NOTICE on Dec 18th, 2012, 02:38PM: Given the recent popularity of this article, I just want to advise readers that it is almost three months old and in the meantime, things could have changed significantly. My current knowledge of the situation is limited, but if you have any questions, ask and/or follow me on Twitter.
This post was updated on Sep 30th, 2012, 01:05 PM. The WhatsAPI source code is back online. See section “Authentication”.
WhatsApp’s 20 million users send some 1 billion messages per day, and nothing protects them from being impersonated, spied on, and thus from mean jokes, even fraud, tragedy, tragedy!
Let’s not be pathetic. Although some of you might think along the standard “I have nothing to hide” lines, you should really consider reading on and learning why it’s quite a shame the app is still not secure and why this should be reason enough to dump it and install one of the countless alternatives. But let’s start with a short recap of what has happened in the past months.
Back in 2011, WhatsApp messages were not encrypted at all. That means an attacker could sit in a – insert any popular coffee chain with free wifi here – and run some fun apps that listen to the wifi’s traffic and filter out WhatsApp data. Everything sent over the same wifi was essentially readable by any device, even if the wifi itself was password protected and thus used encryption. Among others, there was even an Android app out in the wild doing that sniffing for everybody, and it required no technical skills whatsoever.
What does that mean for all the innocent, uninformed WhatsApp users connected to the same wifi? Well, if they were careless enough to send bank account details, personal addresses and what-do-I-know over WhatsApp, it would have been a feast for an attacker. The only way to protect yourself was to avoid wifi altogether.
Unfortunately the company behind WhatsApp, WhatsApp Inc, did not inform anybody through their official channels, and users were left to hear the bad news from the media. And, because it was only featured in tech articles, most users probably did not even notice the discovery.
One of the side effects of this vulnerability and others was that in January of this year, some guy was able to set up a website that allowed an attacker to change the status message of a victim at will – the only thing he/she had to know in order to do this was the victim’s phone number. This post gives a good overview of how he was able to exploit the weakness, in case you are interested. Basically the WhatsApp server did not check where the status change request was coming from and allowed everything to pass through.
Anyway, did WhatsApp Inc solve this problem? Well, they just banned the website’s IP address from accessing their servers, but the app was still vulnerable to the same attack until a few months later.
Then, after quite a long time of being inactive, the company silently released an update that appeared to encrypt the data, making it unreadable for prying eyes. Now let that sink in: silently. No notification in any changelog, no official statement, nothing. The only thing people discovered was the following FAQ post:
If you are using the latest version of WhatsApp your messages are encrypted.
We do not store your chat history on our servers. All chat messages are considered private and are only stored until they are delivered.
Even though data sent through our app is encrypted, remember that if your phone or your friend’s phone is being used by someone else, it may be possible for them to read your WhatsApp messages. Please be aware of who has physical access to your phone.
WhatsApp Support Staff
Well, that was about two months ago, right? Turns out this is just a lie. Another clever guy recently reverse engineered the app and found that the encryption is applied to the data, but the cryptographic key itself is not protected at all: it is merely hidden inside the app. That renders the encryption of the data pretty useless and significantly lowers the hurdle for a potential attacker, because whoever extracts the hidden key can decrypt everything. This is also called Security Through Obscurity, and it is usually done when developers either lack the knowledge of proper security or security is just not given priority. For a company that develops an app used by millions of people, I say the latter is more probable.
Now it’s end of September 2012, and the already long list of security vulnerabilities continues to grow.
Over two weeks ago, a guy called Sam Granger “discovered” that WhatsApp is using IMEIs as passwords. I will explain shortly what an IMEI is. So it turned out that WhatsApp uses the phone number as username and the IMEI number as password when authenticating to its servers, e.g. when attempting to send a message from a user account. If you know both of them you are basically able to gain full privileges over an account, which means: sending messages and reading incoming ones.
Now what is an IMEI? Basically it’s just the identification number of a particular device, but that does not really matter. What matters is that it is really easy to find out. On an Android device, just dial *#06# and you’ll get it displayed. See how easy it is for an attacker to get to that IMEI? If he/she (could also be a she, who said bad guys are always male?) has physical access to the device, it’s a matter of seconds.
But it gets even better. It turned out that on iOS devices, WhatsApp uses the MAC address as the password. Why is that even worse? Because it is actually quite easy to get to an iOS device’s MAC address, even without physical access. Everybody who knows how to use a cute little network sniffer program can find out all the MAC addresses connected to a particular network, for example a public wifi. Or if you run a wifi at home, it is often enough to just look into the logs of your router and you’ll see the connected devices.
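To make the point of the last three paragraphs concrete, here is an added example (my own illustration, not code from the original post and not WhatsApp’s or WhatsAPI’s actual code): the “weak” scheme derives the password from the IMEI with a constructed placeholder transform, so anyone who knows the IMEI can recompute it; the “hardened” scheme issues a random per-device secret at registration and checks it with a challenge-response, so knowing the phone number and IMEI (or MAC address) gives an observer nothing to log in with. All names, the phone number and the IMEI are constructed for the example.

```python
import hashlib
import hmac
import secrets


def weak_password(imei: str) -> str:
    # Weak scheme: password is a fixed function of a public device id (constructed
    # placeholder transform, not WhatsApp's real one); anyone with the IMEI recomputes it.
    return hashlib.sha256(imei.encode()).hexdigest()


def weak_login_ok(password: str, imei_on_file: str) -> bool:
    # Server side of the weak scheme: the expected password derives from the IMEI.
    return hmac.compare_digest(password, weak_password(imei_on_file))


def device_response(secret: bytes, nonce: bytes) -> bytes:
    # What the legitimate device answers in the fix: HMAC-SHA256 of the nonce.
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class HardenedServer:
    """Fix: a random per-device secret issued at registration (unrelated to
    IMEI or MAC), checked by challenge-response so it never crosses the wire."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}   # would be encrypted at rest
        self._pending: dict[str, bytes] = {}

    def register(self, phone: str) -> bytes:
        secret = secrets.token_bytes(32)   # 256 bits from the OS CSPRNG
        self._secrets[phone] = secret
        return secret                       # handed to the device once

    def challenge(self, phone: str) -> bytes:
        nonce = secrets.token_bytes(16)     # fresh per login, defeats replay
        self._pending[phone] = nonce
        return nonce

    def verify(self, phone: str, response: bytes) -> bool:
        nonce, secret = self._pending.pop(phone, None), self._secrets.get(phone)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(device_response(secret, nonce), response)


def attacker_with_imei(server: HardenedServer, phone: str, imei: str) -> bool:
    # Page's threat model: knows phone and IMEI only, so guesses a secret from the IMEI.
    guess = hashlib.sha256(imei.encode()).digest()
    return server.verify(phone, device_response(guess, server.challenge(phone)))
```

The same argument applies unchanged to a MAC address: any value an observer on the network can read is an identifier, not a secret, and the fix is to stop treating it as one.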
Let’s come back to Sam Granger. I put “discovered” in quotes for a purpose. It was not exactly him who discovered the leak, it was the guys who actually decoded the whole WhatsApp communication protocol in order to be able to build apps for other platforms than those that are currently supported. Can you still follow?
Users of the quite popular Nokia N900 (which uses an open source Linux operating system) and the newer N9 have been desperately waiting for a WhatsApp version to come out – yet the WhatsApp team has never released one. So, clever guys started to look into the protocol WhatsApp is using to communicate between servers and devices, and rebuilt it from scratch. And they did a pretty good job.
Under the name WhatsAPI they released a toolkit for developers who want to rebuild WhatsApp client applications for other platforms than the ones currently supported. And of course, by using this source code and knowing somebody’s phone number and IMEI/MAC address, it is pretty easy to actually impersonate that somebody and send/receive messages in his or her name.
After the leak was published, did WhatsApp Inc inform its users? You already know the answer. Not surprisingly, WhatsAPI stopped working for a couple of days, but then some of the developers found the issue and fixed it, so as of today, the weakness is still exploitable.
And here we are, end of September, and history repeats itself. Another guy had the brilliant idea to upload the WhatsAPI code to a public website, so everybody, i.e. people without any programming knowledge, can exploit the vulnerability. Remember: Just grab your friend’s or foe’s Android phone, type in *#06#, and you are able to spam & bullshit other people in his/her name, using the above website. Or, if your desired target is using an iPhone, either access the MAC address by going to the Settings and looking it up manually, or lure it into your personal wifi to record its address.
So now, there is quite a big media outcry (again, mostly media focusing on technology), just because somebody made accessible to everyone what has been known for almost a month.
But did WhatsApp Inc react and fix the issue? You already know the answer. More than that, they allegedly do not even respond to the hackers who reported the security vulnerabilities, let alone inform the users through their official blog. The last entry there is over 3 months old and hey, who cares whether or not they show ads when the guy sitting next to you can access all your messages and even send some in your name?
Apparently, they did one thing. They threatened the developers of WhatsAPI with legal action. Remember, the guys who only wanted to make the communication protocol understandable, so developers could extend the user base of the application?
So the developers of WhatsAPI removed the code from their github repository. But don’t despair, you can still try and replicate what the guy of http://whatsapp.filshmedia.net did.
There is still a copy of the code available, and I just made sure it still works.
Update: Yesterday, the venomous0x team put WhatsAPI back online. The changelog merely says:
Development to be resumed, let’s pretend that nothing has happened.
– venomous0x
And a little research done by myself indicates that the security issue is still exploitable.
So back to WhatsAPI: It is a mere script that can be either executed on a web server like above, or from the command line using the PHP interpreter. An attacker can just enter the victim’s IMEI and phone number at the appropriate place in the code and then start listening to incoming messages. Trust me, it is not rocket science!
Non-existent encryption in 2011, security through obscurity in 2012, and now a very bad authentication mechanism? You see, WhatsApp was, is, and will probably stay pretty damn insecure. If you don’t care about that stuff and think nobody is mean enough to actually exploit it, that is fine, just make sure you don’t send anything too stupid over the aether. In my opinion, the fact that there is a security vulnerability is not even the worst part. I am just quite startled by the way WhatsApp Inc deals with the problem. They do not inform, they do not fix, and they try to solve the problem by suing developers who did something for the greater good (probably for the greater good of the company as well). And the fact that the reported security issues could actually be solved quite easily does not make it better. C’mon, how many people work at WhatsApp Inc? Two?
I mean, this app has over 20 million users! Yes it is free, but that does not excuse these major security flaws. As a user you usually expect something that is installed on so many phones to work as securely as possible.
Now last but not least – of course I use the app too, that’s why I am particularly concerned. People will say, “well, then just remove it from your phone”, but it’s the same issue as with Facebook. When everybody uses a particular app or service it’s quite hard to opt-out and not to lose track of what’s going on. Still, I have to say that I am not very amused by what’s happening and looking at alternatives right now. If I find some good stuff I will let you know – I am sure somebody has made a great chat/communication client without those flaws. If you know of anything, post it in the comments!