The WhatsApp hack is not the first, and will not be the last time that supposedly “invulnerable” encrypted systems prove to be anything but.
In all such cases it’s useful to remember the showdown between Apple and the FBI after Syed Rizwan Farook launched a terror attack in California in 2015 with Tashfeen Malik, killing 14. The Feds wanted data on his iPhone but couldn’t crack the security to get in. Apple wouldn’t help. A bust up ensued. But just as quickly it went away. Suddenly, the Feds didn’t need Apple. They’d found their own way in.
Or, at least, someone else had found a way in and was prepared to sell it to them (for $900,000). And that company was Cellebrite, an Israeli cyber arms firm, and one of the extraordinary cluster of digital security startups emerging from the Israeli military, the IDF.
You don’t hear about bust-ups between the US Federal government and Apple anymore. That’s because Cellebrite can reportedly hack its way in more or less any phone, including the latest models like the iPhone X, and is quite happy to do so for a fee. At the end of 2017, it did just that in the case of a suspected arms dealer detained by the FBI.
NSO - the group believed to be behind the WhatsApp hack - has form too, and like Cellebrite, is Israeli-based (though American and British owned). In 2016 it was revealed to be behind incredibly sophisticated spyware which could install itself on any iPhone, merely through a tap on the screen.
Now it has gone one better, getting past WhatsApp’s famed security simply by placing a call to a device - and one that didn’t even have to be answered.
The remarkable thing is not that such capability exists. Rather, the remarkable thing is that any of us should be surprised. Israeli military hackers, after all, were a key part of the Stuxnet cyber attack that derailed Iran’s nuclear programme. Getting into supposedly hyper-secure systems is their job.
For many years, government intelligence agencies worldwide have complained that the modern encryption techniques routinely available in apps and smartphones represents a major national security threat.
In 2017 the technical director of the National Cyber Security Centre, Ian Levy, and technical director for cryptanalysis at GCHQ, Crispin Robinson, went so far as to propose a backdoor for the government to listen in on chats and message conversations otherwise protected by “end-to-end” encryption, such as those on WhatsApp.
And no doubt such systems do pose real difficulties. But reinforcing the "impossible to crack" narrative may also help keep suspects complacent - tapping out messages they think no one else can see.
What today’s revelations make clear is that there are always workarounds. Nothing is truly secure, because human design teams are not utterly infallible. What endures is, as always, the cat and mouse race to craft an advantage - and exploit it.