Digital Sovereignty & Cyber Security
From cyberwar to digital encryption, security issues to state sovereignty
Rescooped by Philippe J DEWOST from cross pond high tech
January 13, 2021 2:38 AM

Secure Messaging Apps Comparison

This site compares secure messaging apps from a security & privacy point of view. These include Facebook Messenger, iMessage, Skype, Signal, Google Allo, Threema, Riot, Wire, Telegram, and Wickr. The best secure messaging app?

Philippe J DEWOST's insight:

In the midst of #WhatsAppGate, Telegram announces 25 million new sign-ups in 72 hours and passes the mark of half a billion active users.

Beyond the simplistic comparisons that created a buzz in the Kommentariat, suggesting that the only alternatives are iMessage, Telegram or Signal, the offering is considerably broader. Besides, Skype and Viber were not born yesterday.

Other players do not yet appear in this table, such as #FireChat (which works hop by hop in a decentralized mode), the French app Skred from Pierre Bellanger, Olvid, or the secure messaging app #Tchap developed on a Riot base by the public authorities.

Beyond the #RGPD lies the real question of interoperability: after all, a large share of these apps started from the open source #XMPP protocol that came out of Jabber (and therefore of Orange).

Simplicity is the other issue, and here WhatsApp keeps a huge advantage, given how easy it is to set up a group, whether family, project or circumstantial, and to share photos and comments in it.

But simplicity also means not having to remember which application my last conversation with you took place on!

Philippe J DEWOST's curator insight, January 13, 2021 2:37 AM

In the midst of #WhatsAppGate, @Telegram announced 25 million new registrations in the past 72 hours, and more than half a billion active users.

Beyond simplistic comparisons buzzing through the #Kommentariat, the offer is much more abundant. Besides, Skype or Viber were not born out of the last rain.

While solutions seem to focus on #privacy enforcement, the question of interoperability is another possible avenue: after all, a large number of these apps are based on the open source #XMPP protocol from Jabber (and therefore Orange). Why not enforce some level of interconnection?

Simplicity is the other issue, and there WhatsApp has a huge advantage, given how easy it is to set up a group, whether for a family, project, or circumstantial powwow, and share photos and comments.

But simplicity also means not having to remember the application I was using in my last conversation with you!

Philippe J DEWOST's curator insight, January 16, 2021 9:50 AM

WhatsApp and Facebook bend the knee following customer backlash. #WhatsAppGate

https://techcrunch.com/2021/01/15/whatsapp-delays-new-data-sharing-policy-enforcement-to-may-15/

Scooped by Philippe J DEWOST
April 18, 2018 1:47 AM

The government will use its own encrypted messaging service starting this summer

Starting this summer, senior French civil servants will be able to use a messaging application without fear of intrusion. The Agence nationale de la sécurité des systèmes d'information (Anssi) confirmed this Tuesday that the government should have its own encrypted messaging service this summer, more secure than current private applications.

"It is not a classified-defense messaging system, it is a messaging service meant to be functional like Whatsapp or Telegram," explained Guillaume Poupard, the agency's director general. The Whatsapp application, owned by Facebook, is based in the United States, while Telegram, which was founded by two Russians, the Durov brothers, is officially registered in the British Virgin Islands.

The government's new messaging service was developed by a software engineer at the Direction interministérielle du numérique et du système d'information et de communication de l'Etat (DINSIC) from "open source" code. It is currently being tested by about twenty senior officials and senior civil servants.

Servers in France

Interministerial digital director Henri Verdier had raised this project "with the idea that it is not inevitable for the authorities to use messaging services which Anssi keeps repeating cannot be trusted," noted the director of Anssi.

For example, "it would be good if the messages exchanged by members of the government went through servers hosted by the Dinsic rather than through servers I don't quite know where."

This project for a "secure messaging service internal to the State" had already been mentioned last Friday on France Inter by the Secretary of State for Digital Affairs, Mounir Mahjoubi. "We are working on a public secure messaging service that will not depend on private offerings," he had said.

According to the spokesperson for the Secretary of State in charge of digital affairs, this encrypted messaging service could eventually be made available to all French citizens.

Philippe J DEWOST's insight:

An interesting approach that raises two questions: what is the underlying open source code base (license, derivatives) on the one hand, and what type of encryption (end-to-end, third-party access)? Otherwise there is Skred (by Pierre Bellanger)

Scooped by Philippe J DEWOST
October 30, 2019 2:19 PM

WhatsApp blames — and sues — mobile spyware maker NSO Group over its zero-day calling exploit

WhatsApp has filed a suit in federal court accusing Israeli mobile surveillance maker NSO Group of creating an exploit that was used hundreds of times to hack into targets’ phones.

The lawsuit, filed in a California federal court, said the mobile surveillance outfit “developed their malware in order to access messages and other communications after they were decrypted” on target devices.

The attack worked by exploiting an audio-calling vulnerability in WhatsApp. Users may appear to get an ordinary call, but the malware would quietly infect the device with spyware, giving the attackers full access to the device.

In some cases it happened so quickly, the target’s phone may not have rung at all.

Because WhatsApp is end-to-end encrypted, it’s near-impossible to access the messages as they traverse the internet. But in recent years, governments and mobile spyware companies have begun targeting the devices where the messages were sent or received. The logic goes that if you hack the device, you can obtain its data.

That’s what WhatsApp says happened.

WhatsApp, owned by Facebook, quickly patched the vulnerability. Although blame fell fast on NSO Group, WhatsApp did not publicly accuse the company at the time — until now.

In an op-ed posted shortly after the suit was filed, WhatsApp head Will Cathcart said the messaging giant “learned that the attackers used servers and Internet-hosting services that were previously associated” with NSO Group, and that certain WhatsApp accounts used during the attacks were traced back to the company.

“While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful,” said Cathcart.

The attack involved disguising the malicious code as call settings, allowing the surveillance outfit to deliver the code as if it came from WhatsApp’s signaling servers. Once the malicious calls were delivered to the target’s phone, they “injected the malicious code into the memory of the target device — even when the target did not answer the call,” the complaint read. When the code was run, it sent a request to the surveillance company’s servers, and downloaded additional malware to the target’s device.

In total, some 1,400 targeted devices were affected by the exploit, the lawsuit said.

Most people were unaffected by the WhatsApp exploit. But WhatsApp said that more than 100 human rights defenders, journalists and “other members of civil society” were targeted by the attack.

Other targets included government officials and diplomats.

In a statement, NSO Group said: “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them.”

Philippe J DEWOST's insight:

Nobody will ever trust Facebook's WhatsApp privacy promise. Unless the endpoint code is open source.

Scooped by Philippe J DEWOST
April 5, 2016 4:58 PM

Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People

FOR MOST OF the past six weeks, the biggest story out of Silicon Valley was Apple’s battle with the FBI over a federal order to unlock the iPhone of a mass shooter. The company’s refusal touched off a searing debate over privacy and security in the digital age. But this morning, at a small office in Mountain View, California, three guys made the scope of that enormous debate look kinda small.

Mountain View is home to WhatsApp, an online messaging service now owned by tech giant Facebook, that has grown into one of the world’s most important applications. More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. This means that only Facebook itself runs a larger self-contained communications network. And today, the enigmatic founders of WhatsApp, Brian Acton and Jan Koum, together with a high-minded coder and cryptographer who goes by the pseudonym Moxie Marlinspike, revealed that the company has added end-to-end encryption to every form of communication on its service.

This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans roughly a billion devices.

“Building secure products actually makes for a safer world, (though) many people in law enforcement may not agree with that,” says Acton, who was employee number forty-four at Internet giant Yahoo before co-founding WhatsApp in 2009 alongside Koum, one of his old Yahoo colleagues. With encryption, Acton explains, anyone can conduct business or talk to a doctor without worrying about eavesdroppers. With encryption, he says, you can even be a whistleblower—and not worry.

The FBI and the Justice Department declined to comment for this story. But many inside the government and out are sure to take issue with the company’s move. In late 2014, WhatsApp encrypted a portion of its network. In the months since, its service has apparently been used to facilitate criminal acts, including the terrorist attacks on Paris last year. According to The New York Times, as recently as this month, the Justice Department was considering a court case against the company after a wiretap order (still under seal) ran into WhatsApp’s end-to-end encryption.

Philippe J DEWOST's insight:

Rage against the machine, at scale. How will governments react?
