WhatsApp’s Security Team Identifies Vulnerabilities
by Michael Dean Thompson
Metadata is the data that describes data. If you make a phone call, metadata describes that call’s external characteristics: source number, destination number(s), how long the call lasted, etc. Although the metadata does not describe content, it still delivers enough information about a connection that a significant amount of additional information can be inferred. Former National Security Agency (“NSA”) chief Michael Hayden once quipped, “We kill people based on metadata.” The security team at WhatsApp issued an internal warning that their messaging tool may be vulnerable to metadata discovery via traffic analysis. Some 2 billion users may therefore be at risk.
Traffic analysis works when nation states or other powerful actors have access to some number of the endpoints (that is, the sources and destinations of traffic). When person A sends a message to person B, the state with access to monitor the endpoints may notice a discrete chunk of data being sent from A, through WhatsApp. B then receives the same-sized packet from WhatsApp a short time later. They do not need to have access to WhatsApp for this analysis to work. And while a single communication may not be enough to do more than create a correlation, more such communications, especially when they are bidirectional, help to improve the confidence in the correlation.
In the case of group messages, the content of the communications becomes more vulnerable with each new correlation. When it comes to digital security, a group communication is only as strong as the least secure participant. However confident any given user in a group may be in their digital hygiene, a single rootkit that finds its way into one member of the group effectively gives up the entire group.
Traffic analysis occurs outside the scope of the users and the app. WhatsApp, therefore, cannot know when an entity is watching the endpoints or any of the traffic between them. There are solutions to network analysis, but they may not be appealing to the end users or to app providers like WhatsApp.
One solution for WhatsApp might be to send out messages without a valid sender or receiver. Those messages obscure the valid messages, but they come at a price to both the sending and receiving processes in terms of data and processor usage, as well as battery life for portable devices. It helps to slow down the correlations because the participants receive random messages from the app provider that the app ignores. Likewise, the app sends messages the WhatsApp servers ignore. Because the fake message must appear valid to an external analyst, both ends must decrypt the message to know it is fake. For a service as large as WhatsApp, that could mean clogged networks and overloaded processors.
A somewhat better solution in terms of cost but less effective at obscuring correlations would be a random delivery delay to each group member. If the delay were close to truly random, it would be impossible to predict when a message might be forwarded and received. For WhatsApp, it seems an untenable solution because consumers have some expectation that their messages will be received soon after they are sent.
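The two mitigations described above, decoy messages and a random delivery delay, can be compared in a toy simulation that measures how many messages remain uniquely matchable by size and timing. This is an added example, not code from WhatsApp or The Intercept; the message sizes, latency, spacing, delay bound and decoy rate are all constructed assumptions.

```python
import random

LATENCY = 0.2   # assumed constant server forwarding latency, seconds
SPACING = 0.5   # assumed gap between consecutive real messages, seconds

def simulate(n=200, max_delay=0.0, decoys_per_msg=0, seed=1):
    """Return (sends, receives) as an endpoint observer would see them.
    Each event is (time, size, msg_id); msg_id is None for a decoy."""
    rng = random.Random(seed)
    sizes = [100 + 16 * ((7 * i) % 10) for i in range(n)]  # constructed sizes
    sends = [(i * SPACING, sizes[i], i) for i in range(n)]
    receives = [(t + LATENCY + rng.uniform(0, max_delay), size, i)
                for t, size, i in sends]
    span = n * SPACING + max_delay
    for _ in range(n * decoys_per_msg):
        # Decoy: encrypted filler the client discards after decrypting it.
        receives.append((rng.uniform(0, span), rng.choice(sizes), None))
    return sends, receives

def linkable_fraction(sends, receives, max_delay=0.0):
    """Fraction of sends with exactly one same-sized receive in the window."""
    window = 1.0 + max_delay  # observer widens the window to cover the delay
    unique = 0
    for t, size, _ in sends:
        hits = [r for r in receives
                if r[1] == size and t <= r[0] <= t + window]
        unique += len(hits) == 1  # the true receive is always among the hits
    return unique / len(sends)

def compare():
    """Linkable fraction for baseline, random delay, and decoy traffic."""
    base = linkable_fraction(*simulate())
    delayed = linkable_fraction(*simulate(max_delay=20.0), max_delay=20.0)
    decoyed = linkable_fraction(*simulate(decoys_per_msg=20))
    return base, delayed, decoyed

if __name__ == "__main__":
    for name, value in zip(("baseline", "random delay", "decoys"), compare()):
        print(f"{name:>12}: {value:.0%} of messages uniquely linkable")
```

The costs the article names show up directly in the parameters: the decoy run carries twenty discarded messages for every real one, and the delay run holds messages for up to twenty seconds.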
Because the WhatsApp message must pass through the WhatsApp servers, app usage is identifiable on both ends. Analysts can then use the IP addresses involved to learn the identity and—potentially—the location of each user. If the user is communicating via cellular device, the analyst can also acquire the device ID, telling them which cellular device sent or received the data. The end user can obscure that information by connecting through a virtual private network (“VPN”) or secure shell. However, that assumes the VPN service provider is itself not logging the connection. WhatsApp is not the only system vulnerable to these attacks, but at least they are paying attention.
Source: The Intercept