vulnerability

Operational Technology (OT) and the Log4Shell vulnerability

On the 24th November 2021, the Alibaba Cloud Security team privately notified Apache about a new vulnerability in a very popular Java programming language library called Log4j. The vulnerability became public knowledge on the 9th December 2021 and was officially published in CVE databases on the 11th and 12th December 2021.

Industrial communications at risk of cyber-attacks

There are 3 million companies using the WhatsApp Business app across the globe, and 1.5 billion individuals using the original WhatsApp app for a mixture of business and personal use [1]. Its ease of use, combined with its advertised end-to-end encryption and the fact that it is a subsidiary of Facebook, means that people trust it for their daily communication.

Unfortunately, an exploit was found in WhatsApp which led to a cyber-attack on a UK-based attorney on the 12th May 2019 [2]. The vulnerability allows malicious code to be deployed on the receiving device, which could lead to further exploitation, in this case spyware which allows read-write access to the device. The vulnerability was patched, and updates released on various mobile operating systems by Monday 14th May 2019. Always ensure that you regularly check updates to your mobile applications.

While WhatsApp is probably not being used for operational communication within Advanced Manufacturing & Critical Infrastructure, the culture of Bring Your Own Device (BYOD) is increasing. These devices may be used for a mixture of personal and business communications, which in some cases may lead to a conflict with GDPR [3]. They may or may not be connected to the business Wi-Fi, which may mean that vulnerabilities and exploitations are present within the corporate networks. We urge organisations, especially those who use highly connected devices, such as automation devices, to look at their cyber-threat risks, and to mitigate them – not necessarily by banning devices, but by ensuring adequate education of staff and contractors.

Another option, of course, may be to avoid the use of WhatsApp within business altogether, perhaps using well-supported secure communications software such as Novastone [4], who are our fellows of the first cohort of the Tech Nation Cyber programme [5], or by promoting the use of an alternative secure communications system such as the open-source Signal [6]. Whichever communication technology is used, risks must always be considered, especially when attempting to mitigate unknown-unknown vulnerabilities.

At Awen Collective we have developed our Dot software to specifically look for devices on an operational network within industrial control networks or building control networks. We use specially developed safety-critical techniques to automatically discover devices on the network, and assess their vulnerabilities. Find out more about Dot and contact us today.

Sources & Links – all last accessed 16th May 2019

[1] https://99firms.com/blog/whatsapp-statistics/  

[2] https://www.cityam.com/277567/whatsapp-hack-tech-giant-urges-15bn-users-update-app-after

[3] https://www.thebci.org/news/are-whatsapp-and-gdpr-on-a-collision-course.html

[4] https://www.novastonemedia.com/

[5] https://technation.io/programmes/cyber-security/

[6] https://signal.org/

[7] Official CVE from Facebook/WhatsApp: https://www.facebook.com/security/advisories/cve-2019-3568