Hello everybody. My name is Dennis Wijnberg, and together with Dr Nhien-An Le-Khac, I’m presenting about Alternative Methods for WhatsApp interception. This research project was part of my dissertation in partial fulfillment of my Master of Science degree for the University College in Dublin. Do you want to know more about my research project or do you want to receive all data used for my research project? Please send me an email on firstname.lastname@example.org.
On a daily basis, law enforcement officers all over the world struggle with the same problem. They want to know what their subjects are doing. They want to get ahead of the crime and they want to know what they’re doing, when they’re doing and why they do it, and how much money they make with it. In order to do that, they have to read along in real time, if possible with their subjects.
Unfortunately, over time, communication applications, such as WhatsApp, Signal, Threema, Telegram have replaced regular WhatsApp, excuse me, SMS communication. Want to read along with WhatsApp messages? And it’s often thought that it’s not possible to do such a thing anymore, but there are more possibilities than what most people think.
During this research project, I have done an enormous amount of research on everything that was known about WhatsApp interception, which methods are there, how can they be used, and how can they be prevented. Since this presentation can only be 20 minutes, I have to be very short on each subject.
The scope of my research project was not to do any research post-mortem on physical devices. For example, on a mobile phone, the scope was not to use any subpoena to get information from WhatsApp. I used several forensic digital methods to get data from WhatsApp and combine them to get as much as possible. I have used the same structure with all methods I’ve found. And I will mention the methods one by one. I’m using the same structure for all of these methods.
The first question is which methods can be identified, which information can be gathered using one of them, one of each method, which steps to take in order to successfully fulfill the method and how these methods can be prevented.
In the slide you can see all the alternative information I’ve already used. In this slide, you can see everything that I’ve worked with, all literature, and you can see them all, and what you can see that some of them use metadata, some of them use open data. Most of them are about historic content that can be gathered doing forensic research on a phone. Some of them are about future content and none of them are about real time content.
In this slide, you can see which software versions I’ve used for both the mobile phones, as well as the WhatsApp version.
The first method describes a WhatsApp account takeover. The first question you can ask yourself is, was there even a WhatsApp account, giving a certain number, phone number you’ve used.
If you can take over a WhatsApp account, you can see in which WhatsApp group someone was a member. You can also see their role – were they just a normal member, or were they an administrator moderator. You can see the name of the group or groups, if they are multiple, and you can see the other members of the group, you can see their phone numbers and you can see their display names if they send in the group after you’ve joined them, which are new account. You will also receive messages that are still in transit. So between the period that they have sent the message and you have taken over the account.
And the last thing you can see, are the messages that are sent after the take-over, but how can you do it? The first option is to do an interception on the phone number. Make sure that the phone number is intercepted, and read along the two-factor authentication message, enter it on your phone, and then you get, you have taken over the account.
The second method is to do a seizure of the phone or just a SIM card. Put the SIM card in your own phone, enter the number during the WhatsApp installation, you will receive the message to confirm that you have access over the number – you have control over the number, and you’ve taken over the account.
Now what’s the risk? The risk is that the phone has to be physically in your hands in order to be successful in this method. The second thing is it will show on the phone Web WhatsApp is active. The third thing is that you can see where the messages are read on the web WhatsApp as well. So you can actually only read the messages that are already, excuse me, that are already read on the phone, if you don’t want to spook them.
How can you prevent the second method, Web WhatsApp? You can enable biometrical access to your WhatsApp account. So whenever someone has your phone, they also have to unlock it in order to be successful in order to create a pair. You can use a safe phone, with a safe access code, and don’t leave your phone unattended. That’s the third option.
The third matter that I’ve described in my research project is only disclosed for law enforcement agencies and law enforcement officers. If you are a law enforcement officer, I can send you the information. I can send you the method, but since it’s too much of an asset for us, I can’t disclose it for all of you. I’m so sorry about that. Are you a police officer, are you with law enforcement, please send me an email from your law enforcement email account on Dennis.Wijnberg@politie.nl
Fourth method that I’ve tried, it’s actually a failed method. I was not successful, but I want to share with you either way, maybe someone else can proceed on what I found and make it better.
The idea was to create a Web WhatsApp session that does not already exist. I’ve compared the local storage from the web browser, with web_sessions.db on the phone. I’ve compared WABrowserid with browser_id as you can see here. As the slide shows the WASecretBundle ‘enckey’ and ‘mackey’ are both part of the secret key secret string, as mentioned in web_sessions.db. The enckey contains the last 32 bits, and the mackey contains the first 32 bits. Bytes. I’m so sorry, bytes. And they’re both base64 encoded.
The problem is that WAToken2 does not exist in web_sessions.db. I think it is because it’s stored on a server somewhere. It’s not stored in web_sessions.db, so it cannot be injected in web_sessions.db, otherwise you could create something in the local storage and then inject it in web sessions if you have access to that file on the phone. I know it’s all quite hypothetical, but I think it could be, it could be working if you had web_sessions.db, if you have, if you had WAToken2 there.
The fifth method is WhatsApp Calls. It allows you to see the IP address of the person someone is calling with. This only works if both parties are in their address lists in WhatsApp in the contact list, or otherwise this will not work.
As you can see in the diagram below, in the evidence below, in the monitor set up Samsung S8 called with an iPhone eight. iPhone eight was connected to my MacBook Pro using Wireshark in order to intercept all signals and the backward pair was connected with the router. And then the router with the Internet, of course. The iPhone was connected over 4G.
This example shows that I could see the IP address of the person I was calling with. In this slide you can see how it looks in Wireshark, for example, and I’ve mentioned a display filter in Wireshark: stun.type equals 0 X 0 0 1 [note – this is different between the slide and the talk]. And ip.dst != 192.168.1.0/16.
In this case, my internal traffic has filtered from the other traffic. How can this method, method 5, be prevented? Of course you could use a VPN, virtual private network, so the IP address will not show. Another option would be to do only wifi on major locations where a lot of people are on the same wifi network.
During my research project, I’ve seen that several fugitives were calling their parents, their children, their loved ones using WhatsApp. That allowed us to see the IP address of the person they were calling with. Since the family calls were all intercepted, we could find their location abroad. They were arrested over there.
The sixth method is about WhatsApp open source intelligence. As my research shows, multiple things can be gathered by using WhatsApp open source intelligence. For example, someone’s profile picture. This can be used to identify whether a person is using WhatsApp or not. It can also be used to see what number is currently attached to a certain person, for example.
This previously was impossible to do this by enumeration. So for example, in the Netherlands, we start mobile phone numbers with 31 for the Netherlands, 6 for a mobile number, and then we have several codes for several mobile phone providers. After that is a random amount of — it’s not a random amount of numbers, it’s an amount of numbers that can be enumerated and therefore can be automated. And therefore you could retrieve all those phone numbers and their profile pictures attached. Lauren Clusit [name?] did in 2017 research on this.
What also can be gathered is when someone was online for the last time. This can be used for law enforcement to see whether someone has a regular pattern for living in a certain time zone, for example. It can also be used for an employer to see whether their employee is going on a regular time to bed, to sleep. Why do they perform on a certain level at work? It can be misused by employers as well. Last thing that can be gathered is that about, so you can, someone can enter there or someone about details of their life, and this can also be retrieved.
How can this method be prevented? In the privacy tab, in the account settings of WhatsApp, you have several options to disable. You can, for example, the last seen, profile photo, about, and status, and you can select whether this is visible for no-one, for everyone, or only for your contacts. As this image shows a daily pattern can be gathered. You can see when two people had a conversation based on when they were online and when they were not. You can see what their work hours are. You can see how often they use WhatsApp. Is that a normal behavior for someone in a certain job? Your employee, your employer can watch this for an employee unless you have forensic countermeasures, of course.
Would you be comfortable with your employer seeing all this about you? Last but not least we also have to think about ourselves. We have to think about our own security in order to not become a victim.
This method is not unique for WhatsApp. It can also work for other messaging systems. This research is in motion continuously. So if you have any new findings about this subject, please feel free to contact me. I can show you all of my research data, and I’m really happy to share everything I’ve found and what I’ve found, especially for law enforcement officers I can show you even more.
As this slide shows, there are several methods to do and to use alternative methods for WhatsApp interception. On the left, you can see all the methods I’ve just described. And on top of it, you can see what can be gathered. If you have any questions, you can ask them after this presentation, or you can send me an email at email@example.com