WhatsApp: The Bad Guys’ Secret Weapon

July 19th, 2017 by Vladimir Katalov
Category: «Clouds», «General», «Security», «Software»

WhatsApp is one of the most secure messengers with full end-to-end encryption. Messages exchanged between WhatsApp users use an encrypted point-to-point communication protocol, rendering man-in-the-middle attacks useless. WhatsApp communications are never stored or backed up on WhatsApp servers. All this makes government snooping on WhatsApp users increasingly difficult.

WhatsApp has more than a billion users. WhatsApp makes use of the Open Whisper Signal communication protocol to secure communications with end-to-end encryption. WhatsApp users rely on that security to freely exchange messages, discuss sensitive things and, with limited success, avoid religious and political oppression in certain countries. Today, some governments attempt to criminalize WhatsApp protection measures, ban end-to-end encryption and do everything in their power to undermine trust in secure communication tools. What this is all about, and how to find the right balance between public safety and security, is the topic of this article.

WhatsApp: The Bad Guy’s Messenger of Choice

WhatsApp is extremely popular, easily being the number one instant messenger in the Western hemisphere. This, combined with its end-to-end encryption, makes WhatsApp a popular tool among criminals. Terrorists, scammers, extortionists and child molesters don’t hesitate to use WhatsApp to lure their victims and to plan and coordinate illegal activities.

London, UK: Westminster Bridge attacker Khalid Masood allegedly sent a WhatsApp message that cannot be accessed by the police because it was encrypted. “We need to make sure that organizations like WhatsApp — and there are plenty of others like that — don’t provide a secret place for terrorists to communicate with each other,” said British Home Secretary Amber Rudd, trying to urge WhatsApp to provide a backdoor for British intelligence and law enforcement.

The Australian government plans to ban end-to-end encryption, going as far as to claim the laws of mathematics no longer apply in Australia. “The only law that applies in Australia is the law of Australia”, says Australian Prime Minister Malcolm Turnbull in a move to demand backdoor access to the encrypted communications of WhatsApp (and other messaging services).

The UAE already blocks WhatsApp voice and video calls as part of its policy on VoIP calls, along with Azerbaijan, Belize, China, Iran, Kuwait, Morocco, Oman, Pakistan, Paraguay, and Saudi Arabia. Do these countries have a higher crime rate or a higher threat of terrorism, or do they block WhatsApp for political reasons?

One thing governments need to clearly understand: WhatsApp is not a weapon of mass destruction. It’s just a reasonably convenient, reasonably secure tool that, for one reason or another, gained a large user base and became extremely popular with consumers. It’s not even a social network; it’s just a point-to-point messaging app with good protection against eavesdropping.

If a government bans encryption in ‘big’ messengers, it will have to ban a range of open-source projects that are well beyond its reach and its jurisdiction. The bad guys will simply move to a different platform, of which there is no lack. It’s the regular Joe and Jane who will be left without protection.

WhatsApp Encryption Controversy

UK’s Prime Minister Theresa May blames the Internet in general and WhatsApp in particular for recent terror attacks in London, calling for banning what “provides a safe space for terrorists”. What could that be? The Internet and WhatsApp. Why? Because it’s beyond the reach of law enforcement authorities.

The UK and Australia call for banning encryption and forcing manufacturers to include obligatory backdoors in their security systems, arguing that the laws of mathematics don’t apply down under. At the same time, the EU proposes quite different legislation, banning encryption backdoors and making end-to-end security mandatory across most of Europe. Meanwhile, Austria proposes a law making it legal for the cops to intercept encrypted messages, while Germany passes a law making it legal for the police to hack suspects’ devices.

If all those contradictory laws are passed, manufacturers will have a difficult choice to make. They’ll have to either provide backdoors and break EU laws; provide no backdoors and break British and Australian laws; fork their products into regional branches (and do something about Brits who want to chat with people in continental Europe, and vice versa); or just cease to exist.

USA, Germany Can Hack into WhatsApp Users’ Phones

Not every government, it seems, is ready to spy on its citizens. Take the USA, for example. Intelligence agencies always wanted access to encrypted communications, which is technically not easy (and sometimes completely impossible). As a result, the CIA has developed an exploit that targets individual devices (presumably, Android smartphones). Using this exploit, experts can compromise the endpoint devices sending or receiving those messages. By taking control of an end-user device, the expert can control and access everything on the smartphone, naturally including messages sent and received. This is not about defeating encryption; this is about intruding into the user’s physical device.

The thing is, the CIA exploit is all about getting malware onto phones. It’s not about breaking, exploiting or compromising WhatsApp’s encrypted Signal communication protocol. Following a similar path, German police could be legally allowed to hack suspects’ smartphones. The new legislation would enable German police to hack into encrypted messengers like WhatsApp using state-managed malware. The malware would intercept WhatsApp messages prior to encryption.

Technical Feasibility of WhatsApp-Spying Malware

Is the use of malware by law enforcement feasible? For some devices, absolutely, this could be technically possible. However, speaking of iOS devices and iPhones in particular, installing malware onto any such device could be troublesome from the technical standpoint. Even if installed, malware running on an iPhone would have very limited access to the device user’s activities.

We at ElcomSoft don’t believe in malware for the purpose of WhatsApp extraction. We don’t believe in hacking the Signal protocol either. And most definitely we don’t believe in network-level blocking of WhatsApp or any other secure messenger.

On the other hand, we fully support the effort law enforcement puts into investigating crime. We have tools for breaking encryption for a lot of different formats. We have a tool for breaking into WhatsApp as well. Did we say iPhones are secure, and WhatsApp even more so? Something new is coming from ElcomSoft to extract and decrypt iPhone users’ WhatsApp communications. It’s just around the corner. Stay tuned.

Even More Controversy

It is of course completely impossible to cover the entire issue of point-to-point encryption in a single article, even for one particular tool, and even if we were only talking about a single country. Various existing and proposed pieces of legislation make it even more difficult. We collected a handful of links to resources covering the WhatsApp controversy. Enjoy your reading!