As news outlets report on yet another vulnerability impacting a popular application – in this case WhatsApp – it’s time that we ask ourselves: ‘With all the different methods we use to communicate for work, with friends and with family, which messaging apps can we really trust?’ Campbell Murray offers his views.
WhatsApp recently patched a flaw detailed in CVE-2019-3568 where a buffer overflow vulnerability “allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number.” Basically, an exploit of this vulnerability could allow a malicious actor to call a random WhatsApp number and plant spyware on the target’s phone.
Any app that works under the premise of accepting and acting on data from unknown and untrusted sources is a risk to end users.
One way in which consumers and enterprises can help guard against these types of attacks is by having a closed ‘circle of trust’. This is something that BlackBerry’s end-to-end encrypted messaging platform provides. With BBM Enterprise, individuals and IT administrators control who they communicate with, as an invite must be accepted before a message or call is sent or received. Enterprises can also require that all new contacts provide up-front manual proof of identity before any communication can occur.
Additionally, because BlackBerry doesn’t monetise data, BBM Enterprise will not ask for a phone number or suggest contacts to users, nor does it seek to know where users are messaging from or what’s being shared. It’s private and secure, it meets regulatory standards, and end users have total control over their data and who they communicate with.
What this means for Enterprises
Businesses should ensure employees are sharing sensitive data securely through the correct channels, and have controls in place to protect against malicious actors gaining access to that data via vulnerable applications.
As the digitisation of the workforce has gained pace, we’ve seen a rapid increase in the use of consumer applications in enterprise and public sector environments. Just last year, NHS England relaxed rules around the use of messaging apps, allowing doctors and clinicians to share personally identifiable information over WhatsApp and other consumer-grade tools.
As citizens, we should expect that the security of our private healthcare and financial information is held to a higher standard.
The benefits of being increasingly connected are vast. The possibilities range from connected devices making our homes more comfortable through to contactless payments for quick on-the-go financial transactions or even smarter, data-driven healthcare devices delivering more personalised levels of care.
However, without trust, the promise of the IoT will not be realised.
Building trust on three pillars
We’ve long recognised that trust is built on three pillars: security, privacy and control. This is why we build them into everything we do, whether enabling organisations to embed secure communications capabilities into apps or providing individuals with end-to-end encrypted messaging capabilities.
Unfortunately, exploits like the WhatsApp episode will happen again, which is precisely why enterprises and consumers need to ask themselves key questions: ‘How much is my privacy worth?’ ‘Am I doing everything I can to protect it?’ ‘Are the companies that collect and store my information doing everything they can to protect it?’
Campbell Murray is Global Head of Cyber Security Delivery at BlackBerry