One of the sometimes overlooked aspects of Facebook's success is its remarkable string of acquisitions and mergers. Picking up companies like Gowalla, Instagram and WhatsApp has strengthened Facebook's technological base while broadening its reach in mobile and messaging. The WhatsApp acquisition from early 2014, for example, gave Facebook a platform that has since grown to 700 million monthly active users and become a full-fledged replacement for SMS on many phones.
WhatsApp's cyber security history: The stakes for getting encryption right
Facebook and its properties provide interesting cyber security case studies if only because of the social network's vast scale. More than 70 percent of online adults visit Facebook at least once per month, and worldwide there are over 1.3 billion active monthly Facebook users. Given such size, cyber criminals have naturally sought to use Facebook as an enabler of phishing and social engineering campaigns, as outlined in the Trend Micro document, "5 Reasons Why Social Engineering Tricks Work."
For acquired companies like WhatsApp, becoming part of the vast Facebook ecosystem has accordingly necessitated increased attention to cyber security. In 2012 and 2013, WhatsApp made headlines not only for its rapid growth, but also for its occasionally sloppy approach to security mechanisms such as message encryption:
- In 2011, a loophole was found in WhatsApp's signup process that allowed devices to receive messages even if the initial verification text message was never replied to. There was also evidence that the iOS version of the app used port 5222, which is commonly utilized by XMPP services, rather than port 443, over which encrypted traffic often passes.
- In 2012, a test app called WhatsAppSniffer demonstrated how WhatsApp relayed messages in plaintext at the time. Anyone connected to the same Wi-Fi network as a WhatsApp user could have theoretically intercepted their transmissions and seen text messages as well as photos.
- WhatsApp scored only a 2 out of a possible 7 on the Electronic Frontier Foundation's security scorecard for messaging apps, which assessed many popular services for compliance with seven criteria. It received a check mark/pass rating for in-transit encryption and recent code audit, but an "X"/fail mark for encryption against provider inspection, identity verification for contacts, security documentation, safety in the event of an encryption key being stolen and openness to independent review.
- A security researcher and cryptographer found a possible vulnerability in WhatsApp message encryption on Android in late 2014. Essentially, the way the XOR operation was used in the encryption could be exploited to recover the plaintext components of an encrypted payload between phone and server.
- The 2015 introduction of a Web client for WhatsApp opened up new concerns about message privacy. The Web service has been touted as syncing with all conversations on the account holder's phone, but in some cases messages and photos that were deleted or restricted to certain audiences on the mobile app had not been properly updated on the Web client.
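The XOR weakness in the Android finding above is one instance of a general property of stream ciphers: ciphertext is plaintext XOR keystream, so if two messages (for example, one in each direction between phone and server) are ever encrypted under the same keystream, XORing the two ciphertexts cancels the keystream and leaves only the XOR of the two plaintexts. The following Python example is added here to illustrate that general property and its fix; it is not WhatsApp's code and does not reproduce the specific flaw the researcher reported. The key, nonces, messages and the SHAKE-256 keystream generator are all constructed for the demonstration.

```python
"""
Why XOR-based stream encryption fails when a keystream is reused.

Added illustration for this article, not WhatsApp code and not the specific
flaw reported on Android. It assumes, purely for demonstration, that the same
key and nonce (and therefore the same keystream) are applied to two different
messages, such as one phone-to-server and one server-to-phone message.
SHAKE-256 stands in for RC4 or any other stream cipher: only the XOR
structure matters here.
"""
import hashlib

# Constructed demo values (not real keys or captured traffic).
DEMO_KEY = b"constructed-demo-key-not-real!!!"
PHONE_TO_SERVER = b"Meet at the office at 10:00"
SERVER_TO_PHONE = b"Transfer the files tonight."


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream generator: SHAKE-256(key || nonce) expanded to `length` bytes.
    The same (key, nonce) pair always yields the same keystream."""
    return hashlib.shake_256(key + nonce).digest(length)


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream."""
    return xor_bytes(keystream(key, nonce, len(plaintext)), plaintext)


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return encrypt(key, nonce, ciphertext)


def plaintext_xor(c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 share a keystream k:
       c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2.
    The keystream cancels without the key ever being known."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With one plaintext known (a 'crib'), the other follows directly."""
    return xor_bytes(plaintext_xor(c1, c2), known_p1)


def keystream_reuse_suspected(c1: bytes, c2: bytes) -> bool:
    """Cheap audit check for text protocols: ASCII XOR ASCII never sets the high
    bit, while c1 XOR c2 under independent keystreams sets it in about half of
    the bytes. No high bit anywhere in a message-sized sample means the two
    ciphertexts very likely share a keystream."""
    return all(b < 0x80 for b in plaintext_xor(c1, c2))


def encrypt_pair(key, nonce1, nonce2, p1, p2):
    """Encrypt two messages under their own nonces (equal nonces model reuse)."""
    return encrypt(key, nonce1, p1), encrypt(key, nonce2, p2)


def demo_reused_keystream(key=DEMO_KEY, p1=PHONE_TO_SERVER, p2=SERVER_TO_PHONE):
    """Weak design: both directions use the same keystream. Knowing p1 gives p2."""
    c1, c2 = encrypt_pair(key, bytes(16), bytes(16), p1, p2)
    return recover_other_plaintext(c1, c2, p1)


def demo_unique_nonces(key=DEMO_KEY, p1=PHONE_TO_SERVER, p2=SERVER_TO_PHONE):
    """Corrected design: a distinct nonce per message and direction gives
    distinct keystreams, so the same trick yields only noise."""
    c1, c2 = encrypt_pair(key, bytes(15) + b"\x01", bytes(15) + b"\x02", p1, p2)
    return recover_other_plaintext(c1, c2, p1)


if __name__ == "__main__":
    print("reused keystream recovers:", demo_reused_keystream())
    print("unique nonces recover:    ", demo_unique_nonces())
```

The mitigation is the one shown in `demo_unique_nonces`: never let two messages, or the two directions of one session, share a keystream, and in practice use an authenticated cipher rather than a bare XOR stream so that tampering is detected as well. The `keystream_reuse_suspected` heuristic is the kind of quick sanity check a code reviewer or tester can run over two captured ciphertexts of a text protocol before any deeper analysis.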
Scams also make WhatsApp users vulnerable to malware and surveillance
Furthermore, around the time of the Facebook acquisition of WhatsApp during the winter of 2014, Trend Micro researchers discovered a spam campaign advertising the testing of a desktop Microsoft Windows and Apple OS X client for WhatsApp. The incident was a classic case of using current news – the acquisition made headlines for its staggering $19 billion price tag – to make a phishing effort more convincing.
A link embedded in WhatsApp messages that purportedly directed users to the desktop client actually installed a Trojan. The Trojan was designed like banking malware to look through the infected system for usernames and passwords that could then be used to hijack online accounts.
More recently, a similar scam has popped up, this one touting the introduction of long-rumored voice calling features to WhatsApp. This scheme revolves around messages to WhatsApp users asking them to test or unlock voice calling features by taking surveys and/or inviting others from their contact lists. Clicking any of the links in these messages only leads to ad-filled webpages and possibly downloads that could compromise the system.
Voice calling on WhatsApp can currently only be unlocked by receiving a call from someone who already has the feature enabled. The scams making the rounds right now are more deceptive than directly harmful, but WhatsApp users should be on the lookout for them all the same.
WhatsApp takes key steps toward shoring up security
To its credit, WhatsApp has recently worked to implement end-to-end encryption through a partnership with Open Whisper Systems. In light of how many billions of messages WhatsApp sends per day and its hundreds of millions of active users, it is safe to say that this effort would rank as one of the largest deployments of end-to-end encryption in history.
To CIOs and their teams, the ongoing cyber security challenges facing WhatsApp may seem like a problem that only affects consumers and has limited implications for enterprises. However, WhatsApp is emblematic of the types of applications that many workers now routinely use in the workplace as alternatives to email or company-approved solutions.
A 2014 Cloud Security Alliance survey found that more than 70 percent of enterprises do not know the scope of shadow IT within their organizations, even though they would like to. Shadow IT can encompass any services and applications that are used without the approval or oversight of IT. Consumer cloud services like Facebook, Twitter and YouTube ranked as the most common non-enterprise applications that employees use.
Usage of social networks and messaging apps has naturally risen alongside the growth of bring-your-own-device initiatives, especially for phones and tablets. With BYOD in place, devices with apps like WhatsApp installed are increasingly common on corporate networks, making their security vulnerabilities a pressing concern for IT and security teams.
Mobile and network security must be shored up against the threats of spam, phishing and malware infection. Using a comprehensive deep discovery platform can help enterprises sift through traffic in real time to find and isolate anomalies. At the same time, clear BYOD policies and access controls can clamp down on unauthorized use of sensitive data.