WhatsApp is insecure. Myth or reality? II

November 22nd, 2012

Following up on the information we discussed in the article WhatsApp is unsafe. Truth or myth?, and taking your comments into account, we want to share a new entry with you.

WhatsApp has always been reluctant to release a public API and encourage developers to create applications based on its platform. This has led some people to reverse engineer the application in order to learn how WhatsApp works internally.

Thanks to this reverse engineering work, an alternative known as WhatsAPI was published that makes it possible to use WhatsApp from programming languages like PHP and Python, thus opening the door to web applications.

If we add this to the previously mentioned weakness of the encryption key, we face the troubling situation that it is now even easier to impersonate someone in WhatsApp: we only need to know the IMEI of the phone (on Android devices) or the MAC address of the network card (on iOS devices). There are already websites that offer non-technical users the ability to impersonate a user in WhatsApp: you only need to know the MAC or IMEI of the phone you want to impersonate.

  • To learn the IMEI of a phone you need physical access to it, but with that access it takes only a few seconds: entering a key combination (*#06# on Android devices) displays the IMEI.
  • On the other hand, to learn the MAC of an iOS device, you only need to capture traffic while connected to the same network as the phone you want to impersonate, for example a public Wi-Fi network.

Let us reformulate our safety recommendations, then:

  • Never lose sight of your phone, or leave it accessible to strangers.
  • Avoid using this application when connected to public Wi-Fi networks (airports, coffee shops, etc.). You never know who may be listening.
  • Apply basic security measures to your own Wi-Fi network. This way, you will prevent other users from connecting to it without your consent.

    Note: check your router user guide for more information on how to implement the following recommendations, as they may vary depending on the manufacturer:

    • Change the default password that gives access to your router or Wi-Fi access point
    • Increase the security of transmitted data by enabling WPA/WPA2 encryption
    • Enable MAC address filtering

WhatsApp is insecure. Myth or reality?

September 28th, 2012

WhatsApp is no longer just another instant messaging application; it is becoming a true social phenomenon. It is used by all kinds of users and handles two billion messages per day.

In fact, it may even lead to social exclusion, as the people who do not use it become ‘expensive’ friends in the eyes of others and might see how the number of calls and messages received from friends is drastically reduced.

Leaving aside these questions, today most smartphone users use WhatsApp and, despite its tremendous popularity, security experts have brought to light other not-so-good aspects of the app, mainly the level of communication security provided by it.

Until recently, messages sent through the WhatsApp service were not encrypted. Thus, it was fairly simple to see the messages sent by other users as long as you were connected to the same network as them (for example, a public Wi-Fi network). To fix this, at the end of August a new version of WhatsApp was released which included message encryption to assure the user’s communication privacy.

However, it has been demonstrated that the encryption used is not robust enough so it is still possible to intercept communications even with this new version.

The problem stems from the fact that the encryption key used by WhatsApp for Android is an MD5 hash of the phone’s IMEI number in reverse format; that is, if you calculate your phone’s IMEI number MD5 hash and write it from right to left instead of from left to right, you’ll obtain the encryption key used by WhatsApp, and therefore will be able to decrypt the messages sent through the service. Additionally, on iOS devices (iPad/iPhone), WhatsApp creates its encryption key simply by doubling the Wi-Fi interface’s MAC address and generating an MD5 hash from it. Many voices claim that WhatsApp is insecure, but how risky is it really?

For a user to be able to intercept and decrypt the messages you send via WhatsApp, the following conditions must be met:

  • They must be connected to the same Wi-Fi network as you. For example, a public Wi-Fi network.
  • They must know your phone’s IMEI number (which is not easy).
  • They must have enough technical knowledge to capture network traffic, calculate the MD5 hash of your IMEI number and decrypt the messages.
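
The key derivation described above, which is also what makes the impersonation covered in the follow-up post possible, shown as an added example (not WhatsApp's or WhatsAPI's code). It reads "IMEI in reverse format" as reversing the digits before hashing and assumes the MAC is hashed in its colon-separated text form; the sample identifiers are constructed. It shows that both keys are pure functions of a non-secret identifier and bounds their entropy against a randomly generated 128-bit credential.

```python
import hashlib
import math
import secrets

# Constructed sample identifiers, not taken from any real device.
SAMPLE_IMEI = "490154203237518"
SAMPLE_MAC = "00:11:22:33:44:55"

def android_key(imei: str) -> str:
    # Assumed reading of the article: reverse the IMEI digits, then MD5.
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()

def ios_key(mac: str) -> str:
    # Article: the Wi-Fi MAC address doubled, then MD5.
    # Assumption: the MAC is hashed in its colon-separated text form.
    return hashlib.md5((mac + mac).encode("ascii")).hexdigest()

def luhn_valid(imei: str) -> bool:
    # The 15th IMEI digit is a Luhn check digit, so only 14 digits are free.
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def max_entropy_bits(source: str) -> float:
    # A derived key cannot hold more entropy than the value it is derived from.
    bounds = {"imei": 14 * math.log2(10), "mac": 48.0, "random": 128.0}
    return bounds[source]

def random_key() -> str:
    # Hardened alternative: 128 random bits, unrelated to any device identifier.
    return secrets.token_hex(16)

def audit(imei: str, mac: str) -> dict:
    return {
        "imei_well_formed": luhn_valid(imei),
        # Same identifier in, same key out: knowing the identifier is knowing the key.
        "android_deterministic": android_key(imei) == android_key(imei),
        "ios_deterministic": ios_key(mac) == ios_key(mac),
        "random_repeats": random_key() == random_key(),
        "bits": {s: round(max_entropy_bits(s), 1) for s in ("imei", "mac", "random")},
    }

if __name__ == "__main__":
    print(audit(SAMPLE_IMEI, SAMPLE_MAC))
```

The entropy figures are upper bounds only: neither identifier is secret, since one is shown on the handset and the other is visible on the local network, which is why the recommendations that follow focus on limiting who can observe them.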

Once you know the risks, you just have to take some basic security measures to continue using the app without compromising your privacy:

  • Avoid using WhatsApp on public Wi-Fi networks (airports, cafés, etc.). You never know who may be listening.
  • Use certain basic security measures with your own Wi-Fi network. This way, you will prevent other users from connecting to it without your consent.

Note: Refer to your router user guide for more information on how to apply the following recommendations as instructions may vary between router manufacturers:

  • Change the default password of your router or Wi-Fi access point.
  • Secure data transmission, enabling WPA/WPA2 encryption.
  • Enable MAC address filtering.

How to disinfect the Police Virus

April 27th, 2012 No comments

Published by Jose Manuel Bernal, 27/04/2012

This morning, after I started up the PC, I was confronted with the following full-screen window covering the entire desktop:

Without paying much attention to it I instinctively pressed ESC and other key combinations like ALT+F4 to try and close it, but the message had locked the computer rendering it effectively unusable.

The message pretends to come from Spain’s local authorities and claims illegal activity has been detected on my computer. More specifically, the message claims that forbidden websites containing pornography have been visited from my IP address and demands a fine is paid to let me back in. The text, loosely translated, reads:

“Illegal activity has been detected on your computer. According to Spanish law your computer is locked. Forbidden websites containing pornography, child pornography, bestiality, etc. were visited from this IP address. This locking serves to stop your illegal activity.”

This is actually a new variant of the infamous Police Virus called Trj/Ransom.ab, which belongs to a malware category called ransomware. The aim of the people spreading this malware is to intimidate and blackmail users whose PCs are infected and persuade them to pay for having the malware removed. The scam is similar to that of rogueware or fake antivirus software, which we have covered in the post "The nightmare of fake antivirus continue. Protect yourself with Panda", only this time the perpetrator tries to pass themselves off as a law enforcement agency instead of as an antivirus vendor. Here are the instructions to remove the Police Virus Trj/Ransom.ab.

Finally, we’d like to remind you of these simple tips that will help you protect yourselves from this type of malware.

  1. Use your common sense. No governmental organization can block access to your computer. Under no circumstance pay the so-called ‘fine’.
  2. Install a good antivirus. Check out our recommendations in the following post: Protect your banking data with Panda Security’s new 2012 products. Protect your computer at all times and avoid nasty surprises.
  3. Keep your operating system up-to-date with the latest security patches.
  4. Never open an email from an unfamiliar sender. Beware of messages with eye-catching subject lines; they are more likely to carry a virus.
  5. Avoid surfing to non-secure Web pages. In some cases, it is enough to visit a compromised website to get infected without knowing. If, however, you need to access a dubious website, do so from a malware-free environment like that offered by Panda SafeBrowser.

Stay safe!