp is a ubiquitous tech, but interestingly, a large number of its users are not tech savvy. Thus, for protecting the information or for a breach in such apps, the onus lies on the companies. Because of the sheer nature of the app, its usage is high, which means any kind of breach can have a large impact on its user base. And when the breach comes from a sophisticated company which has a reputation for developing hi-tech software which can activate one’s microphone or camera, the impact can be deadly. NSO Group, which has reportedly built the hack responsible for the WhatsApp breach, has in the past designed a sophisticated attack software, Pegasus, which they have sold to foreign countries with questionable human rights records. What may surprise the users of WhatsApp is that on one side, the chats are claimed to be encrypted and then a breach happens. No estimate of damage has been shared; we don’t know yet if they would be fined. In such a situation, users can only feel helpless. In my view, as a safety measure, one should not exchange critical or confidential information through such chat apps but only through officially encrypted corporate communication channels, especially for work-related sensitive information.


Using a behaviour-based approach rather than a threat-based one may help - Carl Leonard, Principal Security Analyst, Forcepoint

While the majority of WhatsApp’s users are unlikely to be targeted by this particular attack, attacks like these have huge privacy implications. Traditionally, malware developed by sophisticated threat actors leaks into the wider cybercriminal ecosystem and is repurposed for financial gain, targeting the mass market. This is early days for this particular malware but it is critical to patch, and turn on auto-updates if possible, for all applications, not just WhatsApp. WhatsApp became aware of the vulnerability in early May, and notified the appropriate authorities and victims. The bug can be exploited based on a decades-old type of vulnerability – a buffer overflow. A victim’s device would act very differently than a non-infected device, and while no details of the actions taken by this malware have emerged, one could assume that an attacker may seek out bulk contact lists, email data, location data or other personal information. Rather than using a threat-based approach (where security professionals block individual threats, one by one), using a behaviour-based approach can pay dividends. By analysing the normal behaviour of a device, or in enterprise terms, any entity on a system, security professionals can act on the anomalies and stop even the most sophisticated attack quickly.

Cyber security concerns cannot be ignored - Devashish Sharma, CTO, Flock


Today, security has become an area of concern for all businesses, with organizations scrambling to take measures to protect against cyberattacks. This is also true in the case of communication and collaboration platforms used by businesses and teams. While these apps have made life easier for teams to communicate with each other, enterprises need to be aware of the significant security risks they run by depending on non-compliant generic messaging platforms for business-critical communications. Communication is a core need for any business and it is imperative for CTOs and CIOs to opt for platforms built and designed with enterprise security and compliance needs in mind. The recent breach displays the sophistication levels of today’s threats and reiterates the fact that cyber security concerns cannot be ignored.

Check if your WhatsApp is Updated - Sunil Sharma, Managing Director – Sales, India & SAARC, Sophos

The vulnerability is now fixed, which means that if you’re one of WhatsApp’s 1,500,000,000 users you need to go to the well and drink up the latest version. There’s a good chance your app’s already updated itself, but this is a serious vulnerability so we advise you to check all the same.
