Researchers Decrypt a WhatsApp Call (But Don’t Worry About It)
Researchers from Brno University of Technology in the Czech Republic and the University of New Haven have published a paper describing how they decrypted the network traffic exchanged between WhatsApp and its servers during a call placed from an Android phone. From the decrypted traffic they recovered forensic artifacts such as the user's WhatsApp phone number, the date and time of each call and its duration, as well as details of the app's inner workings such as the audio codecs it uses and the IP addresses of its servers. These artifacts are metadata taken from the call signaling exchange, not the audio of the call itself.
These findings were not reported to scare WhatsApp users or to reveal that WhatsApp collects your data but to fill a knowledge gap with regards to the application’s calling feature. As the researchers state, “WhatsApp is a widely adopted mobile messaging application with over 800 million users. Recently, a calling feature was added to the application and no comprehensive digital forensic analysis has been performed with regards to this feature at the time of writing this paper.”
The encryption used by messaging apps is typically only discussed once a major vulnerability has been disclosed or a data breach has occurred, and decryption work like this is sometimes reported in the same fear-mongering or finger-wagging tone as a breach. That characterization is misleading. For one thing, the research was performed on an Android phone that was already rooted, with the account's own WhatsApp password extracted from that device, so it decrypts the traffic of the examiner's device rather than intercepting a third party's calls. For another, the work was presented in the spirit of knowledge sharing, to encourage other researchers to perform similar analysis and potentially strengthen the security of the applications being studied.
The researchers describe their analysis of WhatsApp in the following steps (in their own words):
- To obtain the password, there are multiple options based on the mobile device being used (WHAnonymous, 2015b). As we were using an already rooted Android phone, the easiest way was to extract the password using the Password Extractor application.
- To force WhatsApp to establish a full handshake the next time the mobile device connected to the server, it was necessary to break the synchronization between the WhatsApp client and the server. The simplest way to do that was to connect using a different client. For that purpose, we used the IM client Pidgin alongside the WhatsApp plugin.
- To decrypt the WhatsApp connection between the client and server, we used Wireshark and a WhatsApp-specific dissector.
- To visualize the WhatsApp protocol message exchange we created a command-line tool described in the section "Tool for visualizing WhatsApp protocol messages".
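The four steps above end with a tool that turns the decrypted message exchange into something an examiner can read. As an added example that is not the paper's tool and is not part of the original article, the Python below shows the shape of such a tool: it parses already-decrypted signaling messages, draws the client/server exchange as a text sequence diagram, and derives the artifacts the researchers list (peer number, call timestamps, duration, codec, server IP) for each call. The line format, the message names (call_offer, call_ack, call_accept, call_terminate), the phone numbers and the server addresses are all constructed for illustration and are not WhatsApp's actual protocol; the decryption itself (the Wireshark step) is assumed to have already happened.

```python
"""Rebuild call timelines from decrypted signaling messages.

Added illustration (not the paper's tool and not WhatsApp's real wire format):
each line below is a constructed, already-decrypted signaling message in the
hypothetical form  <ISO-8601 UTC timestamp> <src>-><dst> <message-kind> key=value ...
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: one answered call (c1) and one unanswered call (c2).
# Phone numbers (555 range) and server IPs (203.0.113.0/24) are fictional
# documentation values, not real WhatsApp infrastructure.
SAMPLE = [
    "2015-04-10T14:03:21Z client->server call_offer call-id=c1 peer=+15555550100 codec=opus",
    "2015-04-10T14:03:22Z server->client call_ack call-id=c1 server-ip=203.0.113.10",
    "2015-04-10T14:03:30Z server->client call_accept call-id=c1",
    "2015-04-10T14:08:45Z client->server call_terminate call-id=c1",
    "2015-04-10T14:20:00Z client->server call_offer call-id=c2 peer=+15555550199 codec=opus",
    "2015-04-10T14:20:01Z server->client call_ack call-id=c2 server-ip=203.0.113.11",
    "2015-04-10T14:20:25Z client->server call_terminate call-id=c2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>client|server)->(?P<dst>client|server)\s+(?P<kind>\S+)(?P<attrs>.*)$"
)


@dataclass
class SignalMsg:
    ts: datetime
    src: str
    dst: str
    kind: str
    attrs: dict


def parse_line(line: str) -> SignalMsg:
    """Parse one decrypted signaling line (hypothetical format) into a SignalMsg."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable signaling line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # key=value attributes; tokens without '=' are ignored rather than crashing the parser
    attrs = dict(kv.split("=", 1) for kv in m["attrs"].split() if "=" in kv)
    return SignalMsg(ts, m["src"], m["dst"], m["kind"], attrs)


def build_calls(msgs):
    """Group messages by call-id and derive the forensic artifacts for each call.

    Duration is measured from call_accept to call_terminate. A call that is
    terminated without ever being accepted is reported as unanswered with
    duration None, so a missed call is never mistaken for a zero-length one.
    """
    calls = {}
    for m in sorted(msgs, key=lambda x: x.ts):
        cid = m.attrs.get("call-id")
        if cid is None:
            continue  # not a call-signaling message
        c = calls.setdefault(cid, {
            "call_id": cid, "peer": None, "codec": None, "server_ip": None,
            "offered": None, "answered": None, "ended": None, "duration_s": None,
        })
        if m.kind == "call_offer":
            c["offered"] = m.ts
            c["peer"] = m.attrs.get("peer")
            c["codec"] = m.attrs.get("codec")
        elif m.kind == "call_ack":
            c["server_ip"] = m.attrs.get("server-ip")
        elif m.kind == "call_accept":
            c["answered"] = m.ts
        elif m.kind == "call_terminate":
            c["ended"] = m.ts
    for c in calls.values():
        if c["answered"] is not None and c["ended"] is not None:
            c["duration_s"] = int((c["ended"] - c["answered"]).total_seconds())
        c["status"] = "answered" if c["answered"] is not None else "unanswered"
    return list(calls.values())


def render_sequence(msgs, width=22):
    """Render the exchange as a text sequence diagram, one arrow per message."""
    rows = []
    for m in sorted(msgs, key=lambda x: x.ts):
        label = f" {m.kind} ".center(width, "-")
        arrow = f"{label}>" if m.src == "client" else f"<{label}"
        extra = " ".join(f"{k}={v}" for k, v in m.attrs.items())
        rows.append(f"{m.ts:%H:%M:%S}  client {arrow} server  {extra}")
    return "\n".join(rows)


if __name__ == "__main__":
    parsed = [parse_line(line) for line in SAMPLE]
    print(render_sequence(parsed))
    for call in build_calls(parsed):
        print(call)
```

Running the script prints the sequence diagram followed by one record per call; for the constructed sample, call c1 is answered with a 315-second duration and c2 is reported as unanswered. In a real investigation the input would come from the decrypted capture produced in the Wireshark step, and the parser would have to be rewritten for the actual protocol.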
As WhatsApp grows toward a billion users, its security and privacy protocols will come under greater scrutiny from both altruistic researchers and cybercriminals. The researchers conclude their paper by stating that they "encourage other researchers to apply the techniques explained in our work to analyze the network traffic of other popular messaging applications."