WhatsApp fixes security flaw in service used by journalists, Jared Kushner

WhatsApp, the encrypted communications service used by both human rights activists and senior adviser Jared Kushner, has repaired a flaw that allowed an Israeli firm’s spyware to infect devices with a simple phone call, even if users didn’t answer.

The vulnerability, discovered earlier this month, is likely to increase scrutiny of data security at the White House, as well as at parent company Facebook, the social media giant questioned by Congress after the exposure of information on some 87 million users to Cambridge Analytica, a consultant on President Trump’s 2016 campaign.

“We are constantly working alongside industry partners to provide the latest security enhancements,” said a company spokesperson who urged users to update their app to take advantage of the patch. WhatsApp believes a select number of its users were targeted and has briefed human rights organizations about the risk and notified law enforcement, according to a person familiar with the matter.

The White House didn’t immediately answer questions about Kushner’s use of WhatsApp, which House Oversight Committee Chairman Elijah Cummings, D-Md., said earlier this year had been confirmed by Kushner’s attorney, Abbe Lowell. The lawyer couldn’t say whether Kushner’s communications included classified information but said some of them involved people outside the U.S., Cummings wrote in a March 22 letter to White House counsel Pat Cipollone.

Trump told reporters afterward he knew nothing about Kushner, who is married to his daughter Ivanka, using encrypted apps to communicate with foreign officials.

WhatsApp analysis showed the attack bore the hallmarks of spyware from a private company contracted by governments to access digital phones, according to the person familiar with its response. The Financial Times identified the company as NSO Group, based in Herzliyah, Israel, which developed Pegasus software to penetrate mobile devices.

NSO said its technology is licensed only to government agencies fighting crime and terrorism after a “rigorous” vetting process and not deployed by the company itself. The firm has no role in selecting potential targets for its spyware or installing it, a spokesperson said.

“Intelligence and law enforcement determine how to use the technology to support their public safety missions,” the spokesperson added. “We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.”

Pegasus has nonetheless been used to target the phones of more than two dozen civilians, including a Mexican investigative journalist who exposed presidential corruption and research scientists and health advocates supporting a tax on sugary beverages, according to Citizen Lab, a group based at the University of Toronto that studies technology, security, and human rights issues. Citizen Lab didn’t immediately respond to a request for further information.

Amnesty International, which has also criticized NSO Group, is supporting legal action against the Israeli Ministry of Defense seeking to force the agency to revoke licenses that let the company sell its software outside the country.

NSO Group “sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics,” said Danna Ingleton, deputy director of the organization’s Amnesty Tech division. “As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.”
