Security analysis of WhatsApp calls
Some weeks ago, i've published a post about a research on Telegram Messenger by HackerFactor.
The post got a lot of visit, so today i'd like to share a similar analysis, this time focused on WhatsApp calls.
The analysis [1], made by Marvin Schirrmacher, aims demonstrate how the WhatsApp VoIP protocol can be revealed with the help of a jailbroken iOS device and a set of forensic tools.
While there is an official white paper [3] describing the encryption of WhatsApp, there is no detailed overview of how its protocols work or how the security features are implemented. Consequently, there is no foundation for serious security related analysis.
The research is based on three steps:
- Analysis of the network traffic.
- Analysis of the binary files.
- Analysis of the runtime behavior.
performed using this tools:
- Decryption of binaries: bfdecrypt
- Disassembling binary files: Hopper Disassembler and radare2
- Observing network traffic: Wireshark
- Analyzing runtime behavior: Frida
The analysis is really accurate, so i suggest you to take a sit and conscientiously read the technical report.
I quote only conclusions:
To conclude, this article showed that it can be difficult for application developers to hide the implementation of mobile applications. Tools like Frida enable researchers and attackers to gather critical information about the implementation of mobile applications in a short amount of time. Application developers should bear in mind that cryptographic keys can easily be extracted with such tools. For impeding the dynamic analysis of an application, it is useful to strip symbol names from application binaries. Moreover, application developers should remove string constants, which contain critical application information or help to locate functions.
and some highlights:
- WhatsApp applies open source libraries like libsignal-protocol-c [4], libsrtp [5], PJSIP [6] and mbed TLS [7] for implementing the VoIP protocol.
- A value called “master secret” is used for initializing two SRTP streams, which encrypt payloads with AES-128-ICM. The master secret is used as input for a key derivation function, which derives keys, salts and nonces as initialization parameters for SRTP.
- The Noise Pipes Protocol [8], the Signal Protocol and XMPP [9] interact for transporting the master secret to the callee for setting up a call session. The master secret is encrypted with the Signal Protocol, then packed into an XMPP message, which is encrypted with the Noise Pipes Protocol, and sent to a WhatsApp server. After that, the server passes the encrypted master secret to the callee for signaling an incoming call.
- Integrity protection of VoIP calls seems to have flaws. This is because some SRTP streams are not checked for integrity. Moreover, there are streams which compute invalid authentication tags with zero bytes as input, instead of the actual SRTP packet.
- SRTP packets do not reveal sensitive data, except the duration of a VoIP call session.
- A malicious caller is able to manipulate the initial call message. This enables an attacker to confuse WhatsApp clients, so that the callee sees unintended caller information on his device. Social engineering attacks can be realized because of this vulnerability.
References
- Security analysis of Telegram Messenger
- Analyzing WhatsApp Calls with Wireshark, radare2 and Frida
- WhatsApp Security
- https://github.com/signalapp/libsignal-protocol-c
- https://github.com/cisco/libsrtp
- PJSIP - Open Source SIP, Media, and NAT Traversal Library
- SSL Library mbed TLS / PolarSSL
- The Noise Protocol Framework
- XMPP Protocol