WhatsApp is broken, really broken

WhatsApp, the extremely popular instant messaging service for smartphones that delivers more than ~1billion messages per day has some serious security problems. I will try to give a detailed analysis on some of the issues.

Encryption

Until August 2012, messages sent through the WhatsApp service were not encrypted in any way, everything was sent in plaintext. When using WhatsApp in a public WiFi network, anybody was able to sniff incoming and outgoing messages (including file transfers). The company claims that the latest version of the software will encrypt messages – without giving any details on what cryptographic methods they are using (so it is safe to assume they did not do it the right way, using Public-key cryptography) . Update: their encryption is broken

WhatsApp still revealing users phone number after encryption update

However, the users mobile phone number is still being transferred in plaintext: 

Authentication

The authentication is a security nightmare. On Android, the password is a md5 hash of the reversed IMEI number:


$imei = "112222223333334"; // example IMEI
$androidWhatsAppPassword = md5(strrev($imei)); // reverse IMEI and calculate md5 hash

On iOS devices the password is generated from the devices WLAN MAC address:


$wlanMAC = "AA:BB:CC:DD:EE:FF"; // example WLAN MAC address
$iphoneWhatsAppPassword = md5($wlanMAC.$wlanMAC); // calculate md5 hash using the MAC address twice

The username is the users mobile phone number – an attacker would probably already know the number.

The IMEI can be obtained if you have physical access to the phone or if you control an app installed on the users device. The WLAN MAC address can be found using a network sniffer. Congratulations, you can now take over a users WhatsApp account¹. But how? Well, some people have done a excellent job reverse engineering the WhatsApp protocol. There is a working PHP class available that contains everything needed to build your own WhatsApp client: https://github.com/venomous0x/WhatsAPI

Got a smartphone with WhatsApp installed? Try it out yourself using the URLs known from the reverse engineered API!

https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password $countrycode = the country calling code $phonenumber = the users phone number (without the country calling code) $password = see above, for iPhone use md5($wlanMAC.$wlanMAC), for Android use md5(strrev($imei)) / Note that the WhatsAPP UDID has nothing to with the Apple UDID - it is something completely different.

If you did everything right, the server will answer with a XML:+ expand source

Privacy

When WhatsApp starts it will send all numbers from your phones address book to the WhatsApp servers and check which numbers are registered with WhatsApp.

This is done like this:

https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4 $countrycode =  the country calling code $yournumber = while this SHOULD be your number, it is not required, the API will accept any number  $friendX = phone number (without the country calling code) from the address book that will be checked, u[] is an array so it is possible to check multiple numbers with one request

The server will answer with a XML document showing all numbers (hits) that were registered with WhatsApp, this will look something like this:+ expand source

Key “P” is the users phone number, Key “T” seems to be the uptime(?), Key “S” is the users status message. Not sure about “JID” (Update: JID ist the JabberID, thanks) and “NP” yet – if you have smart guess let me know. All this information is public.

Local database encryption

Since this requires physical access to the device or a full backup (in both cases you are screwed anyway) this is less interesting but still worth a note. In most cases it is possible to obtain the WhatsApp message history from an encrypted device or backup, for details read this paper: WhatsApp Database Encryption Project Report

Conclusion

Do not use WhatsApp. Really, dont.

¹ Actually, you can’t – it’s against the law. That being said: i did not hijack anybody’s WhatsApp account during this research and neither should you. This information is for educational purposes only.

Leave a Reply