The document discusses security flaws in WhatsApp related to a lack of encryption of communications, metadata exposure, and discusses ways to add a new layer of security and privacy to WhatsApp messages by routing traffic through a custom server using encryption to protect the integrity and confidentiality of messages. It provides information on how WhatsApp's customized XMPP protocol works and how authentication is handled.
3. Defeating WhatsApp’s Lack of Privacy
WHO
WE
ARE
Jaime Sánchez
- Computer Engineer & Security Researcher
- Executive MBA, CISSP, CISA and CISM
- Speaker at Rootedcon, Nuit du Hack, BH Arsenal,
Defcon, DerbyCon, NoConName, DeepSec etc.
- Twitter: @segofensiva
- http://www.seguridadofensiva.com
!
!
Pablo San Emeterio
- Computer Engineer / I+D Optenet
- Master of Science in Computer Security by UPM,
CISA and CISM
- Speaker at NoConName and CiberSeg
- Previous experience with WhatsApp :)
- Twitter: @psaneme
Black Hat Sao Paulo
5. Defeating WhatsApp’s Lack of Privacy
¿
WHAT
IS
WHATSAPP
?
- WhatsApp is a cross-platform (no desktop clients)
instant messaging subscription ser vice for
smartphones, that let users send messages and
multimedia files to each other.
!
- Because it uses your internet data plan and there's
no additional cost for these messages, it's mostly used
young people.
!
- Was founded in 2009 by American Brian Acton
and Ukrainian Jan Koum (also the CEO), both former
employees of Yahoo!, and is based in Santa Clara,
California.
!
- WhatsApp might not be as widely known as Twitter,
but it is definitely just as popular in terms of users.
Black Hat Sao Paulo
NoConName 2013
6. Defeating WhatsApp’s Lack of Privacy
USERS
STATS
It’s interesting to compare that stat to Twitter, which has 230 million active monthly users, and to Instagram, which has 150
million on its platform.
Black Hat Sao Paulo
NoConName 2013
8. Defeating WhatsApp’s Lack of Privacy
Just how much is 10
billion messages?
416,666,670 messages an hour
6,944,440 messages a minute
115,704 messages a second
- WhatsApp has done to SMS on mobile phones what Skype did to
international calling on landlines!
Black Hat Sao Paulo
NoConName 2013
9. Defeating WhatsApp’s Lack of Privacy
NEW
ARCHITECTURE
Hardware Specs
- Dual octo-core E5-2690 (32 logical CPUs)
- 256GB RAM (128GB for A/V hosts)
- 6 x 800GB SSD (4TB SATA for A/V hosts)
- 2 x dual link-agg gig-E (public, private)
!
New features
- Resumable uploads and downloads
- Reference counting
Peak Scalability
- 214M images in a day
- 8.8K images/sec downloaded
- 29 Gb/sec output bandwidth
!
Holiday Week
Black Hat Sao Paulo
NoConName 2013
10. Defeating WhatsApp’s Lack of Privacy
SECURITY
FLAWS
- WhatsApp communications were not encrypted, and data was sent and received
in plaintext, meaning messages to easily be read if packet traces are available
(WhatsApp Sniffer)
!
- WhatsApp began using IMEI numbers and MAC addresses as passwords.
!
- Remote storage of virus, programs, html etc. on WhatsApp servers
!
- Critical flaw lead to control any account (modify account, send and receive
messages etc.)
!
- Data stored in plaintext on database
!
- An unknown hacker published a website (WhatsAppStatus.net) that made it
possible to change the status of an arbitrary WhatsApp user, as long as the phone
number was known. (To make it work, it only required a restart of the app)
Black Hat Sao Paulo
NoConName 2013
11. Defeating WhatsApp’s Lack of Privacy
MORE
SECURITY
FLAWS
- On January 13, 2012, WhatsApp was pulled from the iOS App Store, and the
reason was not disclosed. The app was added back to the App Store four days later
!
- Priyanka appeared spreading on Whatsapp through a contacts file that if you add
to your contacts.
!
- WhatsApp Voyeur: allows you to view the profile picture and current "Status" of
every user without using a mobile phone or registered account
!
- No authorization required to send messages, so any user can contact you or any
custom designed bot could be created to send you spam.
!
- Serious WhatsApp flaw allows decrypting user messages
!
!
!
- This is what we know so far ...
Black Hat Sao Paulo
NoConName 2013
12. Defeating WhatsApp’s Lack of Privacy
BLOCKING
- Saudi Arabia plans to block Internet-based
communication tool WhatsApp within weeks if the
U.S.-based firm fails to comply with requirements set
by the kingdom's telecom regulator, local newspapers
reported this week.
!
- This month the Communications and Information
Technology Commission (CITC) banned Viber,
another such tool, which like WhatsApp is hard for the
state to monitor and deprives telecom companies of
revenue from international calls and texts.
http://www.reuters.com/article/2013/06/16/ussaudi-internet-idUSBRE95F04R20130616
!
- The regulator issued a directive saying tools such as
Viber, WhatsApp and Skype broke local laws,
without specifying how.
Black Hat Sao Paulo
NoConName 2013
13. Defeating WhatsApp’s Lack of Privacy
SURVEILLANCE
- Repor ts and documents leaked by Edward
Snowden in June 2013 indicate that PRISM is used
for monitoring communications and other stored
information.
!
- The data that the NSA is supposedly able to get by
PRISM includes email, video, voice chat, photos, IP
addresses, login notifications, file transfer and details
about social networking profiles.
!
- Internet companies such as Microsoft, Google,
Yahoo, Dropbox, Apple and Facebook are inside
the program.
!
- The objectives of the PRISM program are those
citizens living outside the United States, but U.S.
citizens are included too.
Black Hat Sao Paulo
NoConName 2013
14. Defeating WhatsApp’s Lack of Privacy
¿ Could WhatsApp be one of these companies ?
The NSA infected more than 50,000 computers worldwide
with malicious software designed to steal confidential
information. Some countries affected are Venezuela, Bolivia,
Brazil, Ecuador, Cuba, Colombia and Honduras, among others.
The attacks are performed by a special department called
Tailored Access Operations (TAO), which has more than a
thousand hackers.
Black Hat Sao Paulo
NoConName 2013
16. Defeating WhatsApp’s Lack of Privacy
GOALS
- The main objective of the research is to add a new layer of security and privacy to
ensure that in the exchange of messages between members of a conversation both the
integrity and confidentiality could not be affected by an external attacker:
- Add secure encryption to the client. If
an attacker intercepts the messages, or any
governments try to intercept our messages
at WhatsApp's server , they won't find any
legible information.
- Give a certain level of anonymity to the
conversation by using fake/anonymous
accounts and intermediate communication
nodes.
- Modify the inner workings of the
application, routing all tr affic and
conversation messages to own server
(XMPP).
Black Hat Sao Paulo
NoConName 2013
17. Defeating WhatsApp’s Lack of Privacy
GOALS
- This technique has been developed to be used in a manner completely transparent to
the users.
!
- The software works for all WhatsApp’s platforms: we have developed a Linux-based
solution (it works inside a Raspberry Pi, your laptop computer or you could use a VPN).
!
- Could be ported to run inside Android.
Black Hat Sao Paulo
NoConName 2013
18. Defeating WhatsApp’s Lack of Privacy
INSIDE
THE
WORLD
OF
WHATSAPP
Black Hat Sao Paulo
NoConName 2013
19. Defeating WhatsApp’s Lack of Privacy
FUNXMPP
- WhatsApp uses a customized version of the open standard eXtensible Messaging
and Presence Platform (XMPP), called FunXMPP, that uses XML as its syntax..
!
- Without going into technical details, it is a messaging protocol that uses XML syntax:
!
<message from=”01234567890@s.whatsapp.net”
id=”1339831077-7”
type=”chat”
timestamp=”1339848755”>
<notify xmlns=”urn:xmpp:whatsapp”
name=”NcN” />
<request xmlns=”urn:xmpp:receipts” />
<body>Hello</body>
</message>
!
- Since WhatsApp is intended for mobile devices, they wanted to use as little
overhead as possible.
!
- ¿ How did they achieve this ?
Black Hat Sao Paulo
NoConName 2013
20. Defeating WhatsApp’s Lack of Privacy
FUNXMPP
- First of all, all keywords are assigned a byte each. If you can replace each by just one
byte, it would reduce the overhead a lot.
!
- FunXMPP uses a HashTable for this, containing most (if not all) keywords
!
- Given the syntax xnn for one byte with the hexadecimal value nn, the example
above could be reduced to the following:
!
!
<x5d x38=”01234567890@x8a”
x43=”1339831077-7”
xa2=”x1b”
x9d=”1339848755”>
<x65 xbd=”xae”
x61=”NcN” />
<x83 xbd=”xad” />
<x16>Hello</x16>
</x5d>
- All remaining ascii values cannot be replaced by a representative byte-value,
because they are variable/no fixed keywords.
Black Hat Sao Paulo
NoConName 2013
21. Defeating WhatsApp’s Lack of Privacy
BYTES
- Byte xfc: This byte signifies a sequence of ascii characters will be used as the value.
The length of this sequence can be found in the next byte (max length 255).
- Byte xfd: Where xfc reads one byte for the length,xfd reads three bytes. This
allows for strings up to a max of 16777215 characters.
- Byte xf8 y xf9: Declare the beginning of a list and it is followed by its number of
elements and subsequently the content,.
The way members are counted is:
!
1 2 3
<message from=”01234567890@s.whatsapp.net”
4 5
id=”1339831077-7”
6 7
type=”chat”
8 9
timestamp=”1339848755”>
<notify xmlns=”urn:xmpp:whatsapp” |
name=”NcN” /> | 10
<request xmlns=”urn:xmpp:receipts” /> |
<body>Hello</body> |
</message>
Black Hat Sao Paulo
NoConName 2013
23. Defeating WhatsApp’s Lack of Privacy
LOGGING
IN
ON
A
NEW
DEVICE
1) WhatsApp will send the user’s phone number to servers, through HTTPS,
requesting an authentication code
2) The mobile phone receives, through text message, the authentication code
3) This authentication code is sent and compared, and if matches, WhatsApp
obtains the password
!
- To log in, the client uses a custom SASL mechanism, called WAUTH-1. First, the
client sends:
!
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" user="XXXXXXXXXXXX"
mechanism="WAUTH-1" />
- Server will answer with a challenge:
!
<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">YYYYYYYYYYYYYYYYYYYY
</challenge>
- To respond the challenge, the client will generate a key using PKBDF2 with user’s
password, challenge as salt and SHA1 as hash function. Only 20 bytes from result will
be used as key <phone number> || <20 bytes> || UNIX timestamp:
<response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">ZZZZZZZZZZZZZ</response>
Black Hat Sao Paulo
NoConName 2013
24. Defeating WhatsApp’s Lack of Privacy
ARE
MY
MESSAGES
SECURE
?
- RC4, the most widely used software stream cipher and is used in popular protocols
such as Transport Layer Security (TLS) and WEP, was designed by Ron Rivest of RSA
Security in 1987
!
- RC4 has two stages - a KSA, that initializes the state table to be a "random"
permutation based on the key, and the PRGA, which actually returns a random byte.
¿ Where is the problem ?
Black Hat Sao Paulo
NoConName 2013
25. Defeating WhatsApp’s Lack of Privacy
From the creators of:
- Don't run with scissors
- Don't run near the pool
- Don't run near the pool while carrying scissors
!
!
Now comes:
DON’T re-use the same RC4 keystream to
encrypt two different messages
Black Hat Sao Paulo
NoConName 2013
26. Defeating WhatsApp’s Lack of Privacy
EVERY
TIME
ALICE
ENCRYPTS
A
MESSAGE ,
GOD
KILLS
A
KITTEN
...
Suppose Alice wants to send encryptions of m1 and m2 to Bob
over a public channel. Alice and Bob have a shared key k; however,
both messages are the same length as the key k. Since Alice is
extraordinary lazy (and doesn't know about stream ciphers), she
decides to just reuse the key.
!
Alice sends ciphertexts c1 = m1 ⊕ k and c2 = m2 ⊕ k to Bob
through a public channel. Unfortunately, Eve intercepts both of
these ciphertexts and calculates c1 ⊕ c2= m1 ⊕ m2.
c1 = m1 ⊕ k
c2 = m2 ⊕ k
m1 = c1 ⊕ k
m2 = c2 ⊕ k
REUSED KEY ATTACK
c1 ⊕ c2 = m1 ⊕ m2
Black Hat Sao Paulo
NoConName 2013
27. Defeating WhatsApp’s Lack of Privacy
ATTACKING
WHATSAPP’S
ENCRYPTION
- From here, the task becomes separating the two plaintexts from one another
(plaintext attack or Crib-Dragging), following the steps bellow:
1) Guess a word that might appear in one of the messages
2) Encode the word from step 1 to a hex string
3) XOR the two cipher-text messages
4) XOR the hex string from step 2 at each position of the XOR of the two
cipher-texts (from step 3)
5) When the result from step 4 is readable text, we guess the English word and
expand our crib search.
6) If the result is not readable text, we try an XOR of the crib word at the next
position.
!
- To do this, we have to do a little guessing about the
plaintexts themselves.
!
- The idea is to use a Frecuency Analysis based on
the original language used in the plaintext.
Black Hat Sao Paulo
NoConName 2013
29. Defeating WhatsApp’s Lack of Privacy
"WhatsApp takes security seriously and is continually thinking of ways
to improve our product. While we appreciate feedback, we're concerned
that the blogger's story describes a scenario that is more theoretical in
nature. Also stating that all conversations should be considered
compromised is inaccurate" the company said.
Official response to https://blog.thijsalkema.de/blog/2013/10/08/piercing-through-whatsapp-s-encryption/
WTF!
Black Hat Sao Paulo
NoConName 2013
34. Defeating WhatsApp’s Lack of Privacy
INTERCEPT
MESSAGES
- We have verified that the encryption used to
protect the information and privacy of our
conversations is easy to break.
!
- ¿What can we do? We will intercept WhatsApp's
message before you leaving the mobile phone. We'll
decipher the original message with our key and we
will apply a new cipher and then encrypt it with the
original algorithm and key, not breaking the
application.
!
- From now on, we’ll be working this way:
REAL-TIME
MODIFICATION
Black Hat Sao Paulo
NoConName 2013
35. Defeating WhatsApp’s Lack of Privacy
CHALLENGE
AND
iOS
- In iOS version we’ll use a little trick to get the challenge. Instead of exchanging it during the login, WhatsApp sends the challenge for the next session while connected.
!
- We’ll flip some random bytes, forcing WhatsApp to negotiate it again:
- The result for the log in of the second mobile is the same:
Black Hat Sao Paulo
NoConName 2013
36. Defeating WhatsApp’s Lack of Privacy
SENDING
MESSAGES
- The message is sent from the client. Our program detects it, and using the RC4 session key used
by WhatsApp, decrypts the message and extracts text. Once the text is clear, encrypts it with our
algorithm and key, and re-wrap it in the original format with RC4 encryption it again, not breaking
the operation of WhatsApp:
- You can see how our program has decoded the original message: Bello
!
- HMAC is deleted in the decoded message and we calculate it again before sending. Finally, the
message will leave our mobile phone. We can see that the new message is different from the
original because is has a layer encryption implemented by us:
HMAC
Black Hat Sao Paulo
NoConName 2013
37. Defeating WhatsApp’s Lack of Privacy
RECEIVING
MESSAGES
- In the screenshot you can see how we received an normal WhatsApp message, but it’s really
special. When we use the RC4 key to decrypt the text inside, we find is completely unreadable.
- Using the same private key and algorithm, our program will decrypt the message text and
reassemble the original text, so WhatsApp will be able to process it.
!
!
- The final message can be read as usually by the user, and it’s the same as the first one:
Black Hat Sao Paulo
NoConName 2013
41. Defeating WhatsApp’s Lack of Privacy
HIDING
OUR
MESSAGES
- The above method allows us to encrypt our messages,
so other attackers capable of intercepting our traffic will
not be able to get the contents of messages.
!
- But, ¿ what if we want the traffic to directly bypass
the WhatsApp's server ?
EXTERNAL XMPP SERVER
Black Hat Sao Paulo
NoConName 2013
42. Defeating WhatsApp’s Lack of Privacy
USING
AN
EXTERNAL
XMPP
SERVER
- We analyze the outgoing message and decrypt it using the RC4 key.
!
- Then, we extract the original text and send it to our external XMPP server:
<destination number>¿<message_id>¿<original text>
- The program will replace every character in the original text with our wildcard character, so the
original message will never pass through WhatsApp's servers (this step is necessary or destination
will reject our messages)
!
- Recipient receives our message full of wildcard characters, querys our XMPP server and
replaces the wildcard characters with the original text.
Black Hat Sao Paulo
NoConName 2013