The discovery that hackers could spy on WhatsApp should alert users of supposedly safe messaging applications to an uncomfortable truth: «End-to-end encryption» sounds good, but if someone can enter the Your phone’s operating system, you can read your messages without having to decrypt them.
According to a report published on Tuesday in the Financial Times, the spy software that violated security was Pegasus, created by the Israeli company NSO. Malware could access a phone’s camera and microphone, open messages, capture what appears on a user’s screen, and record keystrokes, which makes encryption meaningless. It works on all operating systems, including Apple’s iOS, Google’s Android and the version of Windows that is rarely used on Microsoft mobile devices.
The cyber security community has known for years, and activists have criticized its use against dissidents and journalists in dozens of countries, although NSO says it does not sell Pegasus to undesirable regimes and that the application is disabled in the U.S.
Before Pegasus was supposed to work, the victim had to click on a phishing link to install the malware. But according to a brief technical description of the hack published by the owner of WhatsApp, Facebook Inc., now it seems that hackers can install the malware simply by calling the target.
This is not the first case of vulnerability of this type to be discovered in a supposedly secure messaging application. Last year, Argentine security investigator Ivan Ariel Barrera Oro wrote about a flaw in Signal, an application used by the informant Edward Snowden. In that case, a hacker could send a specially designed Internet address in a Signal message that would download the malware.
However, it is important to realize that spyware that can be installed without any action by the user can be reached through any channel, be it an encrypted messaging service, a browser, an email or an SMS client with a Unfounded vulnerability that allows such an attack.
These are simple applications that run on an operating system, and once a part of the malware is introduced into the latter, you can control the device in many ways. With a keylogger, or key logger, a hacker can see only one side of a conversation. But you can also take a screenshot of a user and see the entire discussion, regardless of the security precautions built into the application you are using.
«End-to-end encryption» is a marketing device used by companies like Facebook to reassure consumers who distrust cibervigilancia in a false sense of security.
The struggle between technology companies that promote end-to-end encryption as a way to avoid government espionage and state agencies that protest its use is a smokescreen. Government and private hackers work frantically on new methods for deploying system-wide, OS-privileged malware. Companies like NSO are at the forefront of this important work, which can help catch terrorists and prevent attacks, or imprison dissidents and disrupt revolutions against dictatorial regimes.
It is likely that the WhatsApp episode will further the reactions against NSO and the export license that he owns from the Israeli government to sell Pegasus. But if this particular company stops developing the malware, others will take its place.
The harsh truth for activists and journalists who need safe messages is that the more technology experts are, the safer they can make their digital communications. One can, for example, encrypt messages on a non-networked device before sending them over the phone. But even that would not guarantee complete security as the answers could be stolen through a screenshot.
Truly secure communication is only possible in the analogue world, and then all the old-school espionage techniques are applied.
The content poured in this opinion column is the sole responsibility of its author, and does not necessarily reflect the editorial line or position of the counter.