Not Only You Have Access To Your Messenger

True, hackers can penetrate your phone. But what if I tell you they’re not the only ones to read your chats?

ROKKEX
ROKKEX
Jun 18 · 6 min read

In 2015, a conflict broke out between Apple and the FBI. The Apple corporation refused to unlock the encrypted smartphone, which was physical evidence in the case of the terrorist attacks in San Bernardino. At that time, it was a real problem: the data was properly protected, and it was almost impossible to hack a smartphone.

Eventually, the smartphone was hacked, and Cellebrite, which we’re going to mention further, is suspected to be behind it.

Now things are different. For example, the Israeli company Cellebrite sells software and hardware packages to legal entities in Russia and other countries, which allows hacking iPhone and Android smartphones. Last year, they even created an advertising booklet with detailed information on this topic.

Americans have technologies that allow hacking smartphones as well. The company Grayshift suggests hacking 300 smartphones for $15,000 (this is $50 per unit, compared to $150 by Cellebrite).

Cybercriminals likely have similar devices. Moreover, the devices are improved continuously — size decreases & productivity increases, for instance.

If we’re talking about major manufacturers of smartphones, they are more concerned about protecting the data of their users. However, smaller companies don’t pay much attention to encryption and data safety so the device can be hacked without any hurdles.

Still, don’t believe us? Let’s show you what danger your favorite messengers can pose.

Telegram

Back in October 2018, a freshman of Wake Technical Nathaniel Suchy found out that Telegram messenger stores messages and media files on a local computer disk in the open form.

The student was able to access his chats. For this, he examined Telegram databases stored on the HDD. He found out that the data was hard to read, but not encrypted. The access can be obtained even if the user has set a password on the application.

In the obtained data, the names and telephone numbers of the interlocutors were found, which, if desired, can be compared. Information from closed chats is also stored openly.

Later, Durov said that this was not a problem, because if an attacker has access to a user’s PC, they can get the encryption keys and decode the entire correspondence without any problems. However, information security experts claim that this is still serious.

WhatsApp

The messenger also stores data on a computer disk in an unencrypted form. Accordingly, if the attacker has access to the user’s device, then all information is also vulnerable.

However, there is a more significant problem. All backups from WhatsApp installed on Android OS devices are kept on Google Drive, as Google and Facebook agreed on last year. The backups are stored in unencrypted form. As far as we can judge, security officials of the US have access to Google Drive, so it’s possible that security officials view any stored data.

The data can be encrypted, but both companies do not do that. WhatsApp doesn’t encrypt data not because it is hard to implement technically, but because of cooperation with Google. Google supposedly analyzes the data stored on Google Drive servers and uses it to display personalized ads. If Facebook suddenly introduced encryption for WhatsApp backups, Google would instantly lose interest in the partnership: there’ll be no valuable source of data about users’ preferences. This, of course, is only a theory, but apparent in the world of marketing.

As for iOS, the backups are saved in the iCloud. The information is also stored in an unencrypted form, which is stated even in the settings of the application. It’s unclear whether Apple analyzes the data or not because they don’t have an advertising network, like Google. We can guess that they are less likely to examine the personal data of WhatsApp users.

All this can be stated as follows — yes, not only you have access to your WhatsApp messages.

Signal

Apparently, accessing users’ chats is the most widespread flaw in instant messengers. WhatsApp allowed hackers to modify chats to spread fake news, Telegram gives access to chat through SMS, but Signal was no better in May 2018.

That May was extremely tough for the company as twice per one week severe vulnerabilities were identified and later had to be patched. To exploit a bug, all an attacker needed was to send a malicious HTML/javascript code as a message and then quote/reply to that message with any text. When a victim received the quoted message, malicious code would automatically execute the payload, without requiring any user interaction. The bug could have stolen even the hashed passwords of Windows users.

Facebook Messenger

Over the past few years, Facebook has come through the fire of several privacy violations and mishandling of user data. In March 2019, a new vulnerability has been identified.

“The problem lies in how browsers manage embedded content in web pages, this flaw is not inherent to Facebook,” mentioned a social network security alert.

The vulnerability was exploited when parsing iFrames (code used to attach content). The Messenger loads a certain number of iFrames for the people with whom a user has interacted and with whom he never speaks in this messenger. For the success of the attack, a user should click on a link that redirects to the website where the investigator’s tool is located. The bug was fixed entirely by eliminating iFrames from Facebook Messenger completely.

In simple terms, a flaw on Facebook would have allowed knowing whom a user was chatting with.

Other Messengers

Most of the instant messengers have this or that vulnerability, which allows attackers to listen to users or steal their data. Besides, almost all applications from the top 5 store user data in an unencrypted form on the hard drive of the PC or in the phone’s memory. Besides, the special services of various countries also can have access to user data.

What To Do?

We do know that people are reluctant to protect their devices against intruders, so that the list won’t be too detailed and will enumerate only the basic methods that reduce the likelihood of third-party obtaining of your data:

  • Control the physical security of your devices. Took a corporate PC in a cafe and forgot it there? Classic. Safety standards, including corporate, are written with tears of victims of their negligence.
  • Set passwords everywhere, including the chat history in Telegram and other instant messengers. Naturally, passwords need to be complex; use a password manager for that.
  • Update your messengers when a new version arrives; an old one is likely to have unpatched bugs.
  • Two-factor authentication — it’s usually inconvenient, but if the security issue comes first, you have to accept it.

It is advisable to use data encryption on both a smartphone and a PC. Different operating systems often provide proper default tools.

You May Also Like

Must-Have Encryption Software to Protect Your Data in Case of a Device Loss or Theft

It’s OK to Be Paranoid Online

Cryptolocker and Simple Antiphishing Tips

At ROKKEX, we take security extremely seriously and our crypto exchange is built on ‘Security First’ principle. We want to share our expertise with the broader public for the world to become happy, safe, and wise :)

If you have any ideas and suggestions, contact us at

Website . LinkedIn . Facebook . Twitter . Telegram . Reddit . Instagram .


ALTCOIN MAGAZINE

The best damn place to read and write about crypto and blockchain.

ROKKEX

Written by

ROKKEX

Security First! ROKKEX is a crypto exchange built by cybersecurity and fintech professionals. Try our demo https://exchange.demo.rokkex.com

ALTCOIN MAGAZINE

The best damn place to read and write about crypto and blockchain.