Heise Security’s decisive test has confirmed what tech pundits had long feared: WhatsApp can be hacked by any Average Joe hacker who has the required tools, which for the record are freely available for any aspiring attacker to fulfill his potential. Any user that uses the app via a public Wi-Fi networking is basically inviting the tech mafia to come and delve into their personal data, and do whatever the hell they wish with their account and the messages exchanged through it. And of course once the account is under the hacking gun, there is no way on mother earth that it would be restored to its original secure self – the attackers would hence have a ball, with their repertoire of Whatsapp spy software being used to wreak havoc with the users’ accounts.
Anything but a Secret
Researchers exercising their neurons over the security flaws in the authentication of WhatsApp which have gradually come to the fore. Most of the research is concerning the internally generated passwords on the app, which is generated by the serial number of the device (IMEI) on an Android device, and though the Wi-Fi interface’s MAC address on an iOS device. What this basically connotes that the information being shared via the app then becomes anything but a secret, since the IMEI can be traced on stickers inside the Android phones and they can also be conjured courtesy of a shortcut key combination or indeed by another app. And digging out data is even easier when on iOS devices because the MAC address can be seen by anyone who is within the Wi-Fi network’s range.
Take for instance the example of a public Wi-Fi network, in a crowded coffee house; potential attackers can even muster the user’s phone number through the data packet that WhatsApp transmits. And guess what folks: the hacker doesn’t even have to know who their victim is. No actual need of Whatsapp spy software or an iPhone tracker; the hacker gets everything that they need on a platter.
Heise Security, with invaluable help from WhatsAPI, discovered that taking over both the Android and iOS users of WhatsApp was actually a no-brainer. All the attacker needs to do is insert the phone number, MAC address or the IMEI in a particular script and then they can deliver their desired messages from the account that they have compromised with effortless ease.
Another thing that can be done through the aforementioned script is that it summons a conversation mode, through which Heise Security managed to both send and receive the targeted messages. The sent messages are not seen on the user’s phone and if the script is running neither are the responses that are received.
What the researchers’ experimentation has showed is that users need to be careful with regards to using WhatsApp. iPhone users should never use the app when on public networks, or else their phones would be at the behest of data sniffers, who’d be queuing up their iPhone tracker arsenal to storm inside your open data house. And no there is now way to stop the people around you from penetrating your defense line if they have obtained the MAC address, phone number or IMEI.
Once an account is compromised its password cannot be changed to forestall the attackers’ maneuvers. So basically, the onus is now on WhatsApp to step forward and do something about protecting its users. There is also more than a slight possibility that WhatsApp might have a flaw in the design of the algorithm that generates the keys to encrypt messages, and hence that is another base that needs to be covered immediately if the app wants to sustain its popularity.
The glitches and the chinks in WhatsApp’s armor have been blatantly exposed and hence, it would have to come with something a lot more security inducing to eradicate the apprehension of the plethora of doubting Thomases.