8/24/2020

Group Instant Messaging: Why Blaming Developers Is Not Fair But Enhancing The Protocols Would Be Appropriate

After presenting our work at Real World Crypto 2018 [1] and seeing the enormous press coverage, we want to get two things straight: 1. Most described weaknesses are only exploitable by the malicious server or by knowing a large secret number and thereby the protocols are still very secure (what we wrote in the paper but some newspapers did not adopt) and 2. we see ways to enhance the WhatsApp protocol without breaking its features.


We are of course very happy that our research reached so many people and even though IT security and cryptography are often hard to understand for outsiders, Andy Greenberg [2], Patrick Beuth [3] and other journalists [4,5,6,7,8] wrote articles that were understandable on the one hand and very accurate and precise on the other hand. In contrast to this, we also saw some inaccurate articles [9,10] that fanned fear and greatly diverged in their description from what we wrote in our paper. We expected this from the boulevard press in Germany and therefore asked them to stick to the facts when they were contacting us. But none of the worst two articles' [9,10] authors contacted us in advance. Since our aim was never to blame any application or protocol but rather we wanted to encourage the developers to enhance the protocols, it contradicts our aim that WhatsApp and Signal are partially declared attackable by "anyone" "easily" [9,10].

Against this background, we understand Moxie's vexation about certain headlines that were on the Internet in the last days [11]. However, we believe that the ones who understand the weaknesses, comprehend that only the malicious server can detectably make use of them (in WhatsApp) or the secret group ID needs to be obtained from a member (in Signal). As such, we want to make clear that our paper does not primarily focus on the description of weaknesses but presents a new approach for analyzing and evaluating the security of group instant messaging protocols. Further we propose measures to enhance the analyzed protocols. The description of the protocols' weaknesses is only one part of the evaluation of our analysis approach and thereby of the investigation of real world protocols. This is the scientific contribution of our paper. The practical contribution of the analyzed messengers, which is the communication confidentiality for billion users (in most cases), is great and should be noted. Therefore we believe that being Signal, WhatsApp, or Threema by applying encryption to all messages and consequently risking research with negative results is much better than being a messenger that does not encrypt group messages end-to-end at all. We do not want to blame messengers that are far less secure (read Moxie's post [11] if you are interested).

Finally we want note that applying security measures according to the ticket approach (as we call it in the paper [12]) to the invitation links would solve the issues that Facebook's security head mentioned in his reply [13] on our findings. To our knowledge, adding authenticity to group update messages would not affect invitation links: If no invitation link was generated for a group, group members should only accept joining users if they were added by an authentic group update message. As soon as a group invitation link was generated, all joining users would need to be accepted as new group members with the current design. However there are plenty ways how WhatsApp could use invitation links without endowing the server with the power to manage groups without the group admins' permission:
One approach would be generating the invitation links secretly and sharing them without the knowledge of the server. An invitation link could then contain a secret ticket for the group and the ID of the group. As soon as a user, who received the link, wants to join the group, she can request the server with the group ID to obtain all current group members. The secret ticket can now be sent to all existing group members encrypted such that the legitimate join can be verified.

Of course this would require engineering but the capability of WhatsApp, shipping drastic protocol updates, can be assumed since they applied end-to-end encryption in the first place.

[1] https://www.youtube.com/watch?v=i5i38WlHfds
[2] https://www.wired.com/story/whatsapp-security-flaws-encryption-group-chats/
[3] http://www.spiegel.de/netzwelt/apps/whatsapp-gruppenchats-schwachstelle-im-verschluesselungs-protokoll-a-1187338.html
[4] http://www.sueddeutsche.de/digital/it-sicherheit-wie-fremde-sich-in-whatsapp-gruppenchats-einladen-koennen-1.3821656
[5] https://techcrunch.com/2018/01/10/security-researchers-flag-invite-bug-in-whatsapp-group-chats/
[6] http://www.telegraph.co.uk/technology/2018/01/10/whatsapp-bug-raises-questions-group-message-privacy/
[7] http://www.handelsblatt.com/technik/it-internet/verschluesselung-umgangen-forscher-finden-sicherheitsluecke-bei-whatsapp/20836518.html
[8] https://www.heise.de/security/meldung/WhatsApp-und-Signal-Forscher-beschreiben-Schwaechen-verschluesselter-Gruppenchats-3942046.html
[9] https://www.theinquirer.net/inquirer/news/3024215/whatsapp-bug-lets-anyone-easily-infiltrate-private-group-chats
[10] http://www.dailymail.co.uk/sciencetech/article-5257713/WhatsApp-security-flaw-lets-spy-private-chats.html
[11] https://news.ycombinator.com/item?id=16117487
[12] https://eprint.iacr.org/2017/713.pdf
[13] https://twitter.com/alexstamos/status/951169036947107840

Further articles:
- Matthew Green's blog post: https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/
- Schneier on Security: https://www.schneier.com/blog/archives/2018/01/whatsapp_vulner.html
- Bild: http://www.bild.de/digital/smartphone-und-tablet/whatsapp/whatsapp-sicherheitsluecke-in-gruppenchats-54452080.bild.html
- Sun: https://www.thesun.co.uk/tech/5316110/new-whatsapp-bug-how-to-stay-safe/

Continue reading


  1. Hacking Tools Windows
  2. Hacking Tools For Kali Linux
  3. Hacker Tool Kit
  4. Beginner Hacker Tools
  5. Hack Tools Online
  6. Hacker Techniques Tools And Incident Handling
  7. Pentest Tools Kali Linux
  8. Hack Tools Github
  9. Hak5 Tools
  10. Bluetooth Hacking Tools Kali
  11. Best Hacking Tools 2020
  12. Pentest Box Tools Download
  13. Pentest Tools Nmap
  14. Hacker Tools Hardware
  15. Physical Pentest Tools
  16. Termux Hacking Tools 2019
  17. Hacker Tools Online
  18. Hacker Tools Online
  19. Nsa Hacker Tools
  20. Pentest Tools Website Vulnerability
  21. Pentest Tools Tcp Port Scanner
  22. How To Hack
  23. Hacker Tools Software
  24. Android Hack Tools Github
  25. Hacking Tools Windows 10
  26. Pentest Tools Port Scanner
  27. Hack Tools For Pc
  28. Free Pentest Tools For Windows
  29. What Is Hacking Tools
  30. Physical Pentest Tools
  31. Pentest Tools Bluekeep
  32. Hacking Tools Online
  33. Hacking Tools 2020
  34. Hack Tool Apk No Root
  35. Tools Used For Hacking
  36. Free Pentest Tools For Windows
  37. Hacking Tools For Kali Linux
  38. Hacker Tools 2020
  39. Tools Used For Hacking
  40. Hackrf Tools
  41. Hacker Tools Apk Download
  42. Nsa Hack Tools Download
  43. Android Hack Tools Github
  44. Hacker
  45. Hacking Apps
  46. Hack Tools Download
  47. Hack Tools Mac
  48. Physical Pentest Tools
  49. Free Pentest Tools For Windows
  50. Hacking Tools 2019
  51. Hacking Tools Windows 10
  52. Hack Tools For Games
  53. Pentest Tools Port Scanner
  54. Usb Pentest Tools
  55. Hacking Tools For Games
  56. Hacking Tools
  57. What Are Hacking Tools
  58. Hacking Tools For Kali Linux
  59. Hacking Tools Kit
  60. Hack App
  61. Tools For Hacker
  62. Usb Pentest Tools
  63. Pentest Tools Website Vulnerability
  64. Hacking Tools For Games
  65. Hack Tools Online
  66. What Is Hacking Tools
  67. Hack Tools For Pc
  68. What Are Hacking Tools
  69. Nsa Hack Tools
  70. Nsa Hacker Tools
  71. Hacking Tools And Software
  72. Hack Tools
  73. Free Pentest Tools For Windows
  74. Hack App
  75. Hacker Tools Free Download
  76. Growth Hacker Tools
  77. Pentest Recon Tools
  78. Game Hacking
  79. Hacker Tools
  80. New Hack Tools
  81. Hack Tools For Windows
  82. Hacking Tools Software
  83. Pentest Tools Review
  84. Beginner Hacker Tools
  85. Pentest Tools Online
  86. What Is Hacking Tools
  87. Pentest Tools Download
  88. Pentest Tools
  89. Hack Tools Download
  90. Tools 4 Hack
  91. Hacker Tools Online
  92. Pentest Tools Url Fuzzer
  93. Pentest Tools Apk
  94. Hacking Tools Github
  95. Hacking Tools Online
  96. Hack Website Online Tool
  97. Pentest Tools Open Source
  98. Hacking Tools Github
  99. Pentest Reporting Tools
  100. Top Pentest Tools
  101. Hack Tools For Windows
  102. Blackhat Hacker Tools
  103. Hacking Tools Mac
  104. Hacker Hardware Tools
  105. Underground Hacker Sites
  106. Tools Used For Hacking
  107. Physical Pentest Tools
  108. Hacking Tools For Windows
  109. Wifi Hacker Tools For Windows
  110. Pentest Tools Free
  111. Hacker Tools Free
  112. Pentest Tools Port Scanner
  113. Hacker Hardware Tools
  114. Hacker Tools For Pc
  115. Pentest Recon Tools
  116. Hacking Tools For Windows 7
  117. Pentest Tools Linux
  118. What Are Hacking Tools
  119. Hacker Tools Github
  120. Hacking Tools And Software
  121. Beginner Hacker Tools
  122. Hacking Tools For Beginners
  123. Pentest Tools Online
  124. Hacking Tools Name
  125. Hack Tools Download
  126. What Is Hacking Tools
  127. Hack Tools
  128. Hacking Tools Github
  129. Hack Tools 2019
  130. Pentest Tools Kali Linux
  131. Hak5 Tools
  132. Top Pentest Tools
  133. Hackrf Tools
  134. What Is Hacking Tools
  135. Hack Tools For Windows
  136. Wifi Hacker Tools For Windows
  137. Pentest Tools For Android
  138. Hacker Tools
  139. Hack Tool Apk
  140. Hacker Tools Free Download
  141. Hack Tools
  142. Hacking Apps
  143. Hackrf Tools
  144. Physical Pentest Tools
  145. Pentest Tools Github
  146. Pentest Tools List
  147. Pentest Tools Find Subdomains
  148. Best Hacking Tools 2020
  149. Hack Tools
  150. Pentest Tools Open Source
  151. Pentest Tools Online
  152. Hack Tools For Ubuntu
  153. Wifi Hacker Tools For Windows
  154. Hack Rom Tools
  155. Pentest Tools Bluekeep
  156. Hack Tools For Games
  157. Hacker Tools Linux
  158. Hacker Tools For Ios
  159. Hacking Tools Mac
  160. Hacking Tools For Mac
  161. Hacking Tools Name
  162. Pentest Tools Alternative
  163. Blackhat Hacker Tools
  164. Pentest Tools Linux
  165. Hacker Tools For Mac
  166. Hacks And Tools
  167. What Is Hacking Tools
  168. Hack Tools Github
  169. Hacking Tools Usb

No comments:

Post a Comment