WhatsApp Vulnerability: What you need to do
WhatsApp has confirmed that a vulnerability in its app could allow hackers to take control of victims' phones just by sending an unanswered voice call.
Dozens of WhatsApp users including human rights organisations and a UK-based lawyer may have been targeted in the attack.
The attack was only used against "a select number of users" according to WhatsApp, but it could be adopted more widely unless people update their version of the app.
What do you need to do?
Although it is extremely unlikely that you have been targeted by these hackers, you should update your version of WhatsApp.
On an Android device, you can do this by visiting the Play Store app. Tap menu, then go to the "my apps & games" section. If you're not already on the most recent version of WhatsApp, you can tap update.
On an iPhone, you can do this by visiting the App Store. Search for WhatsApp. Again, if you're not already using the most recent version you can tap update.
How can you safeguard against it?
The attack is being considered extraordinary by cyber security professionals.
This is not just because it targeted lawyers, who are not usually national security targets and whose communications with those targets - at least in many common law countries - are privileged.
It has caught their attention because there was no way to safeguard against it - not even by training users to spot the dodgy message.
Often cyber attacks require some kind of user input to succeed, whether the user clicks "allow" or "yes" on a pop-up, or follows a link, or downloads and executes a malicious file in a phishing email under the impression that it is innocent.
However, the WhatsApp attack was what is known as a "no-click" attack, meaning no user input was needed at all - the hackers could just send the voice call and, even if it was not answered, gain access to the target's phone.
The only protection is to update the version of WhatsApp.
Is this related to the forwarding limit?
WhatsApp introduced a forwarding limit this year to tackle the spread of fake news.
The current bug has nothing to do with these changes and was caused by a "buffer overflow" vulnerability in the Secure Real-time Transport Protocol (SRTP) used by WhatsApp - essentially a mistake in the way the program handled computer memory.
It is not known exactly how the exploit worked, but it is believed that malicious code may have been included in the details which are sent to a receiver's phone when a user makes a WhatsApp call, such as the caller's name and number.
Who did this?
WhatsApp stated that "a select number of users" were targeted by an "advanced cyber actor", which the Financial Times has identified as the Israeli technology company NSO Group.
NSO Group claims its technology, known as Pegasus, is only used by intelligence and law enforcement agencies.
Critics of the firm, including human rights organisations, have claimed that many of the state agencies it works with are repressive and often target their lawyers and activists.
How did it happen?
Organisations involved in the production of hacking tools - known as "dual-use technologies" because they can have both civilian and military uses - often hire security researchers to identify vulnerabilities in popular software and develop tools to exploit them.
Last November, UK intelligence agency GCHQ revealed its process for identifying these vulnerabilities and figuring out whether to inform the company that produces the software to get them fixed or whether to exploit them to hack the computers of national security targets.
The export of these technologies is heavily regulated and Amnesty International is currently taking the Israeli ministry of defence to court to challenge the NSO Group's export licenses.
How do you know if this attack has affected your phone?
There is currently no way to tell if this has affected your phone. However, the attack is expensive and it is unlikely - at the moment - to be carried out by commodity criminals.
According to Citizen Lab, software believed to have been developed by NSO Group has been used to target and persecute political dissidents, human rights defenders, opposition politicians and journalists in 45 countries.