

WhatsApp is using your IMEI number as password - dutchbrit
http://samgranger.com/whatsapp-is-using-imei-numbers-as-passwords/

======
deltaqueue
An "Ask HN" that's somewhat related:

Is Facebook doing something similar on Android? I have left an application
update pending for weeks because Facebook requires access to _Phone Calls_ ,
which allows the application to "determine the phone number and serial number
of this phone, whether a call is active, the number that call is connected to
and the like."

This does not sit well with me.

~~~
galadriel
I also don't allow any app requiring those details (unless they are needed,
obviously, like VoIP), but I think what most companies want is the unique
serial number, so they can keep track of how many unique devices are used by
them. But since Android does not give permissions at a more granular level, I
simply don't install any such app, or don't upgrade one which asks for it.

As for Facebook, I am using Tinfoil for Facebook app (It is a website wrapper,
essentially). It was faster than whatever app Facebook managed to write.

~~~
antrix
> Tinfoil for Facebook

And Tinfoil is better integrated with the Android system than the official
Facebook app. Click a Facebook link in an app or browser - you'll get Tinfoil
as an option to view the link but not the official app.

~~~
eyevariety
What a brilliant name! We need a tinfoil chrome extension.

------
Xuzz
There is no public API on the iPhone to access the IMEI, so at least it is
pretty conclusively not using that there.

~~~
objclxt
Good post - although for posterity retrieving a phone number doesn't work as
described in all cases. Calling `getLine1Number()` on a GSM phone will return
the MSISDN, _but_ not all carriers store the MSISDN on the SIM (for security
reasons), so it will in some cases return null. This is a somewhat moot point,
because there are other ways to find mobile numbers!

As you point out, this is almost certainly an Android specific implementation,
because there's no way to get either the MSISDN or the IMEI through iOS using
the public API (if it was to transpire that WhatsApp were using private calls
to obtain them then that would be another story entirely).

~~~
francuzz
The MSISDN file on the SIM card (EFmsisdn) is optional and has default access
rights allowing you to modify it with just a PIN (CHV1) code (see 3GPP TS
51.011). Therefore, information stored in this file is not very reliable,
since everyone knowing the PIN code of the card can change its content. I do
not think it has anything to do with security reasons...

I do not see anything wrong with using the IMEI as a seed for password
generation; the problem is that this number should be encrypted using a proper
encryption method and not just transformed using the MD5 hash function.

------
eclipxe
Small nitpick - MD5 is not technically "encryption"

From the article: " likely to be an inverse of your phones IMEI number with an
MD5 encryption thrown on top"

MD5 is a digest...not encryption

~~~
mparlane
He fixed it.

------
program
This is well-known. I'm curious to know how they get the IMEI on iOS, because
there isn't a public API, only an undocumented method in
CoreTelephony.framework. Using a private method is one of the easiest ways to
be banned from the App Store. BTW, on January 13, 2012, WhatsApp was pulled
from the iOS App Store for 4 days. I think they were pardoned by Apple because
of the popularity of the application.

------
typpo
Deleted post from Google cache:
[http://webcache.googleusercontent.com/search?q=cache:samgran...](http://webcache.googleusercontent.com/search?q=cache:samgranger.com/whatsapp-is-using-imei-numbers-as-passwords/)

------
dskang
From your post, it seems like you didn't contact WhatsApp before publishing
this post. What was your reasoning for going public with this vulnerability
before at least trying to contact them and giving them a chance to resolve the
issue?

~~~
LaGrange
This is a well-known design decision on their side. This is not as much a
discovery as bringing it up.

~~~
ariannahsimpson
Is there a particular reason (that you're aware of) for this decision? I'm
certainly no expert on the matter, but it seems risky to store everything like
that, especially unsalted. LinkedIn, anyone?

~~~
LaGrange
The problem isn't storing -- remember that we don't know how they store it, we
only know how the password is generated. IMEI is intended to be unique and
private -- e.g. knowing your IMEI might be enough to report the phone as
stolen. If someone knows your IMEI they most likely have enough control over
the phone to either completely spoof it or put malicious software on it. This
makes it a reasonable tradeoff against implementing "proper" passwords, with
their own ton of problems.

~~~
zurn
> IMEI is intended to be unique and private

It's intended to be unique but not secret and not hard to guess. It's a bit
like your SSN or a computer's MAC address.

> If someone knows your IMEI they most likely have enough control over the
> phone to either completely spoof it or put malicious software on it

Err, no? Your phone can be asked to broadcast it via radio, your phone's
previous owner / sales clerk knows it, your wife/gf knows it, etc. Now
it's trivial for any of those to gain access to your WhatsApp without any
active and sophisticated attack requiring physical access.

Sure, with sufficient effort it might be possible for someone sniffing radio
or having at some point handled your phone to subvert it in other ways, but
this is zero effort.

------
shmerl
Can anyone explain in general what the point of WhatsApp is, which isn't
compatible with anything except itself, vs. a normative XMPP/Jingle client
through which one can communicate with any user from federated XMPP servers? I
have a hard time understanding why new closed (walled garden) IM networks appear
in this day and age.

~~~
marquis
It's quite popular in countries where buying SMS credits is not always an
affordable cost, but public wifi is everywhere. Basic Android phones are fairly
popular and inexpensive, given that they double as a web browser and
communication device for many.

~~~
shmerl
That's understandable, but my question was about creating WhatsApp vs. making a
regular conformant XMPP/Jingle client, which also simply works through TCP and
UDP. The latter gives free choice of what XMPP server to use and allows
communicating with users of other federated servers. WhatsApp allows
communicating only with WhatsApp, if I understand correctly.

~~~
njs12345
I would imagine this is a plus for them, sadly. It's probably easier to
extract revenue from a walled garden than an equally user-friendly XMPP
client.

------
mobweb
_If you installed WhatsApp on an Android device for example, your password is
likely to be an inverse of your phones IMEI number with an MD5 encryption
thrown on top of it (without salt)._

How does OP know this? Was there a leak of "passwords" or did he find this
through trial & error?

_Edit: Just found out that's what it says even on the Wikipedia entry about
WhatsApp[1]._

[1]: <http://en.wikipedia.org/wiki/WhatsApp>

~~~
rjzzleep
It's called reverse engineering, though. It's much easier to reverse iOS
code than that weirdass dex format, IMHO.

~~~
gipsies
You can convert .dex files back to .class files, and then use a java
decompiler. Not all functions will be properly decompiled but overall it's
still quite good. Knowing this, reversing Android apps is actually a lot
easier.

------
elliottcarlson
While it may not be the case in this scenario (since Sam says in a response on
here that he sent them a message a few days ago), everyone should always be
responsible in how they disclose flaws or discoveries in software:

<http://en.wikipedia.org/wiki/Responsible_disclosure>

~~~
kefs
> _So just as giving a vendor no time to fix a vulnerability is irresponsible,
> so is it even more irresponsible to give that vendor a blank rain check._

[http://kevtownsend.wordpress.com/2012/09/01/java-vulnerabili...](http://kevtownsend.wordpress.com/2012/09/01/java-vulnerability-and-irresponsible-disclosure/)

------
anonuser302
No offense, but what is the big deal about this... This seems to be extremely
low risk, if you can even call it a risk, and hardly a vulnerability...

Every method on your website to “exploit” this is retrieving the IMEI number
through alternative ways, which would mean the phone would be compromised
anyway... If someone can compromise the phone, who cares about this?

Maybe WhatsApp can be accessed more easily, but isn't that moot if you already
have phone access? If you have phone access already, why would an attacker care
about WhatsApp?

WhatsApp is not necessarily insecure based on this... You are giving WhatsApp
bad publicity for no reason.

I don't even think it's a design flaw that they used that as the password,
because if someone has phone access and/or access to their number already,
then they are probably screwed anyway.

Please correct me if I'm missing the actual vuln here...

~~~
zurn
Your IMEI isn't secret: not random/hard to guess, and not private. It's like a
MAC address. Except you can't change it.

~~~
anonuser302
This still seems minor. If someone is able to get the number, doesn't that
spell larger issues than WhatsApp? I get the point being made and I understand
the potential issue, but I don't see how it's a major security problem with
WhatsApp, as I figure things are probably compromised anyway if the user is
able to get the IMEI to begin with.

~~~
zurn
> If someone is able to get the number doesn't that spell larger issues than
> whatsapp?

No, since it's not a secret. Why would outing your IMEI spell large issues?

~~~
anonuser302
Even if you have the user's phone number and IMEI number, one would assume you
already have access to other info then anyway, so who cares about WhatsApp? Can
you eavesdrop on WhatsApp sessions from another phone using this info?

------
thebigpicture
Asking users to participate in "two-factor authentication" seems like a great
way to match people's personal information to particular devices.

So maybe we have a double-edged sword here. If you want to be able to
authenticate you have to give some company the ability to track you and
monitor all your activity (which they will try to "monetize"). It sounds sort
of tinfoil hat but this is what we are facing.

The reason: We insist on using the web and other "client-server" approaches
for almost everything we do using the internet, instead of considering end-to-
end, peer-to-peer approaches. Things are so insecure when everything goes
(mostly) unencrypted over the open web via middlemen (Facebook servers, Gmail
servers, etc.) that we need to try things like "two-factor authentication".

------
CrazyRobot
This actually seems to me like a perfect solution (from WhatsApp's side). This
way, as long as the user has the same phone number, he/she doesn't have to
remember any credentials, which is probably the main reason (or one of the top
3) for people using WhatsApp in the first place.

And as for the "security problem", if someone has access to your phone they
can just maliciously use the app itself. I'm not saying that this should just
be ignored, but in this specific case the author had probably created the
bigger part of the security threat by publishing the article.

~~~
aw3c2
An unsalted(!) md5(!) is never a perfect solution unless your goal is
insecurity. The idea of using the IMEI as a unique device-dependent string for
hash generation is good, but you must make it impossible for anyone to find out
how the hash is created or it is a glaring security hole (as demonstrated).

Many many apps have permissions to read the IMEI. Just as many have access to
the internet. Add whatever permission is needed to find out the device's phone
number and you have all you need.

~~~
CrazyRobot
I'm assuming that they (WhatsApp) were trying to make the experience as close
as possible to SMS without help from the carriers, so by using the phone
number (which they verify, by the way) and the phone itself as the credentials
-- only one of which most people replace, and that's mostly once every 2-3
years -- is a great idea for getting users to their platform with a minimal
security tradeoff, hence in my opinion a perfect solution.

And again, if an app had fooled a user for permissions to get their phone
number, they could probably just ask for permissions to send and receive SMSs
-- which is what some _banks_ (at least here, in Israel) use to verify online
accounts.
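The credential scheme argued over in this subthread (and in francuzz's comment above), as an added example that is not WhatsApp's code nor anyone's in the thread: the MD5-of-reversed-IMEI derivation the post describes, a Luhn check showing that an IMEI's check digit is public structure rather than secret, and a random per-install secret as the device-bound alternative. `SAMPLE_IMEI`, `SAMPLE_NUMBER` and the in-memory `DeviceEnrollment` store are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not a real handset or subscriber.
SAMPLE_IMEI = "490154203237518"
SAMPLE_NUMBER = "+10000000000"


def luhn_valid(imei: str) -> bool:
    """An IMEI's last digit is a Luhn checksum over the first 14, so the
    number has public structure and no hidden entropy to speak of."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def weak_password(imei: str) -> str:
    """The derivation the post describes: MD5 of the reversed IMEI, no salt.
    Anything that can read the IMEI (any app with the phone-state permission,
    the retail box, *#06#) can recompute it, so it is not a secret at all."""
    return hashlib.md5(imei[::-1].encode()).hexdigest()


class DeviceEnrollment:
    """Device-bound alternative: a random per-install secret generated on the
    phone at registration, never derived from IMEI, MSISDN or anything else
    observable. The server keeps only a hash of it (simulated in memory here)."""

    def __init__(self) -> None:
        self._records = {}  # phone number -> sha256(secret), server side

    def enroll(self, phone_number: str) -> str:
        secret = secrets.token_hex(32)  # 256 bits; stays in app-private storage
        self._records[phone_number] = hashlib.sha256(secret.encode()).hexdigest()
        return secret

    def verify(self, phone_number: str, presented: str) -> bool:
        expected = self._records.get(phone_number)
        if expected is None:
            return False
        got = hashlib.sha256(presented.encode()).hexdigest()
        return hmac.compare_digest(expected, got)  # constant-time compare
```

Knowing the IMEI reproduces `weak_password` exactly, but gives no advantage against `DeviceEnrollment`, whose secret exists only on the enrolled phone and as a hash on the server.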

------
thepumpkin1979
Unofficial WhatsApp API for PHP and Python:
<https://github.com/venomous0x/WhatsAPI>

------
hubail
A reference to <https://github.com/venomous0x/WhatsAPI/> wouldn't hurt you,
author.

------
st3fan
The scarier part of this is that WhatsApp probably has a database with
phone number/IMEI pairs on their servers.

The fact that their API uses the IMEI is not great but relatively low risk.

Wait until their servers get hacked and that list of how-many-million pairs of
phone/imei numbers gets released.

Setups like this are time bombs.

------
robk
Though the post is deleted now I suppose this is true. I have a dual-mode
GSM/CDMA phone and WhatsApp fails when it switches between modes. The app
stays the same so it's clearly polling the ESN (CDMA side) and IMEI (GSM side)
to validate. When I switch between active sides of the device, WhatsApp
consistently requires a re-validation.

------
stephengillie
Nothing Found Sorry, the post you are looking for is not available. Maybe you
want to perform a search?

~~~
dutchbrit
Fixed, sorry!!

------
eamodio
WhatsApp for iPhone uses an MD5 hash of the MAC address taken twice. For details
look at <http://www.ezioamodio.it/?p=29>

------
jtokoph
Does the deleted post mean that it contained false info?

~~~
dutchbrit
No, I made 2 noobish mistakes.

1) I edited the default wordpress post, dated from May

2) I set the time for the future without noticing (wrong timezone!!)

------
deepGem
`mPhoneNumber = tMgr.getLine1Number();` This doesn't work. The phone number is
not stored in the device but is assigned by the operator and stored in (God
only knows what) location, at least here in India.

------
dfc
"Dial *#06# for IMEI"

Does anyone know any other neat tricks like this?

~~~
kristofferR
Sure.

On iPhones, try *3001#12345#.

On Android it often depends on the specific model you have. Here are some for
the Samsung S3:

*#06# Show IMEI number
*#0*# LCD Test Menu
*#*#4636#*#* user statistics and Phone Info
*#0011# Displays status information for the GSM
*#1234# View SW Version PDA, CSC, MODEM
*#12580*369# SW & HW Info
*#197328640# Service Mode
*#32489# (Ciphering Info)
*#232337# Bluetooth Address
*#232331# Bluetooth Test Mode
*#232338# WLAN MAC Address
*#232339# WLAN Test Mode
*#0842# Vibra Motor Test Mode
*#0782# Real Time Clock Test
*#0673# Audio Test Mode
*#0*# General Test Mode
*#2263# RF Band Selection
*#872564# USB Logging Control
*#4238378# GCF Configuration
*#0283# Audio Loopback Control
*#1575# GPS Control Menu
*#3214789650# LBS Test Mode
*#44336# Software Version Info
*#7780# Factory Reset
*2767*3855# Full Factory Reset
*#0289# Melody Test Mode
*#2663# TSP / TSK firmware update
*#03# NAND Flash S/N
*#0589# Light Sensor Test Mode
*#0588# Proximity Sensor Test
*#3282*727336*# Data Usage Status
*#7594# Remap Shutdown to End Call TSK
*#34971539# Camera Firmware
*#528# WLAN Engineering Mode
*#7412365# Camera Firmware Menu
*#07# Test History
*#3214789# GCF Mode Status
*#272886# Auto Answer Selection
*#8736364# OTA Update Menu
*#301279# HSDPA/HSUPA Control Menu
*#7353# Quick Test Menu
*2767*4387264636# Sellout SMS / PCODE view
*#7465625# View Phone Lock Status
*7465625*638*# Configure Network Lock MCC/MNC
#7465625*638*# Insert Network Lock Keycode
*#*#7780#*#* Factory data reset - clears Google account data, system and
program settings and installed programs. The system, OEM programs and My
Documents (pictures, music, videos) will not be deleted.

~~~
m_eiman
*#*#7780#*#* Factory reset

This seems a bit dangerous. Does it require any kind of password?

~~~
RKearney
I just tried it on an HTC Incredible 2 on Verizon. Nothing happened. No error
message, just back to the dialer.

EDIT: I see now it was stated these are SIII-specific. Guess that explains why
nothing happened for me.

------
rjzzleep
Skype and Viber also need your IMEI to function. The Skype example is
particularly interesting since it's complementary to the username + password
we already have.

------
jaimehrubiks
Any news about the renewed authentication system?

