
Time to review security of messaging applications
Most organizations don’t have a formal policy pertaining to how messaging applications are allowed to be used, but in the wake of a recent decision made by the chief administrator of the U.S. House of Representatives, they may want to reconsider.
A memo sent last week advised congressional staff that the WhatsApp messaging service has been banned from all U.S. House of Representatives devices. The notice said the “Office of Cybersecurity has deemed WhatsApp a high risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved with its use.”
The memo doesn’t explain what lack of transparency actually means, but earlier this year a WhatsApp official said Israeli spyware company Paragon Solutions had targeted its user base, which includes many government officials. The memo recommends using other messaging apps instead, including Microsoft Teams, Apple FaceTime and Signal.
It’s not clear how broadly these and other applications such as Discord are being used within corporate environments, but a lot of end users are assuming there is a level of security that might not be as robust as they believe.
Potential security concerns and vulnerabilities
Spyware on a mobile phone can secretly monitor and gather information about the user's activities without their knowledge, including tracking call history, text messages, location, and browsing activity, in addition to recording both audio and video. It can be installed through malicious apps, phishing links, or by exploiting vulnerabilities in the operating system of a mobile device.
It’s even possible now to exploit built-in browser components and URL parsing mechanisms to execute remote code without requiring any user interaction beyond receiving the message, according to recent research shared by the DARKNAVY institute.
Just as troubling, it’s relatively easy for end users of these applications to inadvertently disclose sensitive data, such as the now infamous invitation to a Signal chat that was mistakenly sent to a journalist by Department of Defense (DoD) officials.
Educating business leaders about the risks
Cybersecurity teams have, of course, been warning about the dangers of shadow IT for as long as anyone can remember. These days, however, it’s never been simpler for end users to set up group chats across any number of services, some of which are not even encrypted.
Beyond banning usage of these applications to discuss anything business-related, there doesn’t seem to be much cybersecurity leaders can do to reduce the risk these applications present. Many of the most voracious users of these applications are the senior leadership of the organization. That doesn’t mean cybersecurity teams should throw up their hands and look the other way.
Education can still be an effective tool. Cybersecurity professionals should be sure to brief business executives every time there is a major cybersecurity incident involving a messaging application. The truth is many of the conversations occurring on messaging applications would be a little more secure on email platforms that cybersecurity teams have invested a significant amount of time and effort securing.
Ultimately, cybersecurity professionals can only do so much to protect end users from themselves. However, the one thing they might want to make sure they are doing is leading by example. After all, many of the end users of messaging services are also cybersecurity professionals who should know better.
