Malicious Threats, Vulnerabilities, and Defenses in WhatsApp and Mobile Instant Messaging Platforms

Presented at ShmooCon X (2014), Jan. 18, 2014, 11 a.m. (60 minutes)

Global surveillance emerged as a phenomenon since the late 1940s and Internet and mobile technology are being developed with such pace that it is impossible to guarantee electronic privacy and nobody should expect it. How strong are the actual Instant Messaging Platforms? Do they take care of our security and privacy? We'll look inside the security of several clients (like BBM, Snapchat, and Line) and will put our focus on WhatsApp.

WhatsApp might not be as widely known as Twitter, but the company announced that it has passed 350 million active monthly users. WhatsApp has been plagued by several security issues in the past, so we decided to start the research. We've discovered several vulnerabilities more that we'll disclosure (with proof of concept code), including encryption flaws, remote DOS (making the client crash by sending a custom message), or how to spoof messages manipulating sender address information.

We'll also release a new version of our tool with different protection layers: encryption, anonymity, and using a custom XMPP server. It's necessary to implement additional measures until WhatsApp decides to take security seriously.

Presenters:

• Jaime Sánchez   as Jaime Sanchez
  Jaime Sanchez (@segofensiva) is passionate about computer security that has worked for over 13 years as a specialist advisor for large national and international companies. He holds a Computer Engineering degree and also Executive MBA, as well as holding several certifications like CISA, CISM, CISSP, just to name a few.
• Pablo San Emeterio
  He is a frequent speaker introducing new bugs, exploitation techniques and mitigation, as in RootedCON, Nuit du Hack, Black Hat Arsenal USA 2013, Defcon 21, DeepSec or BlackHat Sao Paulo. He also writes a blog called SeguridadOfensiva (www.seguridadofensiva.com), touching on current topics in the field of hacking and security.

Similar Presentations:

• 33C3 (2016) / A look into the Mobile Messaging Black Box: A gentle introduction to mobile messaging and subsequent analysis of the Threema protocol.
• Black Hat USA 2019 / Reverse Engineering WhatsApp Encryption for Chat Manipulation and More
• Black Hat USA 2019 / Messaging Layer Security: Towards a New Era of Secure Group Messaging