I’d like to postulate a hypothesis: are WhatsApp users suffering the same delusions that bedevilled the Enigma machine and its operators? Do WhatsApp fans believe that, because their end to end message is encrypted, it is therefore completely secure? Will there come a point where somebody regrets putting complete trust in the app’s encryption?
Before I begin my investigation, I would I’d like to set the record straight: I’m not suggesting people using WhatsApp today are motivated by the same factors that drove Enigma usage.
WhatsApp is an excellent modern world communication tool. But, I do believe that by looking at encryption’s past we can still learn a great deal about how cyphers can - and should - be used today.
The Enigma machine
Arthur Scherbius, a German engineer, developed his Enigma machine - a device capable of transcribing coded information, in the hope of interesting commercial companies in secure communications.
In 1923 he set up his Chiffriermaschinen Aktiengesellschaft (Cipher Machines Corporation) in Berlin to manufacture his product. Within three years the German navy was producing its own version, followed by the army in 1928 and the air force in 1933.
In the first stages of the war (1940), the British codebreakers are able to read the majority of radio messages from the German Air Force (Luftwaffe) and a modest part of the Army traffic (Wehrmacht)
In 1941, Turing achieves a breakthrough, he discovers the wiring of the additional wheels and the naval message indicator procedure. Aided by the acquisition of a large amount of codebooks from U-Boot U-110 that was captured on 9 May 1941, Turing manages to find a way into the Naval Enigma M3 and decrypt part of the naval traffic.
The Germans were convinced that Enigma output could not be broken, so they used the machine for all sorts of communications on the battlefield, at sea, in the sky and, significantly, within its secret services. Only a select few commanders were made aware of the full significance of Ultra, and used it sparingly to prevent the Germans realising their ciphers had been broken.
Meet WhatsApp
WhatsApp Messenger is a freeware, cross-platform and end-to-end encrypted instant messaging application for smartphones. It uses the internet to make voice calls, one to one video calls; to send text messages, documents, PDF files, images, GIF, videos, user location, audio files, phone contacts; and to forward voice notes to other users using standard cellular mobile numbers. Cade Metz, writing in Wired1, said ‘WhatsApp, more than any company before it, has taken encryption to the masses.’
On May 20, 20112, an unconfirmed security researcher noticed a flaw in the authentication process. It allowed the researcher to hijack an account by trying to login with another phone number and intercepting the verification SMS text message.
In May 2013, another security hole was reported which left communication through WhatsApp susceptible to packet analysis. WhatsApp communications were not encrypted, and data was sent and received in plaintext, meaning messages could easily be read if packet traces were available.
On January 6, 2012, an unknown hacker published a website article detailing how to change the status of an arbitrary WhatsApp user, as long as the phone number was known. To make it work, it only required a restart of the app.
According to the hacker, it was only one of many security problems in WhatsApp. On January 9, WhatsApp reported that it had resolved the problem, although the only measure taken was to block the website's IP address. As a reaction, a Windows tool was made available for download providing the same functionality. This problem has since been resolved in the form of an IP address check on currently logged-in sessions.4
On December 1, 2014, Indrajeet Bhuyan and Saurav Kar, both 17 years old, demonstrated the WhatsApp Message Handler Vulnerability, which allows anyone to remotely crash WhatsApp just by sending a specially crafted message of 2kb in size.
To escape the problem, the user who receives the specially crafted message had to delete their whole conversation and start a fresh chat, because opening the message keeps on crashing WhatsApp unless the chat is deleted completely.
In early 2015, after WhatsApp launched a web client that can be used from the browser, Bhuyan also found that it had two security issues that compromised user privacy: the WhatsApp Photo Privacy Bug and the WhatsApp Web Photo Sync Bug
On March 2, 2016, WhatsApp introduced its document-sharing feature, initially allowing users to share PDF files with their contacts. However, WhatsApp's default state of automatically downloading attachments raised some concerns in the press about risk and security once support for document sharing expanded beyond PDF files5.
In August 2016, WhatsApp announced that it will start sharing account information with Facebook, consisting of the phone number of the account owner and aggregated analytical data.6
On January 13, 2017, The Guardian newspaper reported that security researcher Tobias Boelter had found that WhatsApp's policy of forcing re-encryption of initially undelivered messages, without informing the recipient, constituted a serious loophole whereby WhatsApp could disclose, or be compelled to disclose, the content of these messages, but that Facebook spokespeople, as well as Open Whisper Systems, disagreed with this assessment. A follow-up article by Boelter himself explains in greater detail what he considers to be the specific vulnerability.7
The fourth wheel
A fourth wheel was added to Enigma to increase the security, this increased the number of variables8, it also increased its users’ belief that it was unbreakable
Some people will add another layer of, what they believe is, security by using a VPN but a study by Google’s official Play Market found that the majority aren’t as secure as they say, Some don’t even work at all and fail to obfuscate your IP9.
Over the past half-decade, a growing number of ordinary people have come to regard virtual private networking software as an essential protection against all-too-easy attacks that intercept sensitive data or inject malicious code into incoming traffic.
Now, a comprehensive study of almost 300 VPN apps downloaded by millions of Android users from Google's official Play Market finds that the vast majority of them can't be fully trusted. Some of them don't work at all.
18% didn’t encrypt traffic
16% injected code, including JavaScript which can be used to inject malicious code
84% leaked data linked to IPv6 domain names
U-571
The plot for the film U-571 is very loosely based on the British capture of U-110, her Enigma and the cipher keys. Whatever your views on the historical twist, it can be true to say that - due to the security around the capture and use of the enigma machine - the Germans were under the impression that the machine had sunk with the boat and its crew.
If somebody had their device captured, imaged then returned to them, even in a short space of time, would they be aware that the integrity of that device had now been compromised? Once somebody has the MAC address, which is used as the device address to route messaging in WhatsApp, by temporarily spoofing the MAC address10 the system will reroute the messages to that device.
If the spoofing is conducted for short periods of time, this might increase the time that the user has access to the messages, without the loser knowing his system has been compromised.
Man in the middle
Seeing the interception of Enigma traffic as a man in the middle attack might seem strange but due to the omnidirectional nature of the signals, there was very little control on the direction the transmissions went. The sender might not even know where the recipient was.
The Enigma messages were transmitted using morse code, which is a carrier wave, in the HF spectrum. These can be transmitted hundreds, but more likely thousands, of miles, making everybody a man in the middle.
The term ‘man in the middle’ is quite ironic because most of the Y Services personnel were women during WWII. One thing is known thought that these women collected thousands of transmissions and played a vital part in decyphering Enigma messages.
The modern day man in the middle attack is very similar, one person is sending messages to another oblivious to anybody intercepting their messages. The simplest example of this is when a user is enjoying public Wi-Fi - they log on to the Wi-Fi hotspot, oblivious to who else is around.
Sometimes the Wi-Fi hotspot itself has been spoofed, quite often people will log on to any Wi-Fi that has the word ‘free’ in its name. There is no such thing as free Wi-Fi, there is always something you can get out of the signal, perhaps it’s just linking a device to an email address.
Conclusions
Enigma was state of the art technology. It used the most complicated encryption available, yet even with the limited systems available, the British were still able to break the code and have a ringside seat on the plans of the enemy in the second world war.
There is no doubt that, if the Germans knew that Enigma had been compromised, they would have changed it’s set up, extending the war and costing countless lives.
Whatsapp doesn’t have the same status as a high level command and control device. But, it does have state of the art encryption, which is being constantly developed.
Like the efforts at Bletchley Park, there are numerous specialists that are looking to emulate Alan Turing. With the computing power and connectivity that we have today in this industry, you are not ahead of the game for long.
The lessons learned from looking back at Enigma can be used when using Whatsapp: don’t put anything on there that you don’t want everybody to see, because the moment you forget that is when you find yourself on the front pages of the tabloids.
Biography
After retiring from the Police as a Cyber Crime specialist in 2015, Ian Darlington went on to gain a GCHQ accredited MSc in Computer Forensics from the University of South Wales. Ian's dissertation was called 'Policing Crime on the Cyber Beat', the study looked at improving the investigative opportunities when dealing with Cyber Crime. Ian continues to utilise his extensive experience in Cyber Crime, starting up his own company CyberCSI.