Every once in a while a major bug, vulnerability or security scare will spark panic. In most cases, it’s absolutely unnecessary panic.
Take yesterday’s reported vulnerability. Israeli hacking outfit NSO Group, a developer of malware typically used by governments, was caught using a hack targeting WhatsApp that allowed the attackers to remotely spy on the victim’s phone. The exploit was almost invisible, according to Financial Times, which broke the story. The only indication that a phone might have been hacked is a missed call, often later deleted from the call log.
WhatsApp owner Facebook said it detected the hack and pushed out a fix to the app stores last night. WhatsApp didn’t mention the attack in its release notes, sparking criticism from some security experts for downplaying the risk of the vulnerability.
There was just one small missing piece of information from most reports: You probably weren’t a target.
Unless you’re a nuclear scientist or a government spy — or in this case a human rights lawyer — you’re probably not of any interest.
Exploits like the ones used in WhatsApp require a lot of time and effort to develop. They also have to be effective, undetected and reusable. Every time an exploit is used against a target runs the risk that someone finds out — the very opposite of covert surveillance.
“This attack was not about mass surveillance, it was used against highly targeted people,” said Alan Woodward, a computer science professor at the University of Surrey. “The likely cost and risks to those deploying this exploit means they would have used it only on very selective targets,” he said.
It’s becoming increasingly common to report hacks and breaches without offering context to the victims involved. Every time we report a security lapse, we try to contextualize it so confirmed or possible victims can take measures to protect themselves. The risk is if we don’t, it sparks panic and uncertainty. Worse, confusion leads to misinterpretation, which results in shoddy reporting and a misinformed public.
It’s sometimes called “hack porn,” where fanciful and obscure hacking techniques are covered like they’re drive-by downloads, or nation states are hacking everyone en masse. There’s no harm in reporting the information, but in a way that’s proportional to the risk posed to the possible victims involved.
“The general public should be aware, update the software, but certainly not rush to abandon the application,” said Woodward. “To their credit, WhatsApp found this almost invisible attack,” he said.
“No software is 100% secure,” said Woodward. “As long as you practice good security hygiene such as keeping your passwords secure and your apps up to date, the vast majority should be quite safe from this attack, even if you are a target.”
Yesterday’s news is a reminder that as much as sophisticated, nation state-backed hacks exist to target a fraction of the 1%, it never hurts to keep your apps up to date.
- Samsung spilled SmartThings app source code and secret keys
- Security lapse exposed a Chinese smart city surveillance system
- A leaky database of SMS text messages exposed password resets and two-factor codes
- Chipotle customers are saying their accounts have been hacked
- We found a massive spam operation — and sunk its server
- Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked
- Stop saying, ‘We take your privacy and security seriously’
- Robocaller firm Stratics Networks exposed millions of call recordings
- Massive mortgage and loan data leak gets worse as original documents also exposed