A report by the Financial Times released this week signalled that an exploit dealer had successfully found and was actively selling a nasty remotely executable WhatsApp bug. This exploit code, in conjunction with nation-state-level malware, would lead to a full remote device compromise: providing access to messages (even encrypted ones, via keylogging), pictures, location and more. Unfortunately, while this same company supposedly "only sells to law-enforcement or intelligence agencies", it is not hard to extrapolate and imagine this exploit code being sold to anyone with a resourceful network. Rumours persist that this malware has been found targeting journalists and human rights activists. Copperhead is a company that specialises in protecting our users from these very threats, no matter their employment or network, and thus we must remain vigilant in staying ahead of the exploit industry. Though we have industry insight regarding the latest mobile threats, other organisations may not, and that's precisely why we must be careful what information we consume and share.
News reports released this week revolving around the WhatsApp bug unfortunately signalled that end-to-end encryption is largely pointless. The report was eventually modified, and though we understand journalists are on a tight timeline, it's important for all of us to band together and help correct the spread of misinformation. Signalling to NGOs, activist groups, journalists or potentially low-resourced organisations without active technologists that end-to-end encryption is pointless, or that a product funded by a government is compromised, only harms their operational security. If we're telling organisations to "Use Tor and Use Signal", we can't contradict ourselves when a new vulnerability or new information comes about - and they WILL come out. The zero-day industry is ever growing and it's hard to match their levels of resourcing on the defending side. We must protect ourselves and each other by ensuring we amplify only accurate information.
WhatsApp is used by upwards of 1.5 billion people every day. This is a staggering number considering how far-reaching the effect of this exploit could be on people's everyday lives. When 1.5B people are using an application that has certain parts of the code hidden from public view, they are potentially putting themselves at risk. Experts agree: if your organisation is possibly dealing with high-resourced attackers, use open-source tools that are routinely audited.