Malicious Threats, Vulnerabilities, and Defenses in WhatsApp and Mobile Instant Messaging Platforms

ShmooCon X - 2014

Presented by: Pablo San Emeterio, Jaime Sanchez
Date: Saturday January 18, 2014
Time: 11:00 - 11:50
Location: Build It Room
Track: Build It

Global surveillance has been a phenomenon since the late 1940s, and Internet and mobile technology are being developed at such a pace that it is impossible to guarantee electronic privacy and nobody should expect it. How strong are the actual Instant Messaging Platforms? Do they take care of our security and privacy? We'll look inside the security of several clients (like BBM, Snapchat, and Line) and will put our focus on WhatsApp.

WhatsApp might not be as widely known as Twitter, but the company announced that it has passed 350 million active monthly users. WhatsApp has been plagued by several security issues in the past, so we decided to start the research. We've discovered several more vulnerabilities that we'll disclose (with proof of concept code), including encryption flaws, remote DoS (making the client crash by sending a custom message), and how to spoof messages by manipulating sender address information.

We'll also release a new version of our tool with different protection layers: encryption, anonymity, and using a custom XMPP server. It's necessary to implement additional measures until WhatsApp decides to take security seriously.

Jaime Sanchez

Jaime Sanchez (@segofensiva) is passionate about computer security and has worked for over 13 years as a specialist advisor for large national and international companies. He holds a Computer Engineering degree and an Executive MBA, as well as several certifications like CISA, CISM, CISSP, just to name a few. He is a frequent speaker introducing new bugs, exploitation techniques and mitigation, at events such as RootedCON, Nuit du Hack, Black Hat Arsenal USA 2013, Defcon 21, DeepSec and BlackHat Sao Paulo. He also writes a blog called SeguridadOfensiva (www.seguridadofensiva.com), touching on current topics in the field of hacking and security.

Pablo San Emeterio

Pablo San Emeterio (@psaneme) is a computer security enthusiast. He has worked for the last five years in the R&D department of Optenet, a Spanish company specialized in network security with a presence in major ISPs worldwide. He is a Computer Engineer, holds a Master's in Auditing and Information Security from UPM, and is certified as CISA, CISM and Oracle DBA. He has spoken at conferences like RootedCON, NcN, and CiberSeg.

