Skip navigation
Criminal Legal News
CLN bookstore
× You have 2 more free articles available this month. Subscribe today.

WhatsApp’s Security Team Identifies Vulnerabilities

Loaded on Nov. 1, 2024 by Michael Thompson published in Criminal Legal News November, 2024, page 18
Filed under: Computer Searches. Location: United States of America.

by Michael Dean Thompson

Metadata is the data that describes data. If you make a phone call, metadata describes that call’s external characteristics: source number, destination number(s), how long the call lasted, etc. Although the metadata does not describe content, it still delivers enough information about a connection that a significant amount of additional information can be inferred. Former National Security Agency (“NSA”) chief Michael Hayden once quipped, “We kill people based on metadata.” The security team at WhatsApp issued an internal warning that their messaging tool may be vulnerable to metadata discovery via traffic analysis. Some 2 billion users may therefore be at risk.

Traffic analysis works when nation states or other powerful actors have access to some number of the endpoints (that is, the sources and destinations of traffic). When person A sends a message to person B, the state with access to monitor the endpoints may notice a discreet chunk of data being sent from A, through WhatsApp. B then receives the same sized packet from WhatsApp a short time later. They do not need to have access to WhatsApp for this analysis to work. And while a single communication may not be enough to do more than create a correlation, more such communications, especially when they are bidirectional, help to improve the confidence in the correlation.

In the case of group messages, the content of the communications becomes more vulnerable with each new correlation. When it comes to digital security, a group communication is only as strong as the least secure participant. However confident any given user in a group may be in their digital hygiene, a single rootkit that finds its way into one member of the group effectively gives up the entire group.

Traffic analysis occurs outside the scope of the users and the app. WhatsApp, therefore, cannot know when an entity is watching the endpoints, any of the traffic between them. There are solutions to network analysis, but they may not be appealing to the end users or to app providers like WhatsApp.

One solution for WhatsApp might be to send out messages without a valid sender or receiver. Those messages obscure the valid messages, but they come at a price to both the sending and receiving processes in terms of data and processor usage, as well as battery life for portable devices. It helps to slow down the correlations because the participants receive random messages from the app provider that the app ignores. Likewise, the app sends messages the WhatsApp servers ignore. Because the fake message must appear valid to an external analyst, both ends must decrypt the message to know it is fake. For a service as large as WhatsApp, that could mean clogged networks and overloaded processors.

A somewhat better solution in terms of cost but less effective at obscuring correlations would be a random delivery delay to each group member. If the delay were close to truly random, it would be impossible to predict when a message might be forwarded and received. For WhatsApp, it seems an untenable solution because consumers have some expectation that their messages will be received soon after they are sent.

Because the WhatsApp message must pass through the WhatsApp servers, app usage is identifiable on both ends. Analysts can then use the IP addresses involved to learn the identity and—potentially—the location of each user. If the user is communicating via cellular device, the analyst can also acquire the device ID, telling them which cellular device sent or received the data. The end user can obscure that information by connecting through a virtual private network (“VPN”) or secure shell. However, that assumes the VPN service provider is itself not logging the connection. WhatsApp is not the only system vulnerable to these attacks, but at least they are paying attention.   

Source: The Intercept

As a digital subscriber to Criminal Legal News, you can access full text and downloads for this and other premium content.

Subscribe today

Already a subscriber? Login

More from this issue:

  1. SCOTUS Announces Confrontation Clause Prohibits Expert Witness From Testifying About Non-­Testifying Expert’s Statements Regarding Forensic Testing Performed by Non-­Testifying Expert in Support of Testifying Expert’s Opinion Testimony at Trial, by Sam Rutherford
  2. NIJ Partners With Doctor to Develop Better Screening Method to Detect and Identify Drugs Postmortem, by Douglas Ankney
  3. Broken Trust The Pervasive Role of Deceit in American Policing, by Andrew Eichen
  4. WhatsApp’s Security Team Identifies Vulnerabilities, by Michael Thompson
  5. University of Maryland Carey Law Pioneers Forensic Defense Clinic
  6. Seventh Circuit Announces Search of Cellphone at Border Constitutes Routine Inspection and Does Not Require Warrant, Probable Cause, or Even Individualized Suspicion, by Sam Rutherford
  7. Delaware Supreme Court: Counsel Ineffective for Failing to Challenge Search of Cellphone Where Consent Was Ambiguous and Warrant Constituted a General Warrant, by Sam Rutherford
  8. Barrier-­Crime Laws Continue to Unjustly Prohibit Otherwise Qualified Persons With Prior Convictions From Employment, by Douglas Ankney
  9. Cops Hide Behind Encrypted Radio, by Michael Thompson
  10. Ninth Circuit Denies Habeas Relief to Prisoner Who Invoked Fifth Amendment Right to Counsel During Custodial Interrogation but Made Incriminating Statements to Undercover Informant Posing as Fellow Prisoner Because Right to Counsel Not Violated, by Sam Rutherford
  11. Overthrowing the Constitution: All Sides Are Waging War on Our Freedoms, by Nisha Whitehead, John W. Whitehead
  12. California Court of Appeal: Wearing Puffy Jacket on Hot and Humid Night Does Not Constitute Reasonable Suspicion of Criminal Activity, by Anthony Accurso
  13. Ninth Circuit Announces California Carjacking Conviction Not Categorically ‘Crime of Violence’ Under Immigration Law for Removal Purposes, by Sam Rutherford
  14. SCOTUS Clarifies Prejudice Standard Under Strickland for Ineffective Assistance of Counsel Claims at Capital Sentencing, by Sam Rutherford
  15. Oregon Supreme Court Further Clarifies ‘Guilty Except for Insanity’ Defense, by Sam Rutherford
  16. Wisconsin District Attorneys’ Police Brady Lists Often Secret, Incomplete, or Nonexistent, by Matthew Clarke
  17. Georgia Supreme Court: Discovery of Common Law Wife’s Infidelity Entitled Defendant to Voluntary Manslaughter Instruction in Malice Murder Prosecution, by Sam Rutherford
  18. Arizona Supreme Court Allows Third PCR Motion Based on IAC for Erroneous Advice About Parole Eligibility Due to ‘Pervasive Confusion’ Regarding Parole Within Legal Community, by Anthony Accurso
  19. Chicago PD Continues Racial Profiling While Underreporting Incidents of Traffic Stops, by Jo Ellen Nott
  20. Wisconsin Supreme Court: Officer Violated Fourth Amendment by Exceeding Scope of Community Caretaking Function During Traffic Stop, by Sam Rutherford
  21. Seventh Circuit Holds Sentencing Guidelines Commentary Still Entitled to Deference, by Sam Rutherford
  22. ICE’s Deadly Force Problem: A Culture of Impunity, by Jo Ellen Nott
  23. News In Brief
  24. A New Approach to Drug Testing: Electrochemical Sensors and Raman Spectroscopy, by Jo Ellen Nott

More from Michael Thompson:

More from these topics:

 

 

Prisoner Education Guide side
Advertise here
Disciplinary Self-Help Litigation Manual - Side