Defeating Encryption: Are popular messaging apps REALLY that secure?

Texting has become a large part of all our lives; in fact, it is the most prevalent form of communication for under-50s [1]. We trust these applications to handle our sensitive chats, personal details and all kinds of private communications, often without giving it a second thought.

Problems with Implementation

WhatsApp suffered a significant security vulnerability in 2019: a buffer overflow in the app's voice-call handling that could be triggered simply by placing a call to the target, and which let an attacker install spyware and access the content on a user's phone. The flaw was in the app's own code, not in its encryption.

The app uses end-to-end encryption: every phone generates its own key pair, a public key that it publishes through the WhatsApp servers and a private key that it keeps to itself. A message is encrypted for the recipient's public key (strictly, with a session key derived from it) and can only be decrypted with the matching private key.

Only the public key is ever sent out, so anyone who has it (the sender's phone, in this case) can encrypt messages to you, but nobody can decrypt them without the private key, and the private key never leaves your phone. The WhatsApp servers only relay ciphertext; they hold no key that could open it.
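As an added example (not WhatsApp's code, which uses the Signal protocol), here is a toy version of that arrangement in Python: two phones each generate an X25519 key pair, the relay server stores only the public keys and the ciphertext it forwards, and the block shows the recipient decrypting, the relay failing to decrypt with everything it holds, and what happens once one private key is disclosed or lifted from a compromised handset. The X25519 ladder follows RFC 7748 and needs nothing beyond the standard library; the HMAC-based stream cipher, the `Phone` and `Relay` names and the sample message are assumptions made for the example.

```python
"""Toy end-to-end encrypted chat through an untrusted relay. Added example for
this page, not WhatsApp's or Signal's code: X25519 is written out from RFC 7748
so only the standard library is needed, and an HMAC-SHA256 keystream plus tag
stands in for a real AEAD. Not constant-time; for illustration only."""
import hashlib
import hmac
import secrets

P = 2**255 - 19                     # curve25519 field prime
A24 = 121665                        # (486662 - 2) / 4
BASE = (9).to_bytes(32, "little")   # standard base point, u = 9

def x25519(scalar, point):
    """Montgomery ladder from RFC 7748 section 5: returns scalar * point."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64      # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def derive_key(shared, info=b"toy-e2e-v1"):
    """One-block HKDF-SHA256 (RFC 5869): DH output -> 32-byte session key."""
    prk = hmac.new(b"\x00" * 32, shared, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # XOR data with an HMAC(key, nonce || counter) keystream: a toy stream cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(x ^ s for x, s in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(hashlib.sha256(key + b"enc").digest(), nonce, plaintext)
    return nonce + ct + hmac.new(hashlib.sha256(key + b"mac").digest(), nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Verify the tag before decrypting; a wrong key or a tampered message fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(hashlib.sha256(key + b"mac").digest(), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or tampered message")
    return _xor_stream(hashlib.sha256(key + b"enc").digest(), nonce, ct)

class Phone:
    """An endpoint: the private key is generated here and never transmitted."""
    def __init__(self, name):
        self.name, self._private = name, secrets.token_bytes(32)
        self.public = x25519(self._private, BASE)   # the only key that leaves the phone

    def send(self, peer_public, text):
        return seal(derive_key(x25519(self._private, peer_public)), text.encode())

    def receive(self, peer_public, blob):
        return open_(derive_key(x25519(self._private, peer_public)), blob).decode()

class Relay:
    # The provider's server: a public-key directory plus a log of forwarded ciphertext.
    def __init__(self):
        self.directory, self.log = {}, []

    def forward(self, sender, recipient, blob):
        self.log.append((sender, recipient, blob))
        return blob

    def attempt_read(self, sender, recipient, blob):
        # Two public keys and no private key: any key the relay can build is wrong.
        try:
            return open_(derive_key(self.directory[sender] + self.directory[recipient]), blob).decode()
        except ValueError:
            return None

def read_with_disclosed_key(relay, owner, private_key):
    """A key-disclosure notice or a compromised handset yields one private key;
    with it every logged message to or from that phone becomes readable."""
    return [open_(derive_key(x25519(private_key, relay.directory[r if s == owner else s])), blob).decode()
            for s, r, blob in relay.log if owner in (s, r)]

def demo():
    alice, bob, relay = Phone("alice"), Phone("bob"), Relay()
    relay.directory = {"alice": alice.public, "bob": bob.public}
    blob = relay.forward("alice", "bob", alice.send(relay.directory["bob"], "meet at 9"))  # constructed sample
    return {"bob_reads": bob.receive(relay.directory["alice"], blob),
            "relay_reads": relay.attempt_read("alice", "bob", blob),
            "after_disclosure": read_with_disclosed_key(relay, "alice", alice._private)}
```

Running `demo()` returns Bob's decrypted text, `None` for the relay's attempt (the tag check rejects every key it can construct), and the full message list once Alice's private key is handed over. That last result is the point the rest of this article turns on: the server never has to break the encryption if someone else can be made to surrender, or simply hold, the endpoint's key. It is also why this toy is weaker than the real thing: a single static key pair decrypts the whole log, whereas the Signal protocol ratchets keys forward so a key taken today does not open yesterday's messages.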

Most major messaging apps now use the same approach, advertise it as their headline security feature, and users take comfort in it. There is more to keeping information safe than encryption, though, and this WhatsApp flaw is a prime example: the messages were encrypted correctly, but a bug elsewhere in the app let an attacker compromise the phone, and a compromised endpoint reads every message in the clear.

Government Surveillance

Key disclosure law is an important aspect of keeping your messages secure. In the UK, the relevant statute is the Regulation of Investigatory Powers Act 2000 (RIPA). Much of its interception regime has since moved to the Investigatory Powers Act 2016, but the key-disclosure powers in Part III of RIPA, under which a section 49 notice can require you to hand over keys or decrypt material, remain in force. Among other things, the Act:

  • Enables mass surveillance of communications in transit.
  • Enables certain public bodies to demand that ISPs fit equipment to facilitate surveillance.
  • Enables certain public bodies to demand that someone hand over keys to protected information.
  • Allows certain public bodies to monitor people's Internet activities.
  • Prevents the existence of interception warrants, and any data collected with them, from being revealed in court.

This is not limited to the UK: government surveillance is widespread worldwide.

Insecure default settings

In Hong Kong in 2019, police arrested the administrator of a Telegram group used by protesters, on suspicion of conspiracy to commit public nuisance. Like the US, Hong Kong has a legal privilege against self-incrimination, so a suspect cannot lawfully be forced to reveal encryption keys.

However, end-to-end encryption on Telegram is not enabled by default: ordinary chats are encrypted only between the phone and Telegram's servers, which can read them, and the end-to-end "secret chat" mode is opt-in and not available for groups at all. Even if it were enabled, authorities can make a detainee unlock the handset with the fingerprint or facial-recognition unlock that most modern phones offer, at which point the keys, and every message on the device, are in their hands. A typed passcode cannot simply be taken from your body; it has to be demanded, which is where key-disclosure law comes in.

Social Engineering

Another vulnerability that exists in every kind of online communication is social engineering, with phishing the most common form. Encryption protects a message in transit; it does nothing if the person at the other end is not who they claim to be. For example, a government agency may pose as an individual associated with a movement, infiltrate its ranks and obtain information vital to its investigation.

Or someone could create a fake account posing as an acquaintance and obtain your personal information that way.

We offer simulated phishing attacks for your organisation to test how well your training stands up to these kinds of attacks. We also offer free educational materials and phishing courses.

State Sponsored Attacks

State actors are commonly accused of cyberattacks against organisations and individuals. Perhaps the most infamous example: in 2017 the Russian government was accused of launching the NotPetya ransomware attack against Ukraine, an attribution the UK and US governments made formally in 2018. Recently, cyberattacks against banks reported to be "state-sponsored" have been on the rise [2].

Telegram has accused the Chinese government of DDoSing its servers (flooding them with requests until they become inaccessible) during the 2019 Hong Kong protests [3].

Conclusion

The events and ideas in this article are just a small snippet of reality. They show how important it is for a business to maintain a strong understanding of the extent of state intervention and the legislation in force in every territory in which it operates. Businesses need this in order to protect their private and commercial data and to meet their contractual requirements.