What’s up with WhatsApp Cybersecurity?
Consumer-grade mobile applications have recently enjoyed excellent cut through, be it in the consumer world or the business world. Many have taken over from traditional productivity and communication tools used by corporate employees. Chief amongst these is none other than the Facebook-owned cross-platform messaging and voice over IP (VOIP) service – WhatsApp.
But what about WhatsApp’s cybersecurity? Should CISOs, IT Leaders, and Information Risk Managers be concerned about WhatsApp? And what is the scale of the WhatsApp cybersecurity challenge?
The mega-app has relished sensational uptake across the globe (save China where WeChat is distinguished and preeminent). Usage statistics for WhatsApp are a moving target, especially as Facebook tends to lump WhatsApp statistics together with Facebook Messenger. However, one can be reasonably certain of the following eye-watering figures:
- Number of users: 1.5 billion
- Number of daily users: 1 billion
- Daily messages: 65 billion
- Daily voice calls: 100 million
- Daily video calls: 55 million
WhatsApp cybersecurity is undoubtedly a challenge whenever these messages, calls, and videos include any sensitive or private information. The possibilities are many.
WhatsApp for Business
Early in 2018, Facebook launched the WhatsApp for Business API, in an effort to begin monetising its significant user base. WhatsApp for Business is a consumer-facing version of WhatsApp that enables businesses to communicate with their consumers. Consumers are also able, in this way, to circumnavigate call centres and reach out to enterprises, without the wait or hassle involved in making an actual call. To be clear: today’s discussion focusses on WhatsApp; the private messaging platform, and not WhatsApp Business. Although I will in future blogs cover IT integration, infrastructure, management and operational risks associated with scaling your consumer-facing communication over applications of this kind. I will also discuss CISO as a Service, for organisations that do not have deep cybersecurity expertise facing challenges such as WhatsApp cybersecurity.
WhatsApp has often and loudly proclaimed its much vaunted end-to-end encryption technology. And to good effect: even notionally security-sensitive individuals such as Boris Johnson, the UK’s previous foreign secretary, use WhatsApp professionally. Mr. Johnson last year made headlines when a WhatsApp message he sent was leaked to the media. But even the best encryption does not prevent many of the WhatsApp cybersecurity challenges that face business. A screenshot or photograph of valuable company information can easily be taken and shared with anyone in the world. This was also highlighted by the recent Australian Federal Government leadership spill, where a conversation about Julie Bishop’s leadership was screenshotted and leaked.
WhatsApp Business Users
On a more prosaic level, the app has been a boon for business travellers seeking to avoid high text and roaming charges in foreign countries. The typical WhatsApp business user is not concerned about WhatsApp cybersecurity, but is seeking convenience. WhatsApp’s group chat feature attracts co-workers and project teams who use it to quickly update each other during the work-day. Business users report gravitating towards WhatsApp for inter-company communication due to its swift, informal style and simple interface – when compared to email. Some WhatsApp groups demonstrate how immediate and valuable this form of messaging can be. The Financial Times reports on a study that describes how emergency surgical teams using WhatsApp found the chat group flattened the hierarchy, allowing junior trainees to access more experienced clinicians, who provided swift and accurate support and supervision in a crisis. However as always, the downside of speed is higher risk – and speed of communication increases the WhatsApp cybersecurity issue.
The Dark Side of WhatsApp
This informality can also be a problem – and creates business problems outside of just WhatsApp cybersecurity. Employees, feeling more at ease with the system are less likely to impose a professional degree of self-censorship. For example, last year the UK’s financial regulator, the Financial Conduct Authority, fined Christopher Niehaus, previously an MD at Jefferies bank, over £37,000 for a WhatsApp message. He passed confidential client information to a “personal acquaintance and a friend” over WhatsApp to “impress”. This type of “casual oversharing” has seen many banks, including Goldman Sachs and Deutsche Bank, banning the use of WhatsApp on company-owned mobile devices. There is also mounting evidence that work-based WhatsApp groups have a “dark side”. Functioning often as virtual water coolers, some corporate WhatsApp groups increasingly feature cyber-bullying, oversharing, undermining of management and the airing of workplace grudges. While some of these are clearly issues related more to HR, should these conversations for one reason or another become public, there are certain to be serious reputational consequences for the company involved. Additionally, if an employee’s or customer’s data is breached via these platforms, General Data Protection Regulation (GDPR) and the local Mandatory Data Breach (MDP) regulations come into full force.
Ensuring WhatsApp Privacy Compliance
I segue into a privacy issue, rather than strictly a security issue, but it is worth a brief discussion. Australia has a comparatively employer-friendly interpretation of privacy in the workplace. While an employee’s personal information must be carefully secured by employers (as per GDPR and MDPR), the data an employee shares over internet, email and other platforms at work, or while using an employer’s resources, belongs to the employer. A well-considered social media and messaging policy must explicitly denote this, and indicate that sharing any type of proprietary, sensitive, private or competitive information over WhatsApp should in the strongest terms be prohibited. For organisations that do not have an inhouse expert to create and enforce such policies, leveraging Cyber security as a Service is an alternative
Here is why WhatsApp is relatively easy to hack.
A host of spyware apps, designed specifically for WhatsApp, are available on both iOS and Android. In fact, they are as easy to acquire as purchasing them from the iTunes or the Play store! Marketed at concerned parents wishing to spy on errant teenagers, the spyware is in fact very powerful and can swiftly compromise a company-wide WhatsApp group chat when in the wrong hands. However these handy apps make for a WhatsApp cybersecurity minefield. Spyware such as MxSpy can be set up on target phones or devices in under 5 minutes. Should a competitor, saboteur or corporate spy have identified loose communications within a key WhatsApp group chat, they need only spend a few minutes with a target’s phone to load spyware. The spyware is designed to not only be invisible to the target, but will not be identified by any form of security software on the target’s phone. Once loaded, the WhatsApp chat can be observed from another device, this includes listening to phone calls and messages, downloading shared files and images, as well as downloading a full back up of all chats to date.
Permeable Group Chats
Wired reported early this year on a fairly sizeable flaw in WhatsApp’s group chat facility. Researchers from the Horst Gortz Institute for IT Security at Ruhr-University Bochum, in a paper titled More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema, zeroed in on the vulnerabilities presented by group chats across WhatsApp, Signal and Threema. The team uncovered significant gaps specifically in WhatsApp’s group chat security. It turns out that while WhatsApp’s one-to-one chat security is more or less watertight, from a group chat perspective there are some issues. Anyone with access to WhatsApp’s servers could easily insert new users into private groups, without the permission of the administrator who notionally manages access to the group. While it would certainly take a degree of sophistication to hack WhatsApp’s servers, the principle of end-to-end encryption is now invalid. End-to-end encryption should mean that every server partaking in the process also has no visibility of the data – with WhatsApp this has been shown not to be the case.
If you build a system where everything comes down to trusting the server, you might as well dispense with all the complexity and forget about end-to-end encryption
Matthew Green, cryptography professor, Johns Hopkins University
The problem is simple: while only a WhatsApp group admin can invite new members, there is no authentication mechanism for that invitation. Therefore, with access to the WhatsApp server, a new member can simply be inserted into the group, free to view all future messages. Fortunately, the bug does not allow the interloper access to previous chat messages. The researchers alerted WhatsApp to the group chat security flaw, however the company was at best sanguine: claiming the group invitation bug found by the researchers was “theoretical” and not serious enough to qualify for Facebook’s “bug bounty”.
This year Facebook and Google announced a deal that allows Google users to back up their WhatsApp content to their Google Drive, without it counting towards their storage limit. However, the process also invalidates WhatsApp’s claim of end-to-end encryption. While messages, files and images are secure on your device, once the backup initiates, and the data moves to Google’s cloud servers, its safety is no longer guaranteed. To their credit, WhatsApp did clarify this vulnerability at the launch of the backup service.
WhatsApp’s end-to-end encryption does also not defend against phishing and user error. In August this year, Amnesty International reported being hacked via WhatsApp. An activist received a fake WhatsApp message asking for support, the message came with a link assumedly giving more information on the project. Amnesty International’s cyber security team uncovered malicious software at the website, aimed at penetrating the organisation’s database. While fortunately contained, the malware could have exposed the details of political exiles, activist refugees and sensitive Amnesty International projects.
WhatsApp is a Compliance Nightmare
You may have heard your IT department complaining about “Shadow IT”. Shadow IT occurs when employees turn to software and applications not provided, or explicitly regulated, by your firm’s IT department. Back in 2015, a Cisco report showed that businesses were using 20 times more unapproved cloud apps than they thought. While most app usage in this regard is benign: employees are simply seeking swifter tools with which to do a better job, the emergence of strenuous privacy regulations such as GDPR and MDPR make managing these types of applications unambiguously a business issue. Here’s the problem: WhatsApp is invisible to your IT department. As a business, you are still liable for the security of the information being shared, yet your IT infrastructure has no insight or control.
Mapping the Minefield
It would be extraordinarily self-defeating for a company to resist applications that foster better internal communications and improve customer engagement. However, with the protean swarm of emerging consumer-grade applications arriving daily via your employees’ personal devices, you need to afford your IT department the very best opportunity at visibility and control, with a view to airtight compliance. WhatsApp, and similar applications such as Slack and Skype for Business, are supplanting email and telephone, and delivering agility, fluidity and speed that can often define commercial and competitive advantage. On the other hand, an increasingly draconian regulatory environment imposes significant financial risk on companies that don’t take sufficient responsibility for the data they gather, store and send. A classic dilemma: how to optimize profitability while ensuring airtight compliance and security?
Lowering the WhatsApp Cybersecurity Risk
The key to resolving this dilemma is foresight, proactivity and planning. The aim is a cybersecurity approach that strategically aligns with your business objectives. From experience, I can say that this process requires ongoing consultation with committed cybersecurity partners, who have taken the time to understand how you do business. CISO as a Service or internal Information Security experts are a must, to undertake this planning and ensure business is conducted at lower risk.
A complete audit of your company’s information eco-system is an excellent place to start. By gaining an honest snapshot of the tools that are, and are not, being used, by whom, on what devices and why will give a bird’s eye view of how information is processed in your business. From there it is essential that the cybersecurity risks are mapped by network, server, device and user. Thereafter, through deep consultation with both C-suite and management teams, a vigorous, business-centric cybersecurity plan can be established, tested and deployed.
If done right, a tailored cybersecurity plan can contain and manage the risks of essential consumer-grade productivity apps and communication tools such as WhatsApp, without sacrificing efficiency or commercial advantage.