Intercepting WhatsApp: Reality or a hoax?

Sazzad Ahmed

Whenever the question of intercepting WhatsApp conversations and texts comes up, some people will confidently say it is as simple as intercepting mobile phone or landline conversations. Others will say intercepting WhatsApp is no big deal, as simple a process as intercepting emails or Skype. But the billion-dollar question remains unresolved. No one can really show with evidence that WhatsApp is accessible and that stealing its contents is very easy, if not mission impossible. As all of us know, WhatsApp is a venture of Facebook, whose owners are putting hundreds of millions of dollars into regularly updating its security system.

Being nosey is part of human nature. Since the beginning of time, mankind has always managed to invent mechanisms to spy on his fellow humans and find out what is being said in conversations that have nothing to do with him. The most important channel of communication of our time also has to put up with this problem: instant messaging and its undeniable leader, WhatsApp Messenger. That’s why nobody should be surprised that now and again applications pop up out of the blue promising to provide us with the tools necessary to spy on the conversations of friends and strangers, so that we can find out what they’re talking about behind our back. Obviously, none of these apps are available on Google Play, firstly because they’re a violation of the user’s privacy, and secondly because the majority of them are a scam and don’t do anything they promise.

One of the most popular apps in this category goes by the name of WhatsApp Sniffer, the APK of which people can download, although it must be advised that it is not worth wasting time on. Like all these applications, even if it ever managed to work and allowed reading other people’s WhatsApp conversations, in 2016 and with the subsequent security updates of this messaging service it does absolutely nothing apart from taking up space on the phone or SD card.

But still, the argument over the ability and technology to intercept WhatsApp conversations and texts goes on. There is even some interesting information showing this as a “mission possible.”

In 2016, the biggest story out of Silicon Valley was Apple’s battle with the FBI over a federal order to unlock the iPhone of a mass shooter. The company’s refusal touched off a searing debate over privacy and security in the digital age. But this morning, at a small office in Mountain View, California, three guys made the scope of that enormous debate look kind of small. Mountain View is home to WhatsApp, an online messaging service, owned by tech giant Facebook, that has grown into one of the world’s most important applications. More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. This means that only Facebook itself runs a larger self-contained communications network. And today, the enigmatic founders of WhatsApp, Brian Acton and Jan Koum, together with a high-minded coder and cryptographer who goes by the pseudonym Moxie Marlinspike, revealed that the company has added end-to-end encryption to every form of communication on its service.

This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front – one that spans roughly a billion devices.

“Building secure products actually makes for a safer world, (though) many people in law enforcement may not agree with that,” says Acton, who was employee number forty-four at Internet giant Yahoo before co-founding WhatsApp in 2009 alongside Koum, one of his old Yahoo colleagues. With encryption, Acton explains, anyone can conduct business or talk to a doctor without worrying about eavesdroppers. With encryption, he says, you can even be a whistleblower—and not worry.

Acton and Koum started adding encryption to WhatsApp back in 2013 and then redoubled their efforts in 2014 after they were contacted by Marlinspike. The dreadlocked coder runs an open source software project, Open Whisper Systems, that provides encryption for messaging services. In tech security and privacy circles, Marlinspike is a well-known idealist. But the stance he has taken alongside Acton and Koum—not to mention the other WhatsApp engineers who worked on the project and the braintrust at Facebook that’s backing the effort—is hardly extreme in the context of Silicon Valley’s wider clash with governments and law enforcement over privacy. In Silicon Valley, strong encryption isn’t really up for debate. Among tech’s most powerful leaders, it’s orthodoxy. And WhatsApp is encryption’s latest champion. It sees itself as fighting the same fight as Apple and so many others.

Like so many tech startups, WhatsApp’s success seems a bit accidental. Acton and Koum originally conceived of their app as a way for people to broadcast their availability to friends, family, and colleagues: Could they talk or text at that very moment or not? But it soon morphed into a more general messaging app, a way to trade text messages via the Internet without using the SMS networks operated by cellular phone carriers like Verizon and AT&T. But the real genius of the app is that very early on, Acton and Koum targeted the international market.

In the startup’s first year, they offered the service in German, Spanish, French, and Italian, among other languages, and it rapidly took off overseas, where SMS text fees are much higher than in the US. Today, the company offers the app in more than 50 languages, and it has grown into the primary social network in so many of the world’s countries, including Brazil, India, and large parts of Europe. In many places, local wireless carriers have signed deals with WhatsApp to offer the service directly to their customers, undermining their own texting services but driving more people to use the wider Internet through their wireless networks—and thus driving more revenue.

By February of 2014, WhatsApp had reached about 450 million users, and Facebook shelled out $19 billion to acquire the startup, with its staff of only 50 people. Since then, with only a slight expansion of staff, WhatsApp has come to serve more than a billion people across the globe.

Koum and Acton share a long history in computer security. They first met at Yahoo while doing a security audit for the company. During this time, Koum was also part of a seminal security collective and think tank called w00w00 (pronounced “whoo whoo”), a tight online community that used the old IRC chat service to trade ideas related to virtually any aspect of the field. Koum grew up in the Ukraine under Soviet rule before immigrating to the US as a teenager, so he has some intimate familiarity with the challenges of maintaining privacy in the face of an intrusive government. But Koum says that the bigger force behind encrypting WhatsApp was Acton, a comparatively outgoing individual who grew up in Florida. “Brian gets a lot of credit for wanting to do it earlier,” Koum says of WhatsApp encryption.

There are plenty of companies, like Wintego Cyber Intelligence, which are believed to have the technology to intercept WhatsApp. Companies like WtfAndroid claim to have the technology to intercept WhatsApp conversations and texts. It says, “Once you are in the app, it’s quite easy to operate. But do keep in mind this app only works on devices which are using the same Wifi Network; if not, this app won’t work, as this app uses the TCPDump Programme, which reads all packets received over Wifi and then filters WhatsApp servers’ packets and shows them in an easy dramatic readable format. This app doesn’t work against Blackberry devices as it uses its own servers to communicate; for everyone else it works smoothly.”

Unless the smartphones are connected to the same WiFi, the WhatsApp interceptors available in the market won’t work at all. Unless someone is willing to spy on their own family members or colleagues using the same WiFi network, none of the WhatsApp interceptors will actually work. So, people on the same WiFi network certainly are vulnerable to interception.

The Guardian published a report claiming WhatsApp was using a backdoor to pass information on any user to law enforcement agencies. In response to the Guardian’s original exclusive, Moxie Marlinspike, a security expert and founder of Open Whisper Systems, said that the newspaper’s report about WhatsApp having a backdoor is false. He said, among other things: “The fact that WhatsApp handles key changes is not a ‘backdoor’; it is how cryptography works. Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.”

He said, “WhatsApp’s encryption uses Signal Protocol, as detailed in their technical whitepaper. In systems that deploy Signal Protocol, each client is cryptographically identified by a key pair composed of a public key and a private key. The public key is advertised publicly, through the server, while the private key remains private on the user’s device.

“This identity key pair is bound into the encrypted channel that’s established between two parties when they exchange messages, and is exposed through the “safety number” (aka “security code” in WhatsApp) that participants can check to verify the privacy of their communication.

“Most end-to-end encrypted communication systems have something that resembles this type of verification, because otherwise an attacker who compromised the server could lie about a user’s public key, and instead advertise a key which the attacker knows the corresponding private key for. This is called a “man in the middle” attack, or MITM, and is endemic to public key cryptography, not just WhatsApp.

“One fact of life in real-world cryptography is that these keys will change under normal circumstances. Every time someone gets a new device, or even just reinstalls the app, their identity key pair will change. This is something any public key cryptography system has to deal with. WhatsApp gives users the option to be notified when those changes occur.

“While it is likely that not every WhatsApp user verifies safety numbers or safety number changes, the WhatsApp clients have been carefully designed so that the WhatsApp server has no knowledge of whether users have enabled the change notifications, or whether users have verified safety numbers. WhatsApp could try to “man in the middle” a conversation, just like with any encrypted communication system, but they would risk getting caught by users who verify keys.

“Under normal circumstances, when communicating with a contact who has recently changed devices or reinstalled WhatsApp, it might be possible to send a message before the sending client discovers that the receiving client has new keys. The recipient’s device immediately responds, and asks the sender to re-encrypt the message with the recipient’s new identity key pair. The sender displays the “safety number has changed” notification, re-encrypts the message, and delivers it.

“The WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered. Once the sending client displays a “double check mark,” it can no longer be asked to re-send that message. This prevents anyone who compromises the server from being able to selectively target previously delivered messages for re-encryption.

“The fact that WhatsApp handles key changes is not a “backdoor,” it is how cryptography works. Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.

“The only question it might be reasonable to ask is whether these safety number change notifications should be “blocking” or “non-blocking.” In other words, when a contact’s key changes, should WhatsApp require the user to manually verify the new key before continuing, or should WhatsApp display an advisory notification and continue without blocking the user.

“Given the size and scope of WhatsApp’s user base, we feel that their choice to display a non-blocking notification is appropriate. It provides transparent and cryptographically guaranteed confidence in the privacy of a user’s communication, along with a simple user experience. The choice to make these notifications “blocking” would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn’t, effectively telling the server who it could MITM transparently and who it couldn’t; something that WhatsApp considered very carefully.

“Even if others disagree about the details of the UX, under no circumstances is it reasonable to call this a “backdoor,” as key changes are immediately detected by the sender and can be verified.”
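
The key-change detection and the "delivered messages are never re-encrypted" rule described in the statement above can be modeled in a short Python sketch. This is an added example, not WhatsApp or Signal code: the fingerprint routine is a simplified stand-in for the real safety-number algorithm, and the class, its method names, the round count and the keys are all constructed for illustration.

```python
import hashlib

ROUNDS = 5200  # assumption: iteration count chosen for this sketch


def fingerprint(identity_key: bytes, user_id: str) -> str:
    """30-digit fingerprint for one party: six 5-byte chunks, 5 digits each."""
    digest = identity_key + user_id.encode()
    for _ in range(ROUNDS):
        digest = hashlib.sha512(digest + identity_key).digest()
    return "".join(f"{int.from_bytes(digest[i:i + 5], 'big') % 100000:05d}"
                   for i in range(0, 30, 5))


def safety_number(key_a: bytes, id_a: str, key_b: bytes, id_b: str) -> str:
    """Sorting the halves makes both parties display the same 60 digits."""
    return "".join(sorted([fingerprint(key_a, id_a), fingerprint(key_b, id_b)]))


class SendingClient:
    """Hypothetical sender that pins contact keys and tracks delivery."""

    def __init__(self):
        self.pinned = {}        # contact -> identity public key last seen
        self.delivered = set()  # message ids showing the double check mark
        self.notices = []       # non-blocking notifications shown to the user

    def observe_key(self, contact: str, key: bytes) -> bool:
        """Pin the key the server advertises; report whether it changed."""
        changed = contact in self.pinned and self.pinned[contact] != key
        self.pinned[contact] = key
        if changed:
            self.notices.append(f"safety number with {contact} has changed")
        return changed

    def reencrypt_request(self, contact: str, msg_id: int, new_key: bytes) -> bool:
        """Honor a re-encryption request only for undelivered messages."""
        if msg_id in self.delivered:
            return False  # delivered messages are never re-sent
        self.observe_key(contact, new_key)
        return True


def demo():
    # Constructed 32-byte values standing in for identity public keys.
    alice_key, bob_key, rogue_key = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
    alice = SendingClient()
    alice.observe_key("bob", bob_key)        # first contact: key is pinned
    alice.delivered.add(1)                   # message 1 reached Bob
    old_refused = not alice.reencrypt_request("bob", 1, rogue_key)
    resent = alice.reencrypt_request("bob", 2, rogue_key)  # pending message
    seen_by_alice = safety_number(alice_key, "alice", alice.pinned["bob"], "bob")
    seen_by_bob = safety_number(bob_key, "bob", alice_key, "alice")
    return old_refused, resent, alice.notices, seen_by_alice != seen_by_bob
```

In the demo the substituted key produces a notification on the sender's side and a safety number that no longer matches the one the real contact computes, which is the mismatch two users would see when comparing codes.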

On December 4, 2017, Forbes Magazine published an article in which it discussed the possibility of intercepting WhatsApp communications. The Forbes article said, “For the general smartphone user, there was some good news from Milipol, one of the world’s biggest homeland security conferences that took place in Paris late November: WhatsApp and Signal are incredibly difficult to snoop on. Amongst the bleeding-edge surveillance vendors who spoke with Forbes, there was a consensus that the only truly effective way to get access to end-to-end encrypted messages was to install malware on targets’ smartphones. And, they added, one of the best ways to do that was to force targets to join rogue Wi-Fi hotspots before launching attacks.

“Otherwise, it’s not so easy, even for the smartest current and former spies flogging their tools at the Parc Des Expositions. Snooping on WhatsApp requires either an attack on the app itself or a hack of the mobile device, typically by exploiting vulnerabilities unknown to everyone apart from the hacker, known in the industry as zero-days. They can be costly, more than $1 million for the likes of Apple’s iPhones.

“To get around those hurdles, there are various delivery mechanisms for malware (Trojan appeared to be the more acceptable term on the Milipol show floor) to be silently installed on the device. Many are now looking to Wi-Fi as the way in: setting up interception hotspots, detecting devices of interest, forcing them to join their network and then launching attacks from there.

“Some are offering an astonishing array of features on top of the basic Wi-Fi attacks. Take Almenta, a firm based in Bulgaria, but whose operators, including CEO Ari Covitz, are Israeli. A brochure detailed one product, the WiNA-P, from which a range of attacks could be launched at a target. For instance, Almenta offered packages to deliver payloads on Android and iOS devices, promising “data extraction” for Facebook, WhatsApp, Telegram and Skype messages.

“The company also offered phishing capabilities, setting up fake landing pages to trick people into handing over their usernames and passwords for the likes of Facebook and Google. An “Account Grabber” feature appeared to determine what iCloud or Android account belonged to a target by sending them “random messages.” Almenta, which also has an office in Philadelphia, P.A., claimed it’s possible to do all this from up to 500 meters away with as many as 50 concurrent targets.

“Forbes contacted Almenta chief Ari Covitz to ask about the technology’s capabilities, but he didn’t respond. Two sources claimed Almenta’s Wi-Fi tech wasn’t its own but that of others from the Israeli surveillance scene, including WiSpear, a firm founded by long-time interception specialist Tal Dilian, and Jenovice, a WiSpear rival. Sources with knowledge of both companies, who would only speak anonymously as they weren’t authorized to speak on record, claimed the range of the Wi-Fi attacks could extend to 1km with powerful amplifiers. One of the sources said the cost for such tech starts at $1 million, rising to around $3 million.

“WiSpear was slightly more modest in its claims than Almenta. It showcased similar “man-in-the-middle” snooping techniques, relying on others to supply the requisite exploits and Trojans. A spokesperson gave Forbes a brief presentation on WiSpear’s man-in-the-middle attacks, showing maps of real attacks the company had tried out in tests, most carried out from a distance of up to 200 metres. Simple obstacles, whether trees or buildings, could limit attacks, which required a consistent connection to complete the process of installing spy tools on a cellphone via Wi-Fi.

“Further hinting that Wi-Fi is currently the best way to start spying on encrypted communications, a range of other firms were selling competing technology, including another two from Israel in the form of Rayzone and Wintego (previously featured in Forbes hacking WhatsApp from backpacks).”

Do Israeli tech companies have WhatsApp interceptors?

The answer is affirmative. But such sophisticated systems are not for sale in the market. The companies may not even show any interest in selling such systems to any unfriendly country. Even for a friendly country like the United States, getting hold of such extremely sophisticated systems is no easy task, not to mention the distant possibility of India, another friend of Israel, getting these “much-desired” tools.

At Blitz, we are aware of many tech firms in the Jewish State that are dedicated to researching and inventing advanced technologies. For them, inventing software or a device that is fully functional and capable of intercepting WhatsApp communications is not at all impossible. But of course, those products are not easily accessible, nor would those companies publicize their inventions. It is a highly classified affair. Moreover, the main customers of such devices or software would be the security agencies in Israel.

Sazzad Ahmed is the managing editor of Blitz.
