Maikel.pro/blog/

information security & privacy tips

Messaging apps and SMS: How "secure" platforms rely on insecure authentication

Lately a lot of messaging apps advertise themself as secure platforms with e2e-encryption which act like all conversations with your friends are invisible to intelligence services, but this security/privacy guarantee might be weaker than you think. A lot of these apps still use your phone number as a way of authentication (SMS-authentication), which has its limitations in terms of security if not used correctly.

Note: This article is meant for Intelligent Services targeting specific activists, and not the mass-surveillance most people instantly think about. The information in this article is not ground breaking, but just a summary of the usage of messaging apps and flaws in them.

Why SMS-authentication?

Services such as Telegram and WhatsApp make use of your phone number as unique identifier. The primary reason for this, is the fact that the stored contacts in your phone, probably all have at least a phone number stored. This way, it will be very easy to contact those persons without other obstructions (such as exchanging usernames). To verify that you actually own the phone number (and not just spoof some random number), you need to authenticate yourself as the owner of the phone number, by entering a PIN into the app that you received via SMS.

Another reason to use SMS is the fact that owning a phone number costs more effort than just creating a new account (either in money or requesting a new number). Malicious users / spammers on messaging apps is a serious threat and disruption for the user experience, which is vital for the existence of the service. Especially WhatsApp seems to be taking spam abuse very seriously on their service, banning malicious clients within 0-12 hours if they start showing malicious intent (without even sending messages).

Telegram: flawed authentication without 2FA

Telegram advertises itself as a "secure" messaging app, but provides both "secure" (encrypted, but flawed as proven many times (Rad, A.)) or normal chats. All conversations and contacts are stored on the servers of telegram. This way you can use different applications (such as Web/Windows/Mobile) without having your phone on. The thing is that you authenticate yourself with only a SMS on the web client. This authentication flaw is posing a serious threat from Advanced Persistent Threats as seen in Iran and Russia. Intelligence Services can easily setup their own base stations to capture SMS traffic, or require the ISP to filter out certain SMS messages without the user ever knowing. This way they can authenticate themself as an owner of one of the phone numbers and simply pull all normal conversations history out of Telegram (with the exception of the secured chats which require the key).

This authentication attack can be fully automated, but so far only single user attacks were reported.

By default Telegram will notify you of a new login, but the moment you receive this message it will be already to late. To prevent this from happening you should really enable 2FA to be sure. It has been proven that Intelligence Services in Iran and Russia already abused this to shutdown communication channels of activists and basically censor them.

WhatsApp: SMS re-activation and e2e encryption

WhatsApp does not rely that much on phone number authentication as Telegram does. It's only used the first time to check if you are the owner of the phone number. After this WhatsApp will share a secret key with you to use the next time you login on WhatsApp. WhatsApp does not store messages after they are delivered, rendering the attack surface quite more limited than Telegram.

But this does not take away that there is no attack surface. On WhatsApp you can re-activate your account (eg. if you switch phones), by following the same process again: send a registration request to WhatsApp, enter SMS and store the secret key on your phone. After this registration the old secret key is invalid and cannot be used any longer to login. Once the newly registered client is finished registering, it uploads 200 prekeys for other clients to use e2e encryption with you (mgp25, 2016).

As noted before, Intelligence Services can basically actively Man-in-middle all SMS and voice traffic of a certain phone number. This means that they can -with ease- re-activate any WhatsApp account without you even knowing (assuming they cut off SMS/internet of your mobile phone, look for example at Brazil where WhatsApp is blocked for 3 days). During this time, the agent can retrieve messages intended for the user, fully e2e encrypted (but encrypted with keys of the agent, because WhatsApp switches keys without notifying anyone[1], see example below) of the user that was supposedly safe by MitM attacks. The user that has its account taken over doesn't know a thing until WhatsApp is no longer blocked, and he will be presented with a re-activation screen (as seen below):

[1]: It seems there is an option to enable notifications about this, but it's disabled by default. Note that enabling this option will still trigger the re-encryption with the new key.

Note that e2e encryption does not help here. Imagine the following scenario: Alice sends a message to Bob with the key initially created by Bob. WhatsApp will try to deliver the message, but notices that they keys doesn't match anymore. Alice's client will automatically use the new key (that Eve uploaded after taking over Bobs account), and now Eve can read the message that was intended for Bob. Alice can however notice this if she looks at the key, but she is by default not notified about a key change.

Hostile account takeover in practice

I tested for myself what the WhatsApp client will do once a key changes. Here is a real life example between Alice (a normal user), Bob (a normal user that gets his account taken over by an Advanced Threat) and Eve (The evil Agent that wants to know who is communicating with Bob and about what).

It first starts with a normal conversation between Alice and Bob:

And a view from Alice's side:

Okay, e2e encryption seems to be working fine (keys match). But now Eve starts interfering: He requests a new secret from WhatsApp for Bob's phone number and intercepts the SMS to retrieve the WhatsApp secret themself. After this Eve logs in WhatsApp and waites for anyone to send a message to Bob. Here you see Alice trying to send a message to Bob:

As you can see the keys are still correct, but once the single check changes in two checks the key changes. In the background the message was encrypted for Bob, but WhatsApp refused the delivery because the key changed. The client changed the key, re-encrypted the message and gave it to WhatsApp again. If Alice enabled the notification option about a key change, she would be too late to revoke the message. WhatsApp already re-encrypted the message and sent it to Eve.

Now Eve received the message and now knows who is talking to Bob (yes it's e2e encrypted, but not with the person Alice intended):

As you can see the key changed to the key of Eve without any kind of notification (unless you enable the notify on key change option in account -> security -> enable security notifications). Once Eve releases the communication ban of Bob and bob tries to open WhatsApp he will be presented with the following message:

With the result of contact information and incoming messages that were not yet delivered being captured by an Advanced Persistent Threat. This example involved the official client, but there are third party APIs available to automate this completely. The impact is relatively small compared to Telegram (where you can access all contacts and chat history), but this might still be abused by governments that want to censor on WhatsApp. Once in control of the account, they might also choose to shut down groups or send misleading information.

Security vs User Experience

If you look at the current state of these messaging apps, it all comes down to security versus user experience. Yes, it would be safer to be able to use pseudonym usernames with passwords instead of very easy identifiable phone numbers with SMS authentication, but it would break the accessibility for the masses. The whole idea of a "good" messaging app is based on the accessibility for all people to make communication easier. Fortunately the usage of security and user experience friendly techniques is growing (otherwise e2e encryption would probably not have been implemented yet), but it also requires education to the users to properly verify correctness. For example checking the keys should be a must to make sure you are correctly communicating. You need to make sure you enable the notification on key change in WhatsApp. If you consider yourself an activist you also must realize that you cannot trust the phone infrastructure, because it will most likely be in control of Intelligence Services.

If you want to use WhatsApp and be sure you talk to the correct person, make sure you at least once verify the keys in person, and enable the "notify on key change" option under account -> security -> enable security notifications. For Telegram you should really activate 2FA to make sure that you don't wake up with an unknown login sometime in the future.

Sources

Jacobs, F. (2016, 14 January). On SMS logins: an example from Telegram in Iran. Retrieved from BrainOverfl0w: https://www.fredericjacobs.com/blog/2016/01/14/sms-login/

mgp25 (pseudonym). (2016, 20 April). Private e-mail conversation.

Rad, A. (2016, 9 January). A 264 Attack On Telegram, And Why A Super Villain Doesn't Need It To Read Your Telegram Chats. Retrieved from alexrad: http://www.alexrad.me/discourse/a-264-attack-on-telegram-and-why-a-super-villain-doesnt-need-it-to-read-your-telegram-chats.html

Maikel Zweerink

Read more posts by this author.

Gelderland, The Netherlands
Load comments (Disqus)