Are you switching to Signal?

For some years now almost the entire world has been using WhatsApp thanks to it being the leading secure messaging platform. However, that is all changing because its owner, Facebook, has been slow to introduce multi-device access.

Zak Doffman comments that this has been made worse by “the fast-moving convergence of messaging and calls—and with WhatsApp calls still tied to a phone, rather than an easier-to-use large screen device, it’s becoming a major stumbling block.”

Facebook tried to rectify this by launching the cross-platform Messenger Rooms, but these don’t offer end-to-end encryption. So, as Doffman says, it isn’t an ideal way to communicate if your information is sensitive or confidential.

Admittedly, WhatsApp does do a good job of securing voice and video calls from its iPhone and Android apps, and you can now have up to eight people on a call. It also has a desktop app in the pipeline, but it’s all a bit too late.

The super secure Signal platform is beating WhatsApp. It has already started beta testing one-to-one video and voice calls from its desktop app. Group calls are not available yet, but they won’t be far away, as Signal’s recent announcement would seem to indicate: “We think that calls need to zoom out of the past and into the future, and your feedback will help us get there.” Obviously this was aimed at Zoom, which dominated work and personal conversations during lockdown.

“This release is one of the first steps towards our goal of enabling secure voice and video calls that are available on all of your devices,” Signal says, adding, “in addition to being end-to-end encrypted and free for everyone to use.”

However, Doffman points out that Signal isn’t really that concerned about Zoom; it is WhatsApp that is the real target. And it is picking up traction with those who don’t really trust Facebook for messaging. The only downsides of Signal at the moment are, first, that the number of users is relatively small and, second, that there are no backups yet, so if you lose your device, you lose your messages.

The recent protests in the USA and Hong Kong have highlighted the need for more secure messaging for anyone concerned about interception, metadata or tracking. What’s more, Signal is chasing WhatsApp’s users and is ahead of the game. If WhatsApp wants to retain its No.1 position, it needs to implement end-to-end encrypted backups and linked devices. Not used Signal yet? Why not install it on your phone and try it now?

What’s up with WhatsApp?


You may have seen the numerous press articles this week advising you to update your WhatsApp. The advice came from WhatsApp, which has 1.5 billion users and is owned by Facebook.

The reason for asking people to update the app on their smartphones was the discovery that hackers had been able to remotely install surveillance software on phones via a “major vulnerability” in the app. According to the BBC, WhatsApp said the attack targeted a “select number” of users and was orchestrated by “an advanced cyber-actor”.

Facebook discovered the flaw in the technology earlier this month. It threatened to break WhatsApp’s promise to its users of being a “secure” communications app with messages that are end-to-end encrypted. This means they should only be displayed in a legible form on the sender’s or recipient’s device. However, the surveillance software would have let an attacker read the messages on the target’s device.

The WhatsApp team found a fix for the problem last Friday, after which people could download the new app without the ‘bug’, although some users appeared to be disgruntled that Facebook hadn’t published any notes about the fix itself.

It is likely that those whose phones may have been targeted by the hackers are “Journalists, lawyers, activists and human rights defenders,” Ahmed Zidan of the Committee to Protect Journalists told the BBC.

How did hackers use the security flaw?

One thing they did was use WhatsApp’s voice call function to ring a target’s phone. Even if the target didn’t answer the call, the surveillance software was installed on their phone. Furthermore, the call was removed from the call log, so the person who didn’t answer it wouldn’t even see that they had missed a call from an unknown number.

Facebook and WhatsApp told the press on Monday: “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.”

It also issued a briefing to security specialists stating, “A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.”

The attack was old-fashioned

As Professor Alan Woodward pointed out, this is a “pretty old-fashioned” method of attack. He explained what happened: “A buffer overflow is where a program runs into memory it should not have access to. It overflows the memory it should have and hence has access to memory in which malicious code can potentially be run. If you are able to pass some code through the app, you can run your own code in that area. In VOIP there is an initial process that dials up and establishes the call, and the flaw was in that bit. Consequently you did not need to answer the call for the attack to work.”
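The class of flaw described above, shown as an added example that is not from the original article and is not WhatsApp's code: a parser that trusts a sender-supplied length field, beside a version that validates it. The record layout, the function names and the 64-byte limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_MAX 64  /* size of the fixed destination buffer (assumed) */

/* Hypothetical record layout, constructed for illustration (not SRTCP):
 * bytes 0-1 = declared payload length, big endian; payload follows. */
struct call_record {
    uint8_t payload[PAYLOAD_MAX];
    size_t  payload_len;
};

/* BEFORE: trusts the length field. If declared > PAYLOAD_MAX, memcpy
 * writes past payload[] into adjacent memory: the buffer overflow. */
void parse_unchecked(const uint8_t *pkt, struct call_record *out)
{
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(out->payload, pkt + 2, declared);   /* no bounds check */
    out->payload_len = declared;
}

/* AFTER: check the claim against what arrived and what the buffer holds. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, struct call_record *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return -1;                  /* too short to contain the header */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - 2)
        return -2;                  /* claims more bytes than were received */
    if (declared > sizeof out->payload)
        return -3;                  /* would overflow the destination */
    memcpy(out->payload, pkt + 2, declared);
    out->payload_len = declared;
    return 0;
}

/* Builds a constructed sample packet and returns parse_checked()'s verdict. */
int check_sample(uint16_t declared, size_t arrived)
{
    uint8_t pkt[2 + 512] = { (uint8_t)(declared >> 8), (uint8_t)(declared & 0xff) };
    struct call_record rec;
    if (arrived > 512) arrived = 512;
    return parse_checked(pkt, 2 + arrived, &rec);
}
```

Because the check runs while the record is being parsed, an oversized record is rejected before any copy takes place, which is the step that was missing in a flaw that worked without the call being answered.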

We don’t know how many people were targeted in this attack, and there are some questions that remain to be answered about whether updating the app on your phone effectively removes the spyware in its entirety. Furthermore, WhatsApp has not said whether the attack could extend beyond WhatsApp and reach other personal data on the phone.

But, even if you are not a journalist, a lawyer or a human rights activist, download the new version of the app, because as always it is better to be safe than sorry.