Whatsapp hacking vector analysis and security : (#isoeh) Even after 3 time security change, whatsapp is still prone to getting hacked! Key facts: ~WhatsApp prior to August 2012 lacked encryption in their messages! ~Everything was sent in plaintext which could be easily intercepted and read. ~WhatsApp on Wi-Fi, allowed hackers to intercept the airwaves and read what you were sending and receiving. ~WhatsAppSniffer was designed to be able to intercept these messages easily. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~1st security change... (failure)~ WhatsApp implemented encryption by using your IMEI number or your MAC address as a basis for their cryptographic keys. This was not appreciable since mac and imei can be easily deciphered.. __________________________________________ ~Game masquerading as sniffer~ An app game (Ballon Pop2) was recently in the news which secretly stole WhatsApp conversations once installed in phone BalloonPop2 was originally offered in Google Play, but was taken down recently for obvious security concerns. A screenshot of the game is given below. Please be beware of this game! _________________________________________ ~Attack vector~ ->||The app was 100% a game ,but in stealth it was for hacking the phone. ->||Once executed, It gains access to a phone’s WhatsApp account and the serial number of the SIM card, then copies the folder containing profile pictures. ->||Conversations gets uploaded to the developer’s Whatsapp Copy website, whereby using the cell phone number of any individual with this app installed, others can download their conversations for a small charge. Even post removal from google play , this game is still available for download (gamesapk.net/balloon_burst.apk_for_android.html#.U_7TRMWSyNA) DONT DOWNLOAD THOUGH!!! _____________________________________________________ ~Security changes rolled out and proposed ~“ 1) Secure encryption to the client If an attacker intercepts the messages at WhatsApp’s server,results wont be obtained. 2)Anonymity to the conversation Introduction of fake/anonymous accounts and intermediate communication nodes are introduced to ensure no direct communication between the mobile phone and the server takes place. 3)Modifying routing of all traffic and messages to XMPP server. Post routing, the original WhatsApp servers will be only as dummy to send fake data. _____________________________________________________ Using of custom encryption algorithm will be added. Then the plaintext messages will be sent to the XMPP server. Format: Data: < recipient > ? < whatsapp_message_ id > ? < message > . ~Working method:~ The program replaces every character in the original text with wildcard characters Result: ~Original message never passes through WhatsApp’s servers. ~Recipient receives a message full of wildcard characters, queries the XMPP server, and replaces it with the original text This implementation proposed by researchers will make whatsapp hacking almost extinct and impossible. by- Samrat Das facebook/dkdmd18
Posted on: Mon, 01 Sep 2014 16:13:40 +0000
Trending Topics
Recently Viewed Topics
© 2015