WhatsApp, Mobile E-Banking & Co. – How to play it safe

The security breach at WhatsApp caused turmoil, and not just among experts, but also for private individuals. This means that cyber security is no longer just an issue for companies, but for all of us. Our cyber security experts will explain to you how the WhatsApp hackers went about it and how you can make your smartphone secure!

Last week, it became public that WhatsApp, the instant messaging service, had been hit by a serious security vulnerability (see also our Chief Consulting Officer, Franco Cerminara, being interviewed for the Tele1 News). The flaw allowed attackers to execute code on the user's smartphone without any action by the user. The attacker only had to call the victim; it couldn't be simpler. The attack exploits a buffer overflow in the part of WhatsApp's VoIP stack that handles SRTCP (Secure Real-time Transport Control Protocol, the control channel that accompanies SRTP media streams). A specially crafted series of SRTCP packets sent to the target's phone number was enough to deliver malicious code, without the call even being answered. WhatsApp's operator, Facebook, has issued an advisory and instructed users to update the app immediately.

The people pulling the strings behind the WhatsApp breach

The exploit for this vulnerability (CVE-2019-3568) is highly sophisticated. It is presumed to have been developed by the Israeli company NSO Group to enable its customers to install the Pegasus surveillance software on target devices. NSO states that it licenses its products only to governments and does not select attack targets itself; its software is used, for example, to monitor suspects from the world of terrorism or organised crime. The attacks were uncovered with the help of Citizen Lab, a Canadian research organisation that campaigns for civil rights. As Citizen Lab has revealed, various human rights activists and organisations (including Amnesty International) have evidently been targets of these attacks.

Cyber security for smartphones? We have 6 tips to help you

After the vulnerability became public knowledge, Facebook immediately released a security patch for Android (version 2.19.134) and iOS (version 2.19.51); any older version is affected. Check with your co-workers to see whether the latest version of WhatsApp has been installed. If not, you need to update the devices urgently. Given how widespread WhatsApp is, not just in private life, the vulnerability must be rated as critical.
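A small script for checking a fleet of devices against the patched versions named above, as an added example that is not part of the original article and not InfoGuard's own tooling. It reads the `versionName=` line that `adb shell dumpsys package com.whatsapp` prints on Android, compares the version numerically (string comparison would wrongly rank 2.19.51 above 2.19.134), and reports per device. The sample `dumpsys` output and the device table are constructed for the example; the iOS version is assumed to be collected by other means (for instance from an MDM inventory).

```python
import re

# Patched versions from the advisory quoted in the text (CVE-2019-3568).
# Anything numerically lower than these tuples is affected.
PATCHED = {
    "android": (2, 19, 134),
    "ios": (2, 19, 51),
}

# Matches the versionName line of `adb shell dumpsys package com.whatsapp`.
VERSION_RE = re.compile(r"^\s*versionName=(\S+)", re.MULTILINE)


def parse_version(text):
    """Turn '2.19.134' into the tuple (2, 19, 134).

    Tuples compare element by element, so (2, 19, 51) < (2, 19, 134) holds,
    whereas the strings '2.19.51' and '2.19.134' would compare the wrong way.
    A shorter version such as (2, 19) compares lower than (2, 19, 134), which
    is the conservative (treat as affected) outcome.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform, version):
    """True if `version` on `platform` is older than the patched release."""
    key = platform.lower()
    if key not in PATCHED:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < PATCHED[key]


def version_from_dumpsys(output):
    """Extract versionName from dumpsys output; None if the package is absent."""
    match = VERSION_RE.search(output)
    return match.group(1) if match else None


# Constructed sample resembling dumpsys output (not captured from a real device).
SAMPLE_DUMPSYS = """Packages:
  Package [com.whatsapp] (3f2a1b):
    userId=10123
    versionCode=451903 minSdk=15 targetSdk=28
    versionName=2.19.98
    timeStamp=2019-05-02 09:14:11
"""


def audit_devices(reports):
    """reports: {device_id: (platform, version or None)} -> list of (id, status)."""
    results = []
    for device, (platform, version) in reports.items():
        if version is None:
            results.append((device, "whatsapp-not-installed"))
        elif is_vulnerable(platform, version):
            results.append((device, f"VULNERABLE ({version} older than patch)"))
        else:
            results.append((device, "ok"))
    return results


if __name__ == "__main__":
    # Constructed inventory: one Android device parsed from dumpsys output,
    # one iOS version taken from an assumed MDM export, one device without WhatsApp.
    inventory = {
        "android-pixel-01": ("android", version_from_dumpsys(SAMPLE_DUMPSYS)),
        "ios-iphone-07": ("ios", "2.19.51"),
        "android-tablet-03": ("android", None),
    }
    for device, status in audit_devices(inventory):
        print(f"{device:20} {status}")
```

Run it against real output by piping `adb shell dumpsys package com.whatsapp` into `version_from_dumpsys`; a device that reports a version older than the patch should be updated before anything else.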

Irrespective of the current WhatsApp hack, the secure use of mobile devices by employees is difficult for companies to control. An important factor is that the line between personal and business use is becoming more and more blurred. What many people don't realise is that, for attackers, smartphones are ideal devices for spying on people: they are in reality high-performance computers, equipped with a range of sensors (camera, microphone, accelerometer, GPS localisation, etc.), and they can connect to the Internet almost anywhere. The renowned cyber security expert Bruce Schneier made the same point at the InfoGuard talk last year.

This means that it is important for your employees to learn how to use smartphones securely. That way they protect not only their own privacy and security, but also the company's. What needs to be taken into account when handling smartphones and similar devices securely? We have put together the 6 most important tips for you:

  1. Regular updates: Make sure that your own and your employees' mobile devices are regularly updated to the latest software (OTA or over-the-air updates). "Automatic updates" should also be enabled on your mobile devices.

  2. Protect access: On the one hand, mobile devices should be protected with a password, a fingerprint or a PIN code. On the other hand, on newer devices you should also activate the integrated data encryption. You can check this in the settings and change it where necessary. This means that the data cannot simply be read if the device is lost or stolen.

  3. Secure use of apps: Installing apps represents the greatest security risk. Particular care should be taken with Android devices. Google allows you to install apps that do not originate from the official Google Play Store and have therefore not been checked, which enables dangerous third-party apps to be installed. Hence the function "Install unknown apps" (or "Unknown sources", depending on the Android version) should be deactivated on Android phones.
    But you should also be careful with apps from the official stores: even there, malicious programs are sometimes discovered only belatedly. Common sense plays a central role here. Always check the rating of the app you want to install and read the comments. This allows you to assess more accurately whether the app is trustworthy.

  4. Controlling app permissions: Whenever an app wants to access smartphone functions (camera, microphone, location, contacts, storage), the user must approve this, either at installation or, on current Android and iOS versions, when the app first requests the function. You can check and adjust these permissions in your settings at any time. For example, if you are worried that an application has access to your personal files or the microphone, revoke the permission. As a rule, the app will continue to work as usual and will ask again as soon as the permission is actually needed.

  5. Secure use of the Internet and e-mail: Basically, a smartphone is nothing more than a mini-computer, and as with conventional computers, most dangers lurk on the Internet, so surfing the web on a smartphone carries the same risks. Also, be careful when opening e-mail attachments and don't be taken in by phishing e-mails. You can find tips for protecting yourself against phishing in our free phishing poster.

  6. Secure charging: Using suitable equipment, law enforcement authorities can read data from a smartphone while it is charging. So can criminals! This is why great care must be taken when using public charging stations: you don't know whether the USB socket in the wall really just supplies power, or whether there is a readout device behind it. That is why we advise you to use only your own genuine charger, or otherwise to insert what is known as a "USB condom" (a power-only adapter with the data lines disconnected) between your mobile device and the USB port. This prevents inadvertent data exchange.

The magic word in cyber security is security awareness

As you can see, danger lurks everywhere, and an employee's private mobile device can quickly become a security risk for your company. Of course, employees don't deliberately fall victim to cyber attacks; they often simply do not know the right way to behave. Change this and raise your employees' security awareness.

InfoGuard can offer you security awareness training courses that, among other things, teach you how to use smartphones securely. Be it workshops, e-learning courses, live hacking or internal awareness communication, our experts will help you and all your employees to make your company a more secure place!


About the author: Stefan Rothenbühler, Principal Incident Responder, InfoGuard AG
