WhatsApps End-to-End Encryption Is a Gimmick

(Bloomberg Opinion) -- The discovery that hackers could snoop on WhatsApp should alert users of supposedly secure messaging apps to an uncomfortable truth: End-to-end encryption sounds nice but if anyone can get into your phones operating system, they will be able to read your messages without having to decrypt them.

According to a report in the Financial Times on Tuesday, the spyware that exploited the vulnerability was Pegasus, made by the Israeli company NSO. The malware could access a phones camera and microphone, open messages, capture what appears on a users screen, and log keystrokes rendering encryption pointless. It works on all operating systems, including Apples iOS, Googles Android, and Microsofts rarely used mobile version of Windows.

The cybersecurity community has known about it for years, and activists have been raising hell about its use against dissidents and journalists in dozens of countries although NSO itself says it doesnt sell Pegasus to unsavory regimes and that it is disabled in the U.S.

It was previously assumed that for Pegasus to work, the intended victim had to click on a phishing link to install the malware. But according to a brief technical description of the hack posted by WhatsApps owner, Facebook Inc., it now appears hackers can install the malware simply by calling the target.

This isnt the first vulnerability of this kind to be discovered in a supposedly secure messaging app. Last year, Argentinian security researcher Ivan Ariel Barrera Oro wrote about a flaw in Signal, an app favored by Edward Snowden. In that case, a hacker could send a specially crafted internet address in a Signal message and it would download the malware.

Its important to realize, however, that spyware that can install itself without any action on the users part can arrive through any channel, be it an encrypted messenger, a browser, an email or SMS client with an undiscovered vulnerability allowing such an attack.

These are merely applications running on top of an operating system, and once a piece of malware gets into the latter it can control the device in a multitude of ways. With a keylogger, a hacker can see only one side of a conversation. Add the ability to capture a users screen, and they can see the full discussion regardless of what security precautions are built into the app you are using.

End-to-end encryption is a marketing device used by companies such as Facebook to lull consumers wary about cyber-surveillance into a false sense of security.Encryption is, of course, necessary, but it's not a fail-safeway to secure communication.

The tug of war between tech firms touting end-to-end encryption as a way to avoid government snooping and state agencies protesting its use is a smokescreen. Government and private hackers are working feverishly on new methods to deploy malware with operating system-wide privileges. Companies such as NSO are at the forefront of this important work, which can help catch terrorists and prevent attacks or imprison dissidents and disrupt revolutions against dictatorial regimes.

The WhatsApp episode is likely to increase the backlash against NSO and the export license it has from the Israeli government to sell Pegasus. But if this particular firm stops developing the malware, others will take its place.

The hard truth for activists and journalists in need of secure messaging is that the more tech-savvy they are, the safer they can make their digital communications. One can, for example, encrypt messages on a non-networked device before sending them out through ones phone. But even that wouldnt guarantee complete security since responses could be screen-captured.

Truly secure communication is really only possible in the analog world and then all the old-school spycraft applies.

(Updated to clarify uses of end-to-end encryption in eighth paragraph.)

To contact the author of this story: Leonid Bershidsky at lbershidsky@bloomberg.net

To contact the editor responsible for this story: Edward Evans at eevans3@bloomberg.net

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Leonid Bershidsky is Bloomberg Opinion's Europe columnist. He was the founding editor of the Russian business daily Vedomosti and founded the opinion website Slon.ru.

For more articles like this, please visit us at bloomberg.com/opinion

2019 Bloomberg L.P.

View original post here:
WhatsApps End-to-End Encryption Is a Gimmick