WhatsApp has added some new security elements, including a new way to hide your IP address when using the app, and a mitigation process to stop cyber attacks via audio calls, which can be effective even if you don’t answer them.
Yes, cyber attackers can glean information from your device via a call that you ignore.
First off, on IP masking. When you make calls via WhatsApp, encryption protects your data and personal info, but it does use internet connection, which could be another identifying element.
As explained by WhatsApp:
“Most calling products people use today have peer-to-peer connections between participants. This direct connection allows for faster data transfers and better call quality, but it also means that participants need to know each other’s IP addresses so that call data packets can be delivered to the correct device – meaning that the IP addresses are visible to both callers on a 1:1 call. IP addresses may contain information that some of our most privacy-conscious users are mindful of, such as broad geographical location or internet provider.”
So while the information shared is not broadly identifying, it can be problematic in some use cases.
To solve for this, WhatsApp has developed a new process that re-routes your call through WhatsApp’s servers, so that other parties in a call can’t see your IP address.
“This provides an additional layer of privacy and security particularly geared towards our most privacy-conscious users. As always, your calls are end-to-end encrypted, so even if a call is relayed through WhatsApp servers, WhatsApp cannot listen to your calls.”
It’s an additional layer of security, which could be very appealing to people in vulnerable situations.
Interestingly, X is also experimenting with a similar approach for its new audio calling option.
WhatsApp has also added a new way to address calling-based cyber attacks, which as noted, can be effective, even if you don’t answer.
WhatsApp says that calling software used by attackers automatically processes incoming packets from callers in order to optimize call setup and improve performance.
“This means calling vulnerabilities can often lead to “zero-click” attacks; the victim may not need to even accept the call for the attack to succeed.”
So, essentially, there’s a level of information communicated in the calling process, and that, in itself, can be a security issue in certain cases.
In order to address this, WhatsApp has developed a new approach, which uses “privacy tokens” to determine the level of trust in each caller.
“Each client locally decides which other user it trusts and distributes tokens to them. When a call is placed, the caller includes the privacy token of the recipient in the protocol message. Next, the server checks the token’s validity along with a few other factors to determine if the intended recipient allows this sender to ring them. Crucially, for our user’s privacy, the server does not learn anything about the exact relationship between the caller and the recipient from the token.”
So it’s a system that’s able to better identify and filter callers, in order to help WhatsApp users avoid scams and spammers, by reducing their related attack vectors.
These are good updates, which will help provide more assurance that your WhatsApp interactions will remain private. Which is the key selling point for the app, for most users, and as such, it’s important for WhatsApp to continue to reinforce this element with its updates.
You can read more about the latest WhatsApp security updates here.