WhatsApp Is Using IMEI Numbers As Passwords
mpol writes "In the past, WhatsApp has been criticized over their insecure use of XMPP. Recently, new versions of their app have incorporated encryption. It seems the trouble isn't over yet for WhatsApp and its users. Sam Granger writes on his blog that WhatsApp is using IMEI numbers as passwords. This is at least the case with the Android app, but other platforms are probably using similar methods. Since someone's IMEI number is easily readable, this isn't really secret information that should be used for authentication."
"The Mind Has No Firewall" by Timothy L. Thomas. Parameters, Spring 1998, pp. 84-92.
The human body, much like a computer, contains myriad data processors. They include, but are not limited to, the chemical-electrical activity of the brain, heart, and peripheral nervous system, the signals sent from the cortex region of the brain to other parts of our body, the tiny hair cells in the inner ear that process auditory signals, and the light-sensitive retina and cornea of the eye that process visual activity.[2] We are on the threshold of an era in which these data processors of the human body may be manipulated or debilitated. Examples of unplanned attacks on the body's data-processing capability are well-documented. Strobe lights have been known to cause epileptic seizures. Not long ago in Japan, children watching television cartoons were subjected to pulsating lights that caused seizures in some and made others very sick.
Defending friendly and targeting adversary data-processing capabilities of the body appears to be an area of weakness in the US approach to information warfare theory, a theory oriented heavily toward systems data-processing and designed to attain information dominance on the battlefield. Or so it would appear from information in the open, unclassified press. This US shortcoming may be a serious one, since the capabilities to alter the data-processing systems of the body already exist. A recent edition of U.S. News and World Report highlighted several of these "wonder weapons" (acoustics, microwaves, lasers) and noted that scientists are "searching the electromagnetic and sonic spectrums for wavelengths that can affect human behavior."[3] A recent Russian military article offered a slightly different slant to the problem, declaring that "humanity stands on the brink of a psychotronic war" with the mind and body as the focus. That article discussed Russian and international attempts to control the psycho-physical condition of man and his decisionmaking processes by the use of VHF-generators, "noiseless cassettes," and other technologies.
An entirely new arsenal of weapons, based on devices designed to introduce subliminal messages or to alter the body's psychological and data-processing capabilities, might be used to incapacitate individuals. These weapons aim to control or alter the psyche, or to attack the various sensory and data-processing systems of the human organism. In both cases, the goal is to confuse or destroy the signals that normally keep the body in equilibrium.
This article examines energy-based weapons, psychotronic weapons, and other developments designed to alter the ability of the human body to process stimuli. One consequence of this assessment is that the way we commonly use the term "information warfare" falls short when the individual soldier, not his equipment, becomes the target of attack.
Information Warfare Theory and the Data-Processing Element of Humans
In the United States the common conception of information warfare focuses primarily on the capabilities of hardware systems such as computers, satellites, and military equipment which process data in its various forms. According to Department of Defense Directive S-3600.1 of 9 December 1996, information warfare is defined as "an information operation conducted during time of crisis or conflict to achieve or promote specific objectives over a specific adversary or adversaries." An information operation is defined in the same directive as "actions taken to affect adversary information and information systems while defending one's own information and information systems." These "information systems" lie at the heart of the modernization effort of the US armed forces and other countries, and manifest themselves as hardware, software, communications capabilities, and highly trained individuals. Recently, the US Army conducted a mock battle that tested
The intent of this blog post is not to give "hackers" or "scriptkiddies" any funny ideas, but merely for awareness.
And yet, after reading the blog post, I see he made no mention of warning WhatsApp, giving them a chance to alter this, etc.
Nicely done with the "responsible disclosure".
And who cares what is uses for passwords?
And why should I care?
Also. Get off my lawn.
Yes and porn is watched for the acting.
"Maybe this world is another planet's hell"
Aldous Huxley
Acronym abuse! If you use an acronym, spell it out the first time you use it, or expect your communications to be taken as nonsense.
"National Security is the chief cause of national insecurity." - Celine's First Law
Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware
In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms
How many rootkits does the US[2] use officially or unofficially?
How much of the free but proprietary software in the US spies on you?
Which software would that be?
Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.
How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?
If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?
I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:
APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government) your NIC, and many other devices.
Where are the commercial or free anti-malware organizations' and individuals' products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard-to-find or 'deleted/junk posts' forum section, or someone or a team of individuals will mock you in various forms: 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.
The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.
Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.
Don't let them get you down; the information is plentiful and out there, some of it from well-known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above, which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware
Even though the UDID was not supposed to be used for authentication-like purposes, some app developers were leaning on it... really better to just make apps create a UUID themselves and make use of that. Of course, then for authentication you need a real login of some kind.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
To be fair, they are using the MD5 of the IMEI. Not just the IMEI in plain text. But I think people are more worried about someone getting their WhatsApp info from the IMEI, and not the other way around.
What good would a "warning" do? This isn't some accidental security slip-up, it's a sign of utter incompetence.
Anybody who cares about their security with mobile texting should be using one of the services out there that are designed for it, like Gliph or TigerText.
WhatsApp has had security problems in the past, and it seems like their users really don't care.
Why are these people not asking _one_ person that understands security before implementing the same tired old stupid mistakes again? There is not even space for responsible disclosure here. The only thing to tell users is to stay away from this insecure trash. If they make beginners' mistakes like these, there is likely no way to fix this app without a complete re-design.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
But they should use the IMSI number, not the IMEI number. And combine it with a password, then you get into a better level of security than with only a password since you are using something you have.
However with the recent rise in malicious apps for phones using the phone for anything secure is risky.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Couldn't they just use said IMEI and mix the user name or another mix inside of the IMEI for the password to keep the identifier unique?
"If they aren't doing anything wrong, what have they got to hide? Why do they need to encrypt things?"
Any discussion about security has to have that in there somewhere. This time I got there before the NSA dude...
Anyone who writes mobile apps _must_ have noticed that Apple is removing the APIs to read UDIDs (Universal Device Identifiers) - because of privacy concerns, and because using a device to identify a user is stupid in the first place. IMEI numbers are supposed to be unchangeable, so they are UDIDs as well, so it is obvious that the reasons why UDIDs shouldn't be used apply to IMEI numbers as well.
I don't write Android code, but I would be sure that they have some easy means for an app to generate a UUID (Universally Unique Identifier) and stash it away safely, which is what an app should use.
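The two points raised in this thread, that hashing the IMEI (the MD5 comment above) adds no secrecy because the input is a readable identifier, and that an app should instead generate and store its own random identifier, can be shown side by side. The following is an added example, not code from WhatsApp, from Sam Granger's post or from any commenter; the function names, the per-install secret scheme and the sample IMEI are constructed for illustration. The weak scheme is reproduced only to show that it is a pure function of a public value; the hardened scheme is what the UUID suggestion amounts to in practice.

```python
"""Why a hash of a device identifier is not a password.

Added example (not WhatsApp's code). Contrasts the scheme described in the
thread, password = MD5(IMEI), with a per-install random secret of the kind
the UUID comments suggest. Names and sample values are constructed.
"""
import hashlib
import hmac
import secrets
import uuid

# Constructed sample IMEI (15 digits, valid Luhn check digit). Anyone who can
# read the handset or observe the air interface knows a value like this.
SAMPLE_IMEI = "490154203237518"


def imei_is_well_formed(imei: str) -> bool:
    """IMEIs are 15 digits ending in a Luhn check digit. This validates the
    structure only; a well-formed IMEI is still public information."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def weak_password_from_imei(imei: str) -> str:
    """The scheme criticised in the thread. The 'password' is a deterministic
    function of a readable identifier, so hashing adds no secrecy: whoever
    knows the IMEI recomputes the same value."""
    return hashlib.md5(imei.encode("ascii")).hexdigest()


def weak_password_is_reproducible(observed_imei: str, expected: str) -> bool:
    """Models the impersonation risk: knowledge of the IMEI alone reproduces
    the credential exactly. True here is the failure the thread describes."""
    return hmac.compare_digest(weak_password_from_imei(observed_imei), expected)


def provision_install() -> tuple[str, str, dict]:
    """Hardened alternative: an opaque install id plus a random secret that is
    never derived from hardware identifiers. Returns (install_id,
    client_secret, server_record). The client keeps client_secret in
    protected storage; the server keeps only a hash of it."""
    install_id = str(uuid.uuid4())
    client_secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    # A high-entropy random secret does not need a slow password hash, but it
    # must never be stored raw on the server.
    server_record = {
        "install_id": install_id,
        "secret_sha256": hashlib.sha256(client_secret.encode("ascii")).hexdigest(),
    }
    return install_id, client_secret, server_record


def verify_install(server_record: dict, install_id: str, presented_secret: str) -> bool:
    """Server-side check. Constant-time comparison of the presented secret's
    hash against the stored hash; nothing about the handset is consulted."""
    if server_record["install_id"] != install_id:
        return False
    digest = hashlib.sha256(presented_secret.encode("ascii")).hexdigest()
    return hmac.compare_digest(digest, server_record["secret_sha256"])


if __name__ == "__main__":
    weak = weak_password_from_imei(SAMPLE_IMEI)
    print("IMEI well-formed:", imei_is_well_formed(SAMPLE_IMEI))
    print("IMEI-derived credential reproducible from the IMEI alone:",
          weak_password_is_reproducible(SAMPLE_IMEI, weak))
    iid, secret, record = provision_install()
    print("random secret verifies:", verify_install(record, iid, secret))
    print("IMEI hash accepted as secret:", verify_install(record, iid, weak))
```

Two provisioning calls on the same handset yield unrelated secrets, which is the property the IMEI scheme lacks: reinstalling or re-pairing rotates the credential, and a leaked IMEI reveals nothing about it. The remaining risk the thread raises, malicious apps on the same device, is why the client secret still has to live in platform-protected storage rather than world-readable files.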
This isn't a problem on WP7 (can't speak for 8). We needed the IMEI on a project, and only signed OEM applications can get access to it. iOS has UUID access for applications to get around this, as does WP7, but that generally raises issues around privacy.
Issues with IMEI are a bit heavier than UUID style usage. You can block an entire phone globally by reporting the phone stolen with the IMEI to participating carriers. This is irreversible. Malicious though, and rather unlikely. What's more likely is your IMEI can be sold to fake phone manufacturers, which if they ever appear on the same network as your phone simultaneously, both will get blocked globally.
The IMEI is not just "easily readable"; it's sent unencrypted whenever a call is made. This was a deliberate design choice: it could have been sent after the encrypted connection was established, but the writers of the specification chose otherwise. The motivations for this have never been explained, but a lot of people have drawn their own conclusions.
In any case my point is that it's even easier than TFA suggests to obtain someone's IMEI.
Why doesn't slashdot have a tag "morons"? I had to check if this was a joke, it's too stupid to be true...
So when is Jitsi going to get an android port?
Give me Classic Slashdot or give me death!
Hatta, you're actually not far off from Bruce Schneier's "Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'".
-rozzin.
"Since someone's IMEI number is easily readable, this isn't really secret information that should be used for authentication."
I think this should read that IMEI numbers should not be used for authentication.