Facebook exec and former deputy Prime Minister Nick Clegg has received criticism over comments suggesting that end-to-end encrypted messages sent via WhatsApp could not be hacked.
In an interview with the BBC, Nick Clegg said that he was “as sure as you can be” that “the technology of end-to-end encryption” “cannot be hacked into”.
Last week, The Guardian broke the news that Amazon CEO Jeff Bezos’s phone had been hacked in May 2018 when he received a malicious WhatsApp message believed to be from Saudi Arabia’s crown prince, Mohammed bin Salman. Data was extracted from Bezos’s phone, but what it contained is not known.
Nick Clegg was appointed Vice-President for Global Affairs and Communications at Facebook in 2018. WhatsApp was bought by Facebook in 2014 for $19bn.
In the interview with the Today Programme on Radio 4, Clegg said that in the case of Jeff Bezos, it “can’t have been anything when the message was sent in transit because that is end-to-end encrypted” and that “when it was opened on the phone something happened which affected the phone operating system”.
End-to-end encryption means that messages sent from one device to another cannot be read by a third party while they are in transit, because decrypting them requires a key held only by the communicating devices. It does not, however, prevent a message from carrying malicious content, and attackers can still gain unauthorised access to the device that receives and processes that message.
Clegg went on to say: “If someone sends you a malicious email, it only comes to life when you open it.” However, cybersecurity professionals have warned that devices can be infected without any action from the user.
Last year, it emerged that a WhatsApp security flaw could allow attackers to gain access to users’ data on their device simply by making a phone call through WhatsApp. The Financial Times reported that the tool had been created by Israeli technology firm NSO Group.
Derek Weeks, Vice President and DevOps Advocate at Sonatype, said that Clegg’s comments show “a lack of knowledge about both security and how modern applications are developed”:
“Nick Clegg’s assertion that Jeff Bezos could not have been hacked via WhatsApp because of its end-to-end encrypted messages shows a lack of knowledge about both security and how modern applications are developed. While end-to-end encrypted apps such as WhatsApp may profess to offer “security by default,” apps are only as secure as the software they’re built on.”
He said that it is important for organisations to recognise that “end-to-end encryption alone is not enough”:
“Without proper software hygiene, companies risk building known vulnerabilities into their applications, which hackers are quickly able to exploit – as WhatsApp found out in 2019 with the “double-free” vulnerability. This incident demonstrated why “end-to-end encryption,” and traditional security measures, don’t automatically equate to secure by default. Until WhatsApp starts recognising that end-to-end encryption alone is not enough – and that true application security requires multiple layers of application security practices – it leaves consumers vulnerable to cyber-attacks.”
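As an added illustration of the point made above (encryption protects the message in transit, but the bug the quote names, a double free, lives in the code that processes the message after decryption), here is a hypothetical C attachment handler, written for this article and not WhatsApp’s code, showing the idempotent-release pattern that prevents that bug class; the attachment_t type, its functions and the size limit are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical attachment record, constructed for this example. */
typedef struct {
    unsigned char *data;
    size_t len;
} attachment_t;

/* Buggy pattern (described, not compiled): the error path calls
 * free(a->data) but leaves the pointer set, and the caller's generic
 * cleanup frees the same pointer again: a double free. */
/* Releases the buffer and clears the pointer. Because free(NULL) is a
 * no-op, calling this twice (error path plus caller cleanup) is harmless. */
void attachment_release(attachment_t *a) {
    free(a->data);
    a->data = NULL;
    a->len = 0;
}

/* Hardened handler: rejects oversized or empty attachments before any
 * parsing and releases the buffer through the idempotent helper.
 * Returns 0 on success, -1 when the attachment was rejected. */
int handle_attachment(attachment_t *a, size_t max_len) {
    if (a->data == NULL || a->len > max_len) {
        attachment_release(a);
        return -1;
    }
    /* ... parse the already decrypted attachment here ... */
    return 0;
}

/* Builds a constructed n-byte attachment for demonstration. */
attachment_t make_attachment(size_t n) {
    attachment_t a;
    a.data = malloc(n ? n : 1);
    a.len = a.data ? n : 0;
    if (a.data) memset(a.data, 0x41, n);
    return a;
}

int main(void) {
    attachment_t big = make_attachment(4096);
    int rc = handle_attachment(&big, 1024);   /* rejected: rc == -1 */
    attachment_release(&big);                 /* caller cleanup: safe */
    printf("rc=%d data=%p\n", rc, (void *)big.data);
    return 0;
}
```

Building the buggy variant with AddressSanitizer (`-fsanitize=address`) reports the second free as a double-free at runtime, which is how such defects are usually caught before release.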