posted by janrinok on Thursday October 06 2016, @01:17PM
from the I-can-fly,-allegedly dept.

Forbes staff reporter Thomas Fox-Brewster has an article (mirror here for those who won't turn off their ad blockers) reporting that Haifa-based spy tech company Wintego allegedly has the capability to break WhatsApp's encryption. From the article:

An Israeli company is marketing what appears to be an astonishing surveillance capability, claiming it can siphon off all WhatsApp chats, including encrypted communications, from phones within close proximity of a hidden Wi-Fi hacking device in a backpack.

Brochures leaked to FORBES, and published below, revealed a non-public offering from Haifa-based Wintego called CatchApp. It promises an "unprecedented capability" to break through WhatsApp encryption and grab everything from a target's account. It does so through a "man-in-the-middle" (MITM) attack; in theory the traffic is intercepted between the app and the WhatsApp server and somehow the encryption is decoded by the device, though that may not be possible with the latest upgrades to the software's cryptography.

According to the anonymous source who handed FORBES the documents, the product works on the most current versions of WhatsApp, noting the brochures were handed out at a policing event this year. They could not offer any proof of that claim, however, and the files may date from before WhatsApp added significantly stronger end-to-end encryption.



Related Stories

Israeli Firm NSO Linked to WhatsApp Hack, Faces Lawsuit Backed by Amnesty International

Israeli firm linked to WhatsApp spyware attack faces lawsuit

The Israeli firm linked to this week's WhatsApp hack is facing a lawsuit backed by Amnesty International, which says it fears its staff may be under surveillance from spyware installed via the messaging service.

The human rights group's concerns are detailed in a lawsuit filed in Israel by about 50 members and supporters of Amnesty International Israel and others from the human rights community. It has called on the country's ministry of defence to ban the export of NSO's Pegasus software, which can covertly take control of a mobile phone, copy its data and turn on the microphone for surveillance.

An affidavit from Amnesty is at the heart of the case, and concludes that "staff of Amnesty International have an ongoing and well-founded fear they may continue to be targeted and ultimately surveilled" after a hacking attempt last year.

NSO Group, founded in 2010, supplies industry-leading surveillance software to governments that it says is for tackling terrorism and serious crime, and has been licensed to dozens of countries including Saudi Arabia, Mexico, Bahrain and the UAE.

But there have been a string of complaints in the past few months, documented largely by the Toronto-based Citizen Lab, that the technology has been used to target human rights groups, activists and journalists by several countries – and that there has been no attempt to rein it in.

See also: After WhatsApp hack, NSO faces scrutiny from Facebook and UK public pension fund
WhatsApp's security breach: Made in Israel, implemented worldwide
WhatsApp Rushes to Fix Security Flaw Exposed in Hacking of Lawyer's Phone

Previously: A WhatsApp Call Can Hack a Phone: Zero-Day Exploit Infects Mobiles with Spyware

Related: Israeli Spy Tech Company Allegedly Cracks WhatsApp Encryption (2016)
Former NSO Employee Arrested After Attempting to Sell Spyware for $50 Million
Agents Target Researchers who Reported Software that Spied on Jamal Khashoggi before his Death



This discussion has been archived. No new comments can be posted.
  • (Score: 5, Interesting) by stormwyrm on Thursday October 06 2016, @02:14PM


    I'd have added this to the summary but I think it'd be more appropriate to comment instead. Something doesn't seem right here. The encryption used by WhatsApp is very highly regarded; supposedly it's based on the open source TextSecure system and provides full end-to-end encryption such that not even WhatsApp/Facebook themselves would be able to read your messages. The existence of back doors in the code is possible, though I rate it as unlikely because many security researchers and their competitors might have already tried to reverse engineer it and they'd probably have found evidence of a back door by now if it existed. Proof of the existence of such a mechanism would have been a big PR win for whoever did it and would embarrass WhatsApp/Facebook greatly since they made it such a big selling point.

    So I think that Wintego's probably got something like a WiFi Pineapple [wifipineapple.com] inside that backpack judging from some of the statements in TFA, which would be the first step in attempting a MITM. The brochure says: "Using the WINT interface, the system operator activates CatchApp on the target's device. The CatchApp solution can be activated on virtually all mobile phones running Android 4.0 or later and iPhones running iOS 7.0 or later." Doesn't look like they're doing a classical MITM attack (which would require forgery of any certificates WhatsApp might be using), but using the Wi-Fi to install an implant on the target's device. They've probably loaded their pack with a bunch of Android and iOS 0-days that allow them to install such implants to just about any device that connects to their rogue Wi-Fi. That would let them access everything on the phone, including any and all data that the WhatsApp installation stored on the phone, which I think is saved unencrypted.

    --
    Numquam ponenda est pluralitas sine necessitate.
    • (Score: 3, Interesting) by PizzaRollPlinkett on Thursday October 06 2016, @02:32PM


      Besides, what's this "allegedly" stuff, anyway? They either broke the encryption or they did not. There is no middle ground. If it's broken, they can prove that by releasing the source code or techniques that broke it. So, it won't be right unless they can prove their claims. BTW, I broke SSL yesterday and have been reading every financial transaction on the Internet, and I also broke into all the nuclear reactors on the planet, and after lunch I broke all disk encryption on all operating systems. I had a busy day. But I'm not going to tell you what I did or how I did it.

      --
      (E-mail me if you want a pizza roll!)
      • (Score: 2) by opinionated_science on Thursday October 06 2016, @02:41PM


        Agreed. Sounds like it could be a sales pitch - especially since WhatsApp uses the Signal code... Though, if it's Windows surely this is redundant? - it's likely M$ baked in backdoors to meet the $NSL printer spool......

        Not saying it *can't* be cracked, but extraordinary claims....

        As a penguinista, I'm still waiting for the CPU microcode exploit that gets us all....

      • (Score: 0) by Anonymous Coward on Thursday October 06 2016, @05:27PM


        > BTW, I broke SSL yesterday and have been reading every financial transaction on the Internet, and I also broke into all the nuclear reactors on the planet, and after lunch I broke all disk encryption on all operating systems.

        Can I get some cash or plutonium instead of a pizza roll? I'll settle for unlimited cloud storage capability for alls my torrentz!

      • (Score: 1) by toph on Thursday October 06 2016, @05:46PM


        If you really did break SSL yesterday and have been reading every financial transaction on the Internet, then the last thing you'd want to do is tell people about it. You'd instead take every and all advantage of your capability to become filthy rich.

        • (Score: 2) by PizzaRollPlinkett on Thursday October 06 2016, @07:34PM


          I've got a lot of what it takes to get along after last night. After draining Bill Gates' bank accounts, I quit. I don't want to get greedy.

          --
          (E-mail me if you want a pizza roll!)
      • (Score: 0) by Anonymous Coward on Thursday October 06 2016, @06:39PM


        > BTW, I broke SSL yesterday and have been reading every financial transaction on the Internet

        Cool. Where are Trump's tax returns, then?

      • (Score: 1, Insightful) by Anonymous Coward on Thursday October 06 2016, @07:15PM


        > If it's broken, they can prove that by releasing the source code or techniques that broke it.

        If they released it, they would cease to be able to monetize it. They presumably want money, not fame; they're a corporation, not an actor.

      • (Score: 2, Insightful) by Anonymous Coward on Thursday October 06 2016, @08:27PM


        My take is it could be a government trying to discourage use of something they can't break. What better way to get someone to look for other options than to cast doubt on something that is secure?

        The terrorists have been using WhatsApp and certain 3 letter agencies might have a desire to get them to try something else. If it works....bravo!

      • (Score: 2) by stormwyrm on Friday October 07 2016, @12:17AM


        They are only under obligation to prove their claims to their customers, not to the world. Doing that would be like the Allies announcing to the Germans that they've cracked Enigma. They're not WhatsApp's competitors or white hat security researchers (they are obviously black hats: that they do this work at the behest of governments and law enforcement is not relevant) and would rather people continue using a platform they have the ability to allow their customers to exploit. Hence their efforts to keep this capability secret, but they still have to tell their prospective customers; apparently this was a leak at a "policing event" (this sounds like a law enforcement trade show). The knowledge that you have the ability to break a cryptosystem is frequently far more valuable than any intelligence you can get from breaking it.

        As I have said, if this is real they are most likely exploiting platform vulnerabilities, or alternatively might have found a 0-day in the current version of WhatsApp itself. If that counts as breaking the encryption, then they've broken the encryption. If this isn't real then it might perhaps be a ploy to get people to stop using it in favour of some other system that they can break.

        --
        Numquam ponenda est pluralitas sine necessitate.
  • (Score: 4, Funny) by BK on Thursday October 06 2016, @03:21PM


    These criminals claim to have circumvented the technical protection measures of copyrighted works (messages). We have a public confession! How is it that they aren't being hauled into a PMITA prison?

    *blink*

    --
    ...but you HAVE heard of me.
    • (Score: 2) by bob_super on Thursday October 06 2016, @04:18PM


      Israeli hackers are immune from DMCA claims, because they're the good guys.

      • (Score: 3, Informative) by Nerdfest on Thursday October 06 2016, @04:57PM


        They're also not in the US ... they're in Israel. Admittedly though, that hasn't stopped US media companies in all cases in the past.

        • (Score: 2, Interesting) by Anonymous Coward on Thursday October 06 2016, @07:55PM


          Loosely translated*, Israel's fair use clause explicitly allows self-study, research, criticism, survey, journalistic report, citations and inclusion as part of an institution's curriculum.

          Moreover, there are some mandatory minimal criteria for evaluation when determining if a usage is fair or not:
          1. Purpose and method of usage.
          2. The nature of the work itself.
          3. Quantitative and qualitative aspects.
          4. Affects \ effects of the usage on the work's potential value.

          Note the lack of "potential lost revenues" doctrine: If you've pirated a copy of a music CD or some software that otherwise sold in the millions, beyond court expenses and a fine, the copyright holder won't be rewarded even with the value of the product unless the court sees a good reason to do so.

          Also, it's up to the copyright owner to prove the violation was not in fair usage. That is, you can't just DMCA someone because they downloaded something since in Israel, the default is fair usage unless shown in court to be otherwise.

          Effectively, unless you're a business pirating commercial products, Israeli courts don't care.

          * https://he.wikipedia.org/wiki/%D7%A9%D7%99%D7%9E%D7%95%D7%A9_%D7%94%D7%95%D7%92%D7%9F#.D7.94.D7.92.D7.93.D7.A8.D7.AA_.22.D7.A9.D7.99.D7.9E.D7.95.D7.A9_.D7.94.D7.95.D7.92.D7.9F.22_.D7.91.D7.99.D7.A9.D7.A8.D7.90.D7.9C [wikipedia.org]

        • (Score: 3, Insightful) by PinkyGigglebrain on Friday October 07 2016, @12:14AM


          > They're also not in the US ...

          When has that ever stopped the USA?

          --
          "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
          • (Score: 0) by Anonymous Coward on Friday October 07 2016, @01:38AM


            Snowden and Assange would be toast if they'd leaked music or movies.

  • (Score: 0) by Anonymous Coward on Thursday October 06 2016, @06:11PM


    Probably a flawed implementation, as always, but I'd like to hear MM's thoughts.

    Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that [$BADGUYS] can frequently find ways around it. - Snowden?

    Source for it using Signal:
    https://whispersystems.org/blog/whatsapp-complete/ [whispersystems.org]