Here is the simple, sad truth: if the Zimbabwean government, or any other government for that matter, wants to hack into your WhatsApp, they can probably do so at the literal click of a button. There are steps that you can take to make this difficult for them (state actors), but using a foreign number to register/verify your WhatsApp, as suggested by Jonathan Moyo, is not going to stop them. Below we will examine some of the ways that the government can use to break into your WhatsApp.
We are law-abiding citizens. We strongly urge our readers to always abide by the law of the place they live in. Nothing in the foregoing should be taken to mean that we want you to break the law. We are just going to point out ways you can use to protect your privacy.
Proven ways to break into WhatsApp
There are several ways that a WhatsApp account can be “hacked”. Here are some of them:
- Intercepting communications at the ISP (possible but extremely hard)
- Joining your secret group
- SIM replacement or SMS/call hijacking
- WhatsApp Web
- NSO kit
- Zero-day attacks: NSO uses these, but there are other unknown groups that might be using the same or other undiscovered zero-days
This is by no means an exhaustive list but let us examine each method in turn.
Intercepting your WhatsApp messages at the ISP level
Governments have leverage over the ISPs that operate within their borders, and rightly so. Last year the government was able to force ISPs such as ZOL, NetOne, Econet, Telecel and TelOne to shut down the internet during the so-called January protests. It is, therefore, safe to assume that they can order your ISP to intercept your WhatsApp messages.
This is not easy to do. WhatsApp now uses secure protocols to communicate, and yes, they do use a technology known as end-to-end encryption. This simply means that the messages are encrypted (scrambled) on both ends. In theory, this should make your messages near impossible to intercept. In reality, it all depends on how WhatsApp actually implements these protocols. All the government needs to successfully pretend to be WhatsApp is access to a compromised certification authority. A certification authority is an organisation that issues SSL certificates; an SSL certificate is like an ID document that computers use to prove who they are. Zimbabwe doesn’t have direct access to a certification authority, but China had one and they successfully intercepted secure messages.
It is very, very hard for the Zimbabwean government to gain access to your WhatsApp messages this way. You can thwart this sort of attack by using secure VPN protocols when using WhatsApp. Ordinary users can just use WhatsApp normally, as there is very little risk of being hacked this way. It’s simply too complicated an attack to execute and the government would probably never bother to, that’s if they can even find someone with the skills.
Joining your secret group
This is the easiest and probably the most used method. All it involves is a state agent/informant infiltrating your secret group. They can accomplish this either by using a publicly/easily accessible link or by social engineering (computer speak for tricking you) their way in by having the group administrator add them. This method is very cheap and easy to accomplish. It is also very hard to thwart, especially in large groups where people don’t know everyone. This is not technically a hack, but it counts as it gets the job done. The state can listen to your conversations.
What can you do? Avoid posting private messages in groups and vet people before they join, although, as pointed out earlier, this may be impossible to do. Use separate numbers for personal and business.
SIM replacement or SMS/call hijacking
This is probably what Jonathan Moyo was referring to when he made his warning on social media. For all its security, WhatsApp still uses a phone number when one signs up for the service. The app uses an SMS or call to this number to verify that you own the number you are using to sign up. This is a simple way to verify ownership. If you don’t own the number, you won’t receive the special SMS (OTP) that allows you to register.
The problem is governments are not people. As with ISPs, they do have control over Mobile Network Operators. They can obtain a warrant that will allow them to intercept your SMS messages at your mobile network operator’s servers. The SMS protocol is inherently insecure. This will allow them to claim to be you and register a WhatsApp account in your name.
This is, however, a short-term thing as it’s not very clandestine. WhatsApp allows you to access your WhatsApp account from only one device (not counting WhatsApp web). If the government were to do this, you would notice that they have done so as soon as you open the app on your phone, but if you don’t check your phone that regularly then it might be some time before you notice. In the meantime, the government can use your account to talk to your contacts and pretend to be you.
NB: The government will not be able to read some messages due to end-to-end encryption. You would have noticed that when you reinstall WhatsApp there are some messages that say Waiting for this message blah blah. It’s because those messages were encrypted using your old encryption key, to which you no longer have access. Even you won’t be able to recover those messages.
There is very little you can do to thwart this except using a foreign number over which the government has no control. Apps such as TalkU sell US and UK numbers for about US$3 per year.
Using WhatsApp web
On the off-chance that you don’t know what WhatsApp web is, it’s a service that allows you to use WhatsApp from your browser. You visit https://web.whatsapp.com and then follow the steps there to link your WhatsApp account to your browser. You can then access messages and send messages from your browser. For this attack to happen, someone needs physical access to your phone so that they can link it to their computer.
Sadly, the phone and browser need not be on the same network (have the same IP address) for the person to be able to see your messages. If you don’t pay attention, someone can lurk in your WhatsApp for months. This “hack” is easy to spot though. WhatsApp gives you a large notification that shows your WhatsApp is being accessed using WhatsApp web. That might still not be enough if, like me, you also use WhatsApp web.
You need to go to WhatsApp web settings on your phone to make sure that only your authorised devices are accessing WhatsApp Web. You can do this by tapping on the three dots on the top left corner of WhatsApp and selecting WhatsApp web. Also, pay close attention and see if messages are being marked as read when you haven’t read them. Fortunately, there is no “mark as unread” button on WhatsApp that would allow a stalker to cover their tracks.
NSO kit (Pegasus) hack method
Of all the methods mentioned above, this is the hardest to detect and the most difficult to fend off. How difficult? Well, here is a story (also detailed in the embedded video below). Sometime in 2018, the future king of Saudi Arabia, an oil-rich country in the Middle East, sent a WhatsApp message to Jeff Bezos, the CEO of technology giant Amazon. This was a special video message. Bezos opened the message but nothing played. Unbeknown to him, malware had been surreptitiously installed on his phone and data including messages, images etc. was siphoned from his phone. The hack cost him his marriage. He was only aware after the fact, when tabloids started publishing his private information and photos.
How did this happen? There is an organisation called the NSO group that specialises in producing hacking software obtained by hunting for what are known as zero-day bugs in popular apps such as WhatsApp. Apps such as WhatsApp are made by combining large files of computer instructions (known as source code). The instructions are so large that mistakes are inevitable. Mistakes are fixed (patched) once they are discovered, but some remain undiscovered and the NSO group takes advantage of these to create tools that allow governments to hack into people’s phones and other devices. Their job is made even easier by the fact that there may be other zero-days in other software on that phone, which give them more potential doors in.
The group and its Pegasus malware suite have quite the reputation, and thanks to their popularity they have very wealthy customers (governments) paying them for their hacking kits. All the Zimbabwean government would need to do to hack your WhatsApp would be to send you a specially crafted message via WhatsApp and boom, they are in. With some zero-days, you do not even need to open the message. In any case, they can just momentarily hijack the WhatsApp number of a friend that you trust using the method mentioned above. Who among us does not open a message sent from their mother’s phone?
As already said, this sort of hack is notoriously hard to detect, let alone fend off. Jeff Bezos has access to a top tier tech firm and yet he fell victim. Just follow common-sense advice such as keeping all the software on your phone up to date, installing only from trusted sources and only keeping the apps you require and use. You can also limit the damage, however, by making sure you use separate devices for work and private use. Make sure you don’t keep very private files on your phone. Install a firewall on your network instead of using bundles. This allows you to see what traffic is leaving your network.
Unfortunately, the NSO suites (kits) come with so many tools that allow the government to deploy, at the click of a button, various exploits that can render most defences useless. If the government really wants to see your WhatsApp messages, they will. NSO sells to most governments, even repressive ones like the government of Saudi Arabia. They only require the tools to be deployed against “terrorists and criminals”. Governments have the legal right to determine who falls into either of those categories. The NSO group hails from Israel and we have heard rumours that the Zimbabwean government sometimes contracts the Israelis on matters of national security.
Zero-days have been mentioned above. Sadly, it is probable that there are some zero-days that have been discovered by other hack groups. There are a lot of hacker collectives known as advanced persistent threats (APTs) out there that are willing to partner with governments for profit. For example, North Korea has formidable APTs, such as the notorious Lazarus group, that have proven their mettle against South Korea, and our country has a historical relationship with North Korea on national security. China and Russia also have APTs that probably have the skill and know-how to get into WhatsApp.
General security: protecting yourself
If you are a member of a vulnerable group that a government might hack, you need to have the utmost vigilance when guarding your WhatsApp account. In fact, as soon as you receive a document you need to put it on an air-gapped device and wipe it off your WhatsApp account. An air-gapped computer is a computer that never ever connects to the internet. Put your private photos and whatnots there.
Also, make extensive use of GPG and encryption. Adding an encryption layer outside WhatsApp to your messages makes them inaccessible when you send them as attachments. It means only those authorised to access them can do so, even if someone else intercepts them.
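The GPG advice above, as a worked example added here (it is not from the original article): a file is encrypted to the recipient's public key before it is attached, so a copy taken from WhatsApp is unreadable without the recipient's private key. The key, e-mail address and file names are constructed for the demo, and a throwaway keyring is used so your real keys are untouched.

```bash
#!/usr/bin/env bash
# Added example: encrypt a file with GnuPG before sending it as an attachment.
# All names, addresses and file contents below are constructed for the demo.

# encrypt_for_recipient <recipient> <plaintext-file> <output-file>
# gpg refuses (in batch mode) to encrypt to a key you have not marked as
# trusted, so verify the recipient's fingerprint in person or by phone first.
encrypt_for_recipient() {
    gpg --batch --yes --quiet --armor \
        --recipient "$1" --output "$3" --encrypt "$2"
}

# decrypt_file <ciphertext-file>: run by the recipient; prints the plaintext.
decrypt_file() {
    gpg --batch --quiet --decrypt "$1" 2>/dev/null
}

# run_demo: round trip inside a temporary keyring (subshell keeps the
# GNUPGHOME change away from the caller's environment).
run_demo() (
    work=$(mktemp -d) || exit 1
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Constructed recipient key without a passphrase (demo only; a real key
    # should be passphrase-protected and generated by the recipient).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Recipient <recipient@example.org>' \
        default default never 2>/dev/null || exit 1

    printf 'constructed sample: meeting notes\n' > "$work/notes.txt"
    encrypt_for_recipient recipient@example.org \
        "$work/notes.txt" "$work/notes.txt.asc" || exit 1

    # The file you would attach must not reveal the original text.
    if grep -q 'meeting notes' "$work/notes.txt.asc"; then exit 1; fi

    # Only the holder of the private key gets the content back.
    [ "$(decrypt_file "$work/notes.txt.asc")" = 'constructed sample: meeting notes' ]
)

run_demo && echo "round trip OK: send the .asc file, not the original"
```

In real use the recipient generates the key on their own device and gives you only the public half; you import it with `gpg --import` and send the resulting `.asc` file as the attachment.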
The truth is, no matter what Jonathan Moyo said, if the government wants to read your WhatsApp messages they will, if they are motivated enough. Changing phone numbers will probably not stop them. Again, if they want your WhatsApp messages they can read them, or at the very least some of them.