The WhatsApp hack teaches us an important security lesson

You’ve probably heard about the WhatsApp hack by now, and hopefully you’ve updated your app. But the consequences of this vulnerability are wider-reaching than the security of your personal mobile…

What was the hack?

Hackers exploited a zero-day vulnerability in the most widely used messaging app in the world that allowed them to crack a user’s WhatsApp simply by calling them – regardless of whether the user answered.

After placing the call, cybercriminals were able to install spyware that gave them access to calls and texts, and control of the device’s camera and microphone. And because users didn’t need to answer the call to fall victim, it was unstoppable. Scary stuff.

Have I been affected?

If you haven’t received any WhatsApp calls, answered or unanswered, it’s very unlikely you’ll have been affected.

If you’ve received a WhatsApp call, particularly from an unknown number, there’s a chance you’ve been targeted.

How can I prevent myself from being hacked?

Update your WhatsApp app immediately. Facebook, the owner of the app, has confirmed that only the latest version of WhatsApp is safe to use in the wake of this hack.

You can do this by going into the App Store (Apple) or Google Play Store (Android) and checking your updates section. WhatsApp will show as a required update, and you can install the latest, safe version from there. Alternatively, you can search for WhatsApp in the app store and install it from there. If you don’t see a prompt to install the latest version, you already have it and you’re safe!

What can we learn from the WhatsApp hack?

This was a zero-day attack, meaning it exploited a flaw previously unknown to the app or software developers, and it highlights the critical importance of keeping apps, software and even hardware up-to-date.

Continually updating apps on your phone is seen as cumbersome by some, particularly with developers releasing new versions every few days. But the reason they do that is to close holes in the software before hackers can find them and exploit new vulnerabilities.

What can I do to keep my business safe?

When taken into a business context, updates and patching should be at the top of your agenda.

We saw the devastating effects of ignoring this advice in May 2017, when WannaCry hit flagship organisations across the world, including the NHS. The finger initially pointed at Windows XP, which the NHS and other affected businesses were running, but the true cause was that a critical Windows security patch hadn’t been installed. Windows XP was out of mainstream support, but Microsoft made the exception of creating a security patch for the operating system to specifically guard against this vulnerability.

A number of operating systems and hardware products will be retired in less than a year, meaning they’ll also no longer receive critical security updates from Microsoft. Windows 7 will reach end-of-life on January 14th 2020, leaving it in the same position as Windows XP. Startlingly, 17% of businesses using the ageing operating system aren’t even aware of its impending end-of-life. Given the flaw in Windows XP that was exposed by the WannaCry attackers, your business can’t afford to continue using an unsupported operating system.

Windows Server 2008 and 2008 R2 will also reach their end of life, and with it the end of support, on January 14th 2020. This has bigger implications, as businesses operating on these systems will require a wider hardware refresh and should take action as soon as possible. Additionally, leaving a server vulnerable could have wider-reaching consequences if it is hit by a cyberattack, as it supports key applications and your network. If you have support with TSG, we’ll help you manage this transition and ensure you’re operating on modern, safe infrastructure.

This can all seem a bit overwhelming. That’s why we’ll be hosting a webinar on everything you need to know about these impending end-of-life dates. Watch this space!

Do I really need to do all of this?

In short, yes.

We’ve blogged a number of times on the importance of keeping software, hardware, operating systems and mobile apps updated, and the message is just as vital now. Without important security patches and updates, cybercriminals can exploit vulnerabilities in a number of ways, from installing spyware to infecting machines and even entire business networks with malware such as ransomware.

It’s ultimately your own responsibility to keep your smartphone apps up-to-date to keep the hackers out, but it can be more difficult to manage in a business context. Microsoft security patches are released once a month and should always be applied immediately.

A recent survey from Sophos, TSG’s IT security partner, has indicated that many businesses are struggling to manage all aspects of IT. If your internal IT team is small or stretched to capacity, a managed IT services partner like TSG can step in to help. With managed security services, we can take care of your IT infrastructure and application environment by deploying critical patches, using innovative security tools to protect your business and monitoring any attempted attacks.

The WhatsApp vulnerability should be seen as a warning. This is what hackers can do to you if you don’t keep your software up-to-date. But it’s not just your personal or work mobile phone that can be infiltrated; if your business is running on outdated solutions, it’s just as vulnerable.