viernes, 8 de noviembre de 2013

Presenting "Defeating WhatsApp's Lack of Privacy" at BlackHat Sao Paulo


Follow @segofensiva to stay updated }:)

WhatsApp is a cross-platform (available for iPhone, Android, Blackberry, Nokia and Windows Phone, but no official desktop clients) instant messaging subscription service for smartphones, that let users send messages and multimedia files to each other. 

WhatsApp might not be as widely known as Twitter, but it is definitely just as popular in terms of users. The company announced that it has passed 350 million active monthly users (up 50 million from August). It’s interesting to compare that stat to Twitter, which has 230 million active monthly users, and to Instagram, which has 150 million on its platform.

According to the company, its users sent over 10 billion messages and received 20 billion messages per day during last August (counted separately because same messages are sent to multiple recipients). Just how much is 10 billion messages? That is 416,666,670 messages an hour, 6,944,440 messages a minute, and 115,704 messages a second... WhatsApp has done to SMS on mobile phones what Skype did to international calling on landlines!


THE RESEARCH

With the PRISM scandal, we began to question whether Microsoft, Google, Apple and Facebook were the only companies working with governments to spy on the behavior of its citizens. Could WhatsApp be one of these companies? Does WhatsApp store its user conversations? News of the threat by Saudi Arabia to declare applications illegal if the server was not established in that country (http://www.reuters.com/article/2013/06/16/us-saudi-internet-idUSBRE95F04R20130616) did not make us feel calm. These sort of things make us think that users are defenseless and no current measures to ensure the privacy of content shared on these platforms exists.

WhatsApp has been plagued by numerous issues in their security. Until August 2012, messages were sent in unencrypted plain-text format, making the system vulnerable to session hijacking and packet analysis. As of August 15, 2012, the WhatsApp support staff claim messages are encrypted in the latest version of the WhatsApp software, but without specifying the implemented cryptographic method, so we decided to start the research on this application.

The client authentication uses a custom SASL mechanism, called WAUTH-1. The client has to generate a key using PBKDF2 (16 iterations) with his password, challenge data received from the login session as salt and SHA1 as hash function. The resulting SessionKey can be quite long, however we require only the first 20 bytes for the key for RC4 (an stream cipher), which is used to encrypt and MAC. The problem is WhatsApp uses same encryption key in both directions, so an attacker could recover the original plaintext.

Because of this, if two messages are encrypted with the same key and an attacker can intercept them, like on an open wireless network, he can analyze them to cancel out the key and eventually recover the original plaintext information.

Game over for our privacy...



THE EXPERIMENT

The main objective of the research was to add a new layer of security and privacy to ensure that in the exchange of messages between members of a conversation both the integrity and confidentiality could not be affected by an external attacker. 

We defined different layers inside a new hierarchy of security:
    - The first layer of security involves adding secure encryption to the client. If an attacker intercepts the messages, or any governments try to intercept our messages at WhatsApp's server , they won't find any legible information. Only recipients that know the password and algorithm chosen will be able to decrypt the original message.
    - In the second layer, we give a certain level of anonymity to the conversation by using fake/anonymous accounts and intermediate communication nodes. We ensure that there is no direct communication between the mobile phone and the server.
    - Finally, a third layer would be set to modify the inner workings of the application, routing all traffic and conversation messages to our own server (XMPP) to ensure the privacy of communication and only using the original WhatsApp's servers to send fake and no-sense data. 



THE MAIN GOAL

We wanted to protect all of our rights and liberties so we developed this technique to be used in a manner completely transparent for the users and completely customizable. The main impact on society is providing a way to prevent prying eyes of governments and private corporations from analyzing our data and exchange of information for their own benefit.


It can be adapted to add new layers of security/privacy to Instant Messaging systems widely used on mobile devices. The process will involve anonymizing and encrypting the data (text, pictures, videos, etc.) exchanged between users so that when they reach application's servers they won't be in "plain text" and will only be legible for the people inside the conversation.