The phrase “WhatsApp targeted attack” is something no WhatsApp user wants to see in a headline.
Add in “hackers were able to remotely install surveillance software” and the company’s PR department have got a big day on their hands.
WhatsApp says a small number of accounts were attacked by “an advanced cyber actor”.
But if that entirely normal phrase hasn’t quite put you at ease, here are a few tips to help keep your information safe.
Update, sleep, repeat
The attack was first discovered earlier this month.
At the time Facebook, which owns WhatsApp, told security specialists the issue was: “A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.”
Cool.
Let us roughly translate – attackers used WhatsApp’s voice call function to ring a target’s device.
Even if the call wasn’t picked up, the surveillance software could still be installed because of that “vulnerable VOIP” not being secure enough.
The call then may have disappeared from the device’s call log because hackers had control of the app.
And no, the fix isn’t just a case of turning your phone off and on again.
On Monday, WhatsApp suggested its 1.5 billion users update the app after rolling out a fix to help protect devices from cyber attacks.
You’ll have to do this one manually so that little red dot hovering above App Store (or whatever your phone does to give you a passive-aggressive nudge) isn’t going to take care of itself this time.
Even though messages in WhatsApp are end-to-end encrypted, which means they should only appear on the sender or recipient’s device, the surveillance software used in the latest hack would have let an attacker read the target’s messages.
It’s probably best to keep on top of all your app updates as they often include tweaks to security.
Get off the cloud
You probably know about end-to-end encryption – one of the biggest appeals of WhatsApp.
But if you – or your friends – back up your WhatsApp chats to a service like Google Drive or iCloud, there is a flaw.
That back-up is not protected by end-to-end encryption, so anyone with access to your cloud could get hold of your chat history.
So if you really care about privacy, then that’s something you might want to disable.
You might get the odd prompt asking how often you want backups – but if you want to change it now then head to the Chat Backup area of your settings.
Sweet 2FA
If your app supports it (which WhatsApp does), two-factor authentication (2FA) is a good way to help keep data safe.
This is an extra layer of security to make sure people trying to gain access to an online account are who they say they are.
First, a user will enter their username and a password. Then, instead of immediately gaining access, they’ll be required to provide a finger print, a voice command, or a code texted to your mobile device for example. Sometimes it’s some extra information. You know the drill: first pet, mother’s maiden name – those guys.
Again you can change two-step verification in your settings in WhatsApp.
Add the layers that suit you
WhatsApp (and loads of other apps) offers a range of security and privacy control. Go to Settings > Account > Privacy to see everything at your disposal.
From there you can control who can see your “last seen”, profile photo and live location.
You can also turn off read receipts here, so the blue check marks are switched off.
You can go for all or none of those depending on who you want to let see various aspects of your chats.
Don’t lose loads of sleep over it
This hack is perhaps a bit more urgent if you’re a lawyer, activist, human rights worker or journalist.
According to the non-profit Committee to Protect Journalists these are the most likely people to have been targeted in this attack.
