Following widespread criticism of Nick Clegg’s suggestion that end-to-end encrypted messages could not be hacked, please find the comments below from security experts:
Derek believes companies such as Facebook risk opening the door to hackers by neglecting software hygiene. In his view, Clegg’s lack of understanding of the problem is typical of board-level ignorance of application security, and of the need for multiple layers of application security practice to ensure that consumers are protected from cyber-attacks.
"We're as sure as you can be that the technology of end-to-end encryption cannot be hacked into" – Facebook's @nick_clegg says he's "very, very confident" that Jeff Bezos wasn't hacked via Whatsapp #r4Today | @MishalHusain | https://t.co/NHsmYG4H4W pic.twitter.com/E4Cf4h1Viu
— BBC Radio 4 Today (@BBCr4today) January 24, 2020
Nick Clegg’s assertion that Jeff Bezos could not have been hacked via WhatsApp because of its end-to-end encrypted messages shows a lack of knowledge about both security and how modern applications are developed. While end-to-end encrypted apps such as WhatsApp may profess to offer “security by default,” apps are only as secure as the software they’re built on.
Without proper software hygiene, companies risk building known vulnerabilities into their applications, which hackers are quickly able to exploit – as WhatsApp found out in 2019 with the “double-free” vulnerability. This incident demonstrated why “end-to-end encryption,” and traditional security measures, don’t automatically equate to secure by default. Until WhatsApp starts recognising that end-to-end encryption alone is not enough – and that true application security requires multiple layers of application security practices – it leaves consumers vulnerable to cyber-attacks.
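As an added illustration of the point made above (this is example code written for this page, not code from WhatsApp, Facebook or the commenter, and it does not reproduce the 2019 WhatsApp bug, whose details the page does not give): a toy attachment decoder with a double free on its error path, beside the same decoder with the bug removed. The attachment format, the `tracked_malloc`/`tracked_free` instrumentation and the sample inputs are all constructed for the example. The point is the one in the comment: the decoder runs on plaintext that the messaging layer has already decrypted, so end-to-end encryption does nothing to stop a malicious attachment reaching the bug.

```c
/*
 * Added example, not from the page, WhatsApp or the commenter. A toy frame
 * decoder with a double free on its truncated-frame path, and a fixed version.
 * The decoder sees the attachment AFTER end-to-end decryption, so a malicious
 * attachment reaches it unchanged; the encryption layer is irrelevant here.
 *
 * Calling free() twice is undefined behaviour (glibc usually aborts), so a
 * small instrumented allocator records the second free instead of performing
 * it, which lets the two decoders be compared without crashing the program.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

static void *live[MAX_LIVE];   /* pointers currently owned by a decoder */
static int double_frees;       /* times a pointer was freed a second time */

static void *tracked_malloc(size_t n) {
    void *p = malloc(n ? n : 1);
    for (int i = 0; p && i < MAX_LIVE; i++) {
        if (!live[i]) { live[i] = p; break; }
    }
    return p;
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    double_frees++;  /* p is not live: this is a second free of the same pointer */
}

/* Constructed format: byte 0 = frame count; each frame = 1 length byte + payload. */
static int decode_vulnerable(const uint8_t *in, size_t len) {
    uint8_t *cur = NULL;
    if (len == 0) return -1;
    size_t pos = 1;
    for (int i = 0; i < in[0]; i++) {
        if (pos >= len) goto fail;
        size_t flen = in[pos++];           /* attacker-controlled length */
        cur = tracked_malloc(flen);
        if (!cur) goto fail;
        if (pos + flen > len) {            /* frame is truncated */
            tracked_free(cur);             /* BUG: first free ... */
            goto fail;                     /* ... shared cleanup frees it again */
        }
        memcpy(cur, in + pos, flen);
        pos += flen;
        tracked_free(cur);                 /* frame consumed */
        cur = NULL;
    }
    return 0;
fail:
    tracked_free(cur);                     /* second free of `cur` on the truncated path */
    return -1;
}

/* Fix: validate before allocating, one cleanup path, pointer cleared after release. */
static int decode_fixed(const uint8_t *in, size_t len) {
    uint8_t *cur = NULL;
    if (len == 0) return -1;
    size_t pos = 1;
    for (int i = 0; i < in[0]; i++) {
        if (pos >= len) goto fail;
        size_t flen = in[pos++];
        if (pos + flen > len) goto fail;   /* reject the truncated frame first */
        cur = tracked_malloc(flen);
        if (!cur) goto fail;
        memcpy(cur, in + pos, flen);
        pos += flen;
        tracked_free(cur);
        cur = NULL;
    }
    return 0;
fail:
    tracked_free(cur);                     /* the only place an in-flight frame is freed */
    cur = NULL;
    return -1;
}

/* Constructed inputs: MALFORMED's second frame claims 9 bytes, only 2 remain. */
static const uint8_t WELLFORMED[] = {2, 3, 'a', 'b', 'c', 2, 'x', 'y'};
static const uint8_t MALFORMED[]  = {2, 3, 'a', 'b', 'c', 9, 'x', 'y'};

int double_frees_vulnerable(void) {
    double_frees = 0;
    decode_vulnerable(MALFORMED, sizeof MALFORMED);
    return double_frees;   /* 1 */
}

int double_frees_fixed(void) {
    double_frees = 0;
    decode_fixed(MALFORMED, sizeof MALFORMED);
    return double_frees;   /* 0 */
}

int fixed_rejects_malformed(void) { return decode_fixed(MALFORMED, sizeof MALFORMED) == -1; }
int fixed_accepts_wellformed(void) { return decode_fixed(WELLFORMED, sizeof WELLFORMED) == 0; }

int main(void) {
    printf("vulnerable decoder, malformed input: %d double free(s)\n", double_frees_vulnerable());
    printf("fixed decoder, malformed input:      %d double free(s)\n", double_frees_fixed());
    return 0;
}
```

Build with `cc -std=c99 -Wall double_free.c` (the file name is an assumption). To see the bug the way a real build would surface it, replace `tracked_free` in `decode_vulnerable` with a plain `free` and compile with `-fsanitize=address`: AddressSanitizer reports the double free on the malformed input, which is the kind of check a memory-unsafe media parser should run under in CI regardless of how the message was encrypted in transit.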