date 2016-05-11
The attacker first tries to duplicate the mobile phone number of the first victim, probably by social engineering their phone company. This part may look difficult to do, but it is not hard if you realize you do not need to target anyone special - everyone uses WhatsApp, so any number gives a high probability of success.
After getting the first victim's number, the attacker installs WhatsApp, which gladly verifies the user via SMS - WA has no login, no password, so anyone receiving the SMS can impersonate anyone else.
As WhatsApp does not send any alert of key change by default, the attacker is free to impersonate the person - in this case, he simply asks for some borrowed money to be transferred to a bank account, which will be paid back soon. The recipient has no reason to distrust the message - it is being sent by his friend in the same chat window they always talked in, even the logs are there. There is no message to warn about the potential issue, by design!
This is no hypothesis - this has actually been happening for some time now.[1] This design feature surely has some loyal users.
[1] http://www.correiobraziliense.com.br/app/noticia/cidades/201...
People love to blame WhatsApp, but what can anyone realistically do?
"Wow, he is asking me in excess of USD500 just after WhatsApp warned me his cell phone has changed. Weird".
The simple alert shown in moxie's own blog post [1], perhaps less cryptically written, would probably do the job.
Heck, if this had happened between me and my girlfriend last week, I would most probably have fallen for it, as I did not know this was disabled in WhatsApp. Now, at least, I have turned the notification on.
[1] https://whispersystems.org/blog/images/whatsapp-keychange.pn...
At least that way, everyone will become aware at least once and make their choice.
That sounds like a fatal flaw. Could not any GNU Radio user dump these by the thousands?
You'll need to be next to the actual phone number user when you request, and the victim will receive the SMS. Also, the victim would be shut out of WhatsApp (it allows only one client to be active), which would probably trigger some reaction.
Sounds like a nice hack, nevertheless.
WhatsApp backdoor allows snooping on encrypted messages, https://news.ycombinator.com/item?id=13389935
There is no WhatsApp 'backdoor', https://news.ycombinator.com/item?id=13394900
> [WhatsApp's representative is] technically correct. This is not a backdoor. This really isn't even a flaw. It's a design decision that put usability ahead of security in this particular instance.
> How serious this is depends on your threat model. If you are worried about the US government -- or any other government that can pressure Facebook -- snooping on your messages, then this is a small vulnerability. If not, then it's nothing to worry about.
This security application is not secure but it is usable.
Either your security will or won't be compromised by a given threat model. This is binary, but there's lots of different threat models one could have.
e.g. If you care about the Russian government impersonating you, it's a different threat model than if you care about the US government reading your communication, which is a different threat model than if you care about a private actor encrypting all your data and holding it ransom.
This is then complicated by the fact that we can't see into the future (sufficiently complicated code is likely to have bugs, we need to predict if those bugs will be exploited before they are fixed; large government attackers may or may not know about math that the public crypto community doesn't; which governments will successfully compel a third party to do various things or reveal various secrets &c.) so each binary value for the security becomes probabilistic.
"He (Moxie) said: “The choice to make these notifications ‘blocking’ would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn’t, effectively telling the server who it could man-in-the-middle transparently and who it couldn’t; something that WhatsApp considered very carefully.”
This claim is false. Those “blocking” clients could instead retransmit a message of the same length that just contains garbage and this message would just not be displayed by the receiver’s phone. Encryption guarantees the garbage or real messages are indistinguishable in the encrypted form. Hence, this technique would make identifying users with the additional security enabled on a large scale impossible."
This was raised in the previous WhatsApp vuln thread but as far as I'm aware, Moxie is yet to address this criticism. Would be good to get a response on this.
[1] https://www.theguardian.com/technology/2017/jan/16/whatsapp-...
Presumably any message which would be detectable enough as garbage to not be displayed on the reader's phone could be treated as them having this feature enabled, allowing the information-leak Moxie mentioned.
(To be clear, I do think there's an argument to be had over which of these leaks is worse. I just don't think this suggested approach actually addresses Moxie's concern.)
Given that WhatsApp brokers the initial key exchange, lawful interdiction can take place at WhatsApp under subpoena. What we hope is the case is that WhatsApp would fight these orders in court, claiming that the keys are merely forwarded and aren't stored by design. But if they fought and lost, then presumably they'd comply with the orders and the provision not to reveal the order. Do we really think that WhatsApp and/or Facebook have the conviction of Ladar Levison?
It would seem that all new accounts created at WhatsApp after that theoretical warrant is executed are at risk.
It's not like SSH in which separate and discrete components generate the keypair and verify fingerprint on connection.
I also don't see the difference between this and SSH. If your SSH server or client is backdoored/compromised, you have no control over what happens with your plaintext, no matter what the fingerprint verification tells you. The only difference is that one is open source, so the likelihood that a backdoor is detected is probably higher, though I don't think this means a) there is no backdoor and b) a backdoor in a closed-source app cannot be detected.
1) Police arrest a drug dealer, who manages to turn his phone off by smashing it on the floor so that the battery pops out, which in the same step also locks the data against readout if the device is using FDE
2) Cops now take the SIM card, compel the provider to provide the PUK to unlock the SIM card and insert it into their own smartphone
3) Cops activate WhatsApp and now can read any messages sent after the arrest, thus discovering potential clients. They can also impersonate the drug dealer and arrange sting operations.
There's really no way to avoid out-of-band key verification in end-to-end encrypted messaging unless you fully trust the service. Other than that, the best you can hope for is after-the-fact detection of MitM attacks through something like Key Transparency, but that still requires that someone's actively looking for that.
... and that notification would be shown after that potential client's WhatsApp client had re-encrypted the undelivered messages and re-sent them.
I don't see how WhatsApp would be vulnerable in this scenario assuming they change this behaviour, but OP claims there's still a big gaping hole.
But only for messages sent by the sender AFTER the key-change notification. Those still in the send queue get re-encrypted with the new key of the cop phone and then resent without confirmation, and this is the attack window and the bug!
Oh, and most people don't enable the key-change notification anyway so they won't even know that their dealer got arrested.
1) WhatsApp makes user X appear offline
2) User Y sends user X a message
3) WhatsApp sends user Y an indication that user X's key has changed, along with the public key for which they have the corresponding private key
With these steps, user Y's message will be resent with the new key that WhatsApp knows, and so they can read the message. There is a configuration setting that will display a notification that the key changed, but no way to prevent an undelivered message from automatically being resent with the new key.
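The three-step resend behaviour described in this comment, and the "same-length garbage" counter-proposal quoted from the Guardian piece earlier in the thread, can both be modelled as a client-side policy decision. The following Python is an added illustration written for this page, not WhatsApp's or Signal's code: the cipher is a constructed SHA-256 counter-mode toy that stands in for the real session, and the client, envelope and policy names are assumptions. What it shows is that with `auto_resend` the holder of the swapped key reads the queued message whether or not the user enabled the key-change alert, that `hold` closes that window at the cost of sending nothing (observable to the server), and that `hold_with_decoy` emits an envelope of identical length so the server's view is the same as a real resend while the receiver silently drops it.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

MSG = b"meet at the usual place"  # constructed sample message queued while X looks offline
REAL, DECOY = b"\x01", b"\x00"    # one-byte frame tag, visible only after decryption


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). Constructed for this example only."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, frame: bytes) -> tuple:
    nonce = secrets.token_bytes(12)
    return nonce, bytes(a ^ b for a, b in zip(frame, keystream(key, nonce, len(frame))))


def open_frame(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


def key_id(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()[:8]


@dataclass
class Envelope:
    peer: str
    key_id: str
    nonce: bytes
    ciphertext: bytes


@dataclass
class Client:
    name: str
    notify_on_key_change: bool
    policy: str  # "auto_resend" | "hold" | "hold_with_decoy"  (assumed policy names)
    session_keys: dict = field(default_factory=dict)
    undelivered: list = field(default_factory=list)  # (peer, text) not yet acknowledged
    held: list = field(default_factory=list)         # waiting for explicit user confirmation
    alerts: list = field(default_factory=list)
    wire: list = field(default_factory=list)         # every envelope handed to the server

    def _emit(self, peer: str, frame: bytes) -> Envelope:
        key = self.session_keys[peer]
        nonce, ct = seal(key, frame)
        env = Envelope(peer, key_id(key), nonce, ct)
        self.wire.append(env)
        return env

    def send(self, peer: str, text: bytes, peer_online: bool) -> Envelope:
        env = self._emit(peer, REAL + text)
        if not peer_online:          # step 2: X appears offline, so the message stays queued
            self.undelivered.append((peer, text))
        return env

    def on_key_change(self, peer: str, new_key: bytes) -> list:
        """Step 3: the server announces a new key for `peer`; return whatever is (re)sent."""
        if self.notify_on_key_change:
            self.alerts.append(f"{peer}: {key_id(self.session_keys[peer])} -> {key_id(new_key)}")
        self.session_keys[peer] = new_key
        pending = [m for p, m in self.undelivered if p == peer]
        self.undelivered = [(p, m) for p, m in self.undelivered if p != peer]
        if self.policy == "auto_resend":   # the behaviour the comment describes
            return [self.send(peer, m, peer_online=True) for m in pending]
        self.held.extend(pending)          # hardened: nothing goes out under an unverified key
        if self.policy == "hold_with_decoy":
            # Same ciphertext length as a real resend, so the server cannot tell who holds.
            return [self._emit(peer, DECOY + secrets.token_bytes(len(m))) for m in pending]
        return []


def receiver_view(key: bytes, env: Envelope):
    """What the holder of `key` learns from an envelope; decoys are dropped silently."""
    frame = open_frame(key, env.nonce, env.ciphertext)
    return frame[1:] if frame[:1] == REAL else None


def simulate(notify: bool, policy: str) -> dict:
    original_key = secrets.token_bytes(32)  # session Y had pinned for X (constructed)
    swapped_key = secrets.token_bytes(32)   # key whose private half the server/attacker holds
    y = Client("Y", notify, policy)
    y.session_keys["X"] = original_key
    y.send("X", MSG, peer_online=False)                 # step 1-2
    resent = y.on_key_change("X", swapped_key)          # step 3
    learned = [receiver_view(swapped_key, e) for e in resent]
    return {
        "alerted": bool(y.alerts),
        "plaintext_exposed": MSG in learned,
        "held_for_confirmation": len(y.held),
        "bytes_on_wire_after_change": [len(e.ciphertext) for e in resent],
    }


if __name__ == "__main__":
    for notify in (False, True):
        for policy in ("auto_resend", "hold", "hold_with_decoy"):
            print(notify, policy, simulate(notify, policy))
```

The alert flag never changes the `plaintext_exposed` result under `auto_resend`, which is the comment's point: the notification is after the fact. Only the policy on the undelivered queue decides whether the swapped key sees the message, and the decoy variant shows that holding need not change what the server observes on the wire.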