 |
| Image from Unsplash |
Last Monday, Dutch broadcaster NOS ran the headline: ‘Russia hacks WhatsApp and Signal of government employees, intelligence services say.’ Let me explain why I label this as ‘devaluation.’
First, a
reassurance: neither WhatsApp nor Signal has been hacked. At least, not if you
use the common meaning of hacking: gaining unauthorized access to a computer
system (not a formal definition, but the way I see it). In this case, the
computer system would be the service as provided by WhatsApp and Signal. Your
individual account is not the target.
Let’s
pretend for a moment that these chat services really were hacked. That would
mean a hacker had broken into their servers and done all sorts of things that
many people would not appreciate; all
– or at least many – customers would have been affected because their data had been
compromised.
But
that’s not what happened here at all. The actor (a polite term for perpetrator)
targeted individual accounts of specific types of officials. These people
received a message that appeared to come from Signal’s chatbot; it looked like
an official warning from the service provider about suspicious activity. It
also claimed that data might have leaked and that attempts had been detected to
access private information. You could prevent this, the message said, by
completing the verification process.
So what
is actually happening? The actor wants to log in to your Signal account. The
app then asks for a code, which is sent by SMS to the phone number Signal
knows: yours. The actor needs that code, and your self‑chosen PIN, to log in. Hence
the message they send you. The idea is to make you panic so that you quickly complete
the ‘verification process’, which really is a trap. If you fall for it, the
actor can take over your entire account and even change the linked phone number
to their own. They now have access to your contacts and can read new chat
messages (both one‑to‑one and in groups). They can even send messages as you.
You lose access to your account, but you can create a new one and get your chat
history back – because it is stored on your device.
Great, no problem, nice that they helped me so well, you might think.
In
another variant, they have you scan a QR code or click a link. They make you
believe you are being added to a WhatsApp or Signal group chat, but in reality
the attacker’s device becomes linked to your account. The actor can now see all
your chats, often including chat history. You notice nothing. In this attack as
well, they can read new messages and send messages on your behalf.
Now,
back to the term hacking and why I think it is being devalued. From the 1960s
onward, a hack was a clever technical trick in the (American) computer and
model railway club world, and a hacker was an exceptionally smart programmer.
In the 1980s, the term was used for people who conducted in‑depth research into
computer systems and networks. If they bypassed security, it was out of
curiosity and in order to test things. There were also crackers, their
malicious counterparts. From the 1990s onward, the distinction faded and
hackers came to be seen as criminals in general. See my personal definition
above.
The NOS
headline suggests that WhatsApp and Signal have been hacked, while the cyber
advisory from Dutch intelligence services explicitly emphasizes that this
is not the case. Apparently, NOS was reprimanded, or the editorial team
corrected the intern, because later that day the headline changed to:
‘Intelligence services: Russian hackers access WhatsApp and Signal accounts of
civil servants.’ And the article gained a paragraph titled: ‘No breach in the
messaging service itself.’ In the original version, ‘hacking’ seemed to refer
to pretty much all computer‑related trouble coming from the outside. As
described above, the term was already significantly devalued, but this was simply
misleading.
What
actually happened here is called social engineering. In this technique, it is
not the computer but the human behind the computer that is attacked. If they
succeed in getting you to share a code or scan a QR code, their mission is
accomplished. Social engineering is also known as hacking the human – which, ironically, is accurate.
And in the big bad world…
- Trolls
are influencing our elections.
[DUTCH]
- Pro‑Iranian hackers have attacked the medical technology company Stryker.
- Many video doorbells store their recordings for too long. [DUTCH]
- European digital sovereignty is no longer just talk.
- IoT devices are not supposed to log in as admin.
- Cybercriminals also make use of AI – just like their adversaries.
- The automotive sector is the next victim of ransomware gangs.
- A U.S. government employee took data on a USB stick to his new job.
No comments:
Post a Comment