After Jeff Bezos's phone was compromised by a malicious video sent via WhatsApp, it hopefully got all of you thinking about your own phone security, and considering how easily you could be hacked. There are lots of tools, tips and tricks that you can utilise to help protect yourself from cybercriminals, but the unfortunate truth is, if a threat actor is dedicated enough, there is no fool-proof way to defend yourself completely. All we can do is protect ourselves to the utmost of our capabilities… and hope that attackers move on to less well-defended targets.
But when it comes to WhatsApp, is there anything else we can do, beyond pre-existing measures, to protect our accounts? The messages are already encrypted, meaning that threat actors can’t probe into our private conversations directly, but is there another way in? The encryption key to a WhatsApp message is housed on the devices being used in the conversation, so threat actors would need to get their hands on one of these to read through those chat logs. This is where most readers may smugly nod to the fact that they use a complex PIN or biometric entry on their devices. However, what if you could take control of someone’s account by just knowing their phone number? Unfortunately, this is very possible and scarily easy, but there are ways to reduce the risk and protect yourself from this happening to your account, which I will go through at the end of the blog.
When you buy a new phone and restore from your backup, WhatsApp requires a code to be sent to a phone number. That code (usually sent to the device you are installing the app on) validates the phone, allowing you back into your chats. If you have a backup of the messages, they will appear up to the last time it was backed up; if not, the names of the people and groups you are in a conversation with will show without the messages.
Testing the hypothesis
This is where I noticed a flaw. What if I could set up someone else’s WhatsApp account on a new device by simply grabbing the code sent to the target’s phone?
I decided to test my hypothesis on one of my colleagues last week (who is usually on the receiving end of my social engineering office antics but always happy to participate). A note: I would not recommend testing this on anyone who hasn’t provided prior permission. Earlier on in the week I threw into the conversation that it’s always a good idea to back up your WhatsApp chats, just in case she didn’t, as I wouldn’t want her to lose them forever. A few days later I used my spare phone and downloaded the app. It requested my phone number to verify the device it was to be installed on. It wasn’t long before my friend left to make a coffee, leaving her phone in view on her desk, so I typed her phone number into my new WhatsApp account. Her phone instantly received a message (on silent) and I walked past her desk, mentally noting the code. I typed it into the verification field on my spare phone and instantly had control of her account.
I then had the ability to see all her chats in the app but no messages. To take my test to the next level I found a chat called “The Hunz” to which I sent the message “Hey! Having a rubbish day… send memes!” to which I received a ton of funny responses from her unsuspecting friends.
When my colleague returned to her desk with her latte, she was oblivious to the fact that I was in a meme conversation with her friends as I chuckled away to myself. A few minutes passed until she looked at her phone and said out loud “That’s odd, I’ve received a code from WhatsApp for some reason”. I noticed her pensive look, but later found that all she did was delete the message.
Always keep an eye on your phone
I then decided to come clean and told her what had just happened. She could not believe how easy it was to take over an account and felt that there should be more security in place for unsuspecting users. She rightly mentioned that many people leave their phones unattended but think nothing of it, even in public places such as restaurants and bars. I soon re-registered the account on her own phone, placing her back firmly in control of her account, and offered her advice on how to stop this attack, which is as follows:
Firstly, you should turn off previews in your SMS messages. This may sound obvious, but many people desire the convenience of being able to look at messages immediately, without having to unlock their phone. When people use two-step verification without an authenticator app, they tend to receive codes sent via SMS, but if these can be viewed on a locked screen, they are somewhat pointless for a user who may leave the phone unattended.
Therefore, secondly, you should never leave your phone or any device unattended. I have witnessed countless people on the train fall asleep with their phone left on the table, or even pop to the lavatory and leave it surrounded by strangers. Furthermore, there are many bad apples inside companies, so even if you trust your colleagues, there is always a chance someone else in the business could attempt this attack vector. It’s a point worth repeating: never leave your device alone.
Finally, there is an even better way of protecting your account that needs to be completed right now. WhatsApp created its very own two-step verification for the app a few years ago, which is simple to follow and will stop an attack like this from succeeding. Below is the process of how to do it, so open the app and set it up!
How to set up two-step verification in WhatsApp:
- With the app open, head to Settings/Account/Two-step verification and tap Enable.
- Next, enter a six-digit code that you won’t forget.
- Then enter your email address as an extra failsafe.
- Finally, you will see confirmation that two-step verification is set up on your phone, so it will be far more difficult for someone to hijack your account or transfer your messages to another device.
You’ll now be asked for the PIN at random times when you open WhatsApp. It isn’t every time you open it, and therefore shouldn’t become an inconvenience. It will, however, make you better protected to enjoy safer technology.
Jake Moore, Cyber Security Specialist, ESET