How Not to Design an Instant Messenger

One of the most popular IM services for smartphone users appears to be about as secure as a wooden barrel in a vat of termites.

See also: further reasons to take responsibility for your security, understand things instead of trusting them, and donate your smartphone to Will It Blend?.

Basically, they encrypted nothing until recently — when their super-seekret proprietary crypto scheme was broken within a month of release — and used device IMEIs or MACs as passwords while making use of device phone numbers as usernames.

(Good riddance — they uploaded every phone number from user address books to their servers, creating a Database of Ruin(tm) of every person their users knew)

Idea: if you live near their offices, grab a friend and stage a cross-stall conversation in a restroom their higher-ups frequent.

Also, more details on the Android remote-wipe flaw:
http://nakedsecurity.sophos.com/2012/09/26/are-android-phones-facing-a-remote-wipe-hacking-pandemic/

http://fileperms.org/whatsapp-is-broken-really-broken/

“Until August 2012, messages sent through the WhatsApp service were not encrypted in any way, everything was sent in plaintext. […]
The company claims that the latest version of the software will encrypt messages […] Update: their encryption is broken. […]

The authentication is a security nightmare. On Android, the password is a md5 hash of the reversed IMEI number[…]

On iOS devices the password is generated from the devices WLAN MAC address[…]

The username is the users mobile phone number – an attacker would probably already know the number.[…]

The IMEI can be obtained if you have physical access to the phone or if you control an app installed on the users device. The WLAN MAC address can be found using a network sniffer. Congratulations, you can now take over a users WhatsApp account¹. But how? Well, some people have done a excellent job reverse engineering the WhatsApp protocol. There is a working PHP class available that contains everything needed to build your own WhatsApp client: https://github.com/venomous0x/WhatsAPI […]

When WhatsApp starts it will send all numbers from your phones address book to the WhatsApp servers and check which numbers are registered with WhatsApp.[…]

Conclusion

Do not use WhatsApp. Really, don‘t.”

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: