Slashdot Mirror

← Back to Stories (view on slashdot.org)

WhatsApp Is Using IMEI Numbers As Passwords

Posted by Soulskill on from the security-through-handwavery dept.

mpol writes "In the past, WhatsApp has been criticized over their insecure use of XMPP. Recently, new versions of their app have incorporated encryption. It seems the trouble isn't over yet for WhatsApp and its users. Sam Granger writes on his blog that WhatsApp is using IMEI numbers as passwords. This is at least the case with the Android app, but other platforms are probably using similar methods. Since someone's IMEI number is easily readable, this isn't really secret information that should be used for authentication."

57 of 102 comments (clear)

  1. Seriously? by thePowerOfGrayskull · · Score: 4, Insightful

    The intent of this blog post is not give “hackers” or “scriptkiddies” any funny ideas, but merely for awareness.

    And yet , after reading the blog post, I see he made no mention of warning whatsapp, giving them a chance to alter this, etc.

    Nicely done with the "responsible disclosure".

    1. Re:Seriously? by Lehk228 · · Score: 4, Insightful

      responsible disclosure is something earned by responsible actions on the part of developers.

      do something retarded and you deserve to have it blow up in your face like that

      --
      Snowden and Manning are heroes.
    2. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      If an app's security is so clueless, it's quite arguably more responsible to give them maximum public humiliation by not allowing the producer to water down the announcement with a PR show about fixing a flaw they never should have allowed to ship.

      Yup, the app's users are /possibly/ more exposed to script kiddies briefly (the flaw may be well know outside the greater public already), but that's offset is having more people made safer by just dropping the app in revulsion. Also it inflicts maximum pain on the producer for a bonehead move; sometime maximizing the negative-feedback part of learning is real important.

      It's not a simple call to make. I like responsible disclosure, but it's just not always a black-white call.

      Also, "so what?" -- by that I mean only we're always going to have a percentage of people who simply say 'this shit is broken' without contacting the producer. That's got to be factored into developing anything, and glaring at the messenger is pointless. It's a fact of the social milieu.

    3. Re:Seriously? by watice · · Score: 1

      wow. sorry i didn't spend my last mod point on you. Realer words have never been typed.

    4. Re:Seriously? by MrHanky · · Score: 2, Informative

      Meh. It's a proprietary extension to a free protocol, with lock-in included. Fuck them.

    5. Re:Seriously? by kylegordon · · Score: 5, Informative

      There's no need for responsible disclosure when it's been around for months on Github.

      Just check https://github.com/venomous0x/WhatsAPI/blob/63639eafc9a08fd308df72458f1381ec8899940d/README.md and you'll see.

    6. Re:Seriously? by Bogtha · · Score: 2

      I see he made no mention of warning whatsapp

      This isn't an accidental security vulnerability, they deliberately designed their system this way. They obviously already knew their system works this way.

      --
      Bogtha Bogtha Bogtha
    7. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      Only part of the security community believes in responsible disclosure, a large portion of the community is for 'full disclosure', like the post in question here.

      Great example: Security Researchers point out 29 vulnerabilities in Java 7 to Oracle in April, with Proof of Concept code and everything. Oracle patches 2 of the vulnerabilities in the June update. Someone else finds some of the same flaws and exploits them in the wild. Oracle only fixed them after they were being actively exploited. Turns out, the fixes were band aid at best, with a little refactoring, Security Explorations (the Polish researchers in question) updates their Proof of Concept code, all of the exploits still work even after Oracles 'patch'.

      Without the huge public pressure from public disclosure, Oracle just ignores the vulnerabilities.

    8. Re:Seriously? by carlos92 · · Score: 1

      The only thing new it brings to the table is that it feels more like a replacement of SMS. It's easy to install (they obviously prioritized ease of use over security) and it works with your contacts that are already stored on the phone.

    9. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards. That's not a dick move at all.

    10. Re:Seriously? by Anonymous Coward · · Score: 1

      Maybe people will start being more careful about which companies they trust.

    11. Re:Seriously? by mwvdlee · · Score: 2

      Responsible disclosure has nothing to do with the developer, it's meant to protect it's users.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    12. Re:Seriously? by Anonymous Coward · · Score: 1

      The "dick move" here would be to let people remain ignorant about the fact that they are using a "dick" company. Whether they mentioned it to whatsapp or not is entirely inconsequential to the much larger issue of whatsapp being total morons when it comes to security in the first place.

      If my neighbour was worried about security, locks his doors but I notice he always leaves the bathroom window open, I would mention that to him, pointing out his security problem. But if he buys a big sturdy security gate and plops it down on his driveway without even connecting it to his fence, then I'm more likely to laugh about him over a beer with my mates. Stupidity doesn't deserve feedback.

      But if I then saw someone giving their valuables to my neighbour for "safe keeping", you can bet your ass I'd mention that to them, not to my neighbour. He's already proven he doesn't take it seriously.

    13. Re:Seriously? by 2fuf · · Score: 1

      The problem with this attitude is that the end users gets the shit poured over them, as a retribution for the developers' lack of responsibility.

      What kind of dick do you have to be to think that's fair?

    14. Re:Seriously? by Hatta · · Score: 3, Insightful

      "Responsible disclosure" is a completely disingenuous term. Full disclosure is the only responsible route.

      --
      Give me Classic Slashdot or give me death!
    15. Re:Seriously? by Hatta · · Score: 2

      The person who delays announcement of a security hole is allowing a bunch of people to get hacked. If a "security researcher" found the hole, you have to assume a black hat has as well. Make the announcement immediately, so those affected can take the affected systems offline immediately, or make other arrangements.

      Failing to announce vulnerabilities immediately is a dick move that only protects the people that made the vulnerable product.

      --
      Give me Classic Slashdot or give me death!
    16. Re:Seriously? by lindi · · Score: 1

      I have never used whatsapp but I was still fully aware that they use IMEI as a password. This was no secret.

    17. Re:Seriously? by JoeMerchant · · Score: 1

      Failing to announce vulnerabilities immediately is a dick move that only protects the people that made the vulnerable product.

      Wrong, it protects and benefits the black hats who are using the vulnerability even more...

    18. Re:Seriously? by DMiax · · Score: 1

      Sure, they should have alerted WhatsApp that they programmed their system to use IMEI as passwords...

      Hey! I just noticed that you wrote your comment and pushed the submit button and now everyone can read your thoughts! Are you aware of that?

    19. Re:Seriously? by DMiax · · Score: 4, Insightful

      since the app did not pop out of nowhere but someone wrote it, I have to assume that WhatsApp already knows that they are using IMEI as passwords and they are clearly ok with that. It's not a bug or something that slipped in. It is not a side effect of another decision: it is how they intended it to work and it is stupid. The only people who don't know are the current and prospective users, hence full disclosure.

    20. Re:Seriously? by burne · · Score: 1

      Your IMEI is 00-000000-000000. Remember that the checksum calculation is optional.

    21. Re:Seriously? by r1348 · · Score: 1

      Not so much. The best way to protect users is to let them know that the programs they're using are insecure.
      For what we know, a black hat might have discovered this vulnerability (of the moronic kind) months ago and already exploiting it in the wild without user knowledge. Full disclosure fixes this lack of information, the developer now should really fix the app.

    22. Re:Seriously? by kelemvor4 · · Score: 1

      Well.. it's Oracle. Did you really expect them to provide good support?

    23. Re:Seriously? by LingNoi · · Score: 1

      Regardless of it being a dick move..

      > So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards.

      If it's breakable then it's just poor security. This isn't tabs or spaces. This is either you can break into someones account or you can't.

    24. Re:Seriously? by Pausanias · · Score: 1

      Why would anyone ever want to user WhatsApp over google voice is something I don't get.

    25. Re:Seriously? by monzie · · Score: 1

      I wish I had mod points. You hit the bulls' eye there. Developers cannot be stupid and then expect others to be kind to them. Yes I develop mobile apps as well - and If I ever do something this stupid, I deserve to have it blow in my face.

    26. Re:Seriously? by Dishevel · · Score: 1

      Not true.
      If you find yourself dealing with a company that fixes the things you disclose in a timely manner then just throwing exploits out and sitting back
      with your popcorn trying to see if the hackers can fuck the public over before the company can fix it then you are just a dick.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    27. Re:Seriously? by tlhIngan · · Score: 1

      So, let's allow a bunch of people to get hacked because the developer doesn't meet your standards. That's not a dick move at all.

      OTOH, who's to say they haven't ALREADY been hacked and this disclosure merely was bringing attention to the public?

      That's the problem with responsible disclosure - it's really hard to do. Wait too long and people exploit it without your knowledge. Wait too short and they have no chance to fix it (and how long is "enough"? QA processes vary and some places do extensive testing to ensure things don't break, others only do a casual (i.e., it compiles) and ship that).

      And then you have to figure out how much to tell people. I mean, tell too little and the developer just says "it's a theoretical hack". Tell too much and people cry "you just told everyone how to hack everyone's account!".

      It's just like how PSN was shut down last year. It wasn't because hackers got the information and triggered some sort of Sony network monitoring alarm. It was because a bunch of people were getting PSN downloads (games and DLC) for free using PS3s that should never been able to access it. Only when they looked deeper did they realize something was wrong. But until then, who knows how much data was taken, or how long they had access to it?

  2. I love the last line of the article by Meshach · · Score: 5, Insightful

    The intent of this blog post is not give “hackers” or “scriptkiddies” any funny ideas, but merely for awareness.

    Yes and porn is watched for the acting.

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
    1. Re:I love the last line of the article by Anonymous Coward · · Score: 2, Funny

      Yes and porn is watched for the acting.

      porn with acting is called drama on HBO

      spartacus

    2. Re:I love the last line of the article by Viceice · · Score: 3, Insightful

      Porn _IS_ watched for the acting. Because it sure isn't watched for the plot, story or any other production value.

      --
      Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
  3. I call... by msauve · · Score: 1

    Acronym abuse! If you use an acronym, spell it out the first time you use it, or expect your communications to be taken as nonsense.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:I call... by AuMatar · · Score: 1

      If you're on a tech website and reading an article about cell phones without knowing what an IMEI is, you're hopeless to begin with. It's a common enough acronym that no, they shouldn't spell it out- you should stop being a dumbass.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    2. Re:I call... by bipbop · · Score: 1

      i don't think that's true. People should be expected to raise themselves to minimum standards, not meet them ahead of time. After all, it's basically effortless to look it up and learn what it means, and lazy evaluation in reading slashdot doesn't have any negative consequences I can think of.

    3. Re:I call... by MikeBabcock · · Score: 1

      The number of people who ask me what acronyms and even plain English words mean while in front of an Internet-connected PC or smart phone just astounds me. I keep saying "Google it" and they keep looking at me stupid.

      So you type the word you're looking up into Google, hit enter, and voila, its probably the first result.

      --
      - Michael T. Babcock (Yes, I blog)
    4. Re:I call... by AuMatar · · Score: 1

      If you type " define" its almost always the first result. Works well for acronyms too.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    5. Re:I call... by AuMatar · · Score: 1

      That was supposed to be "<word> define".  Fuck slashcode, I posted it at plain old text.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    6. Re:I call... by msauve · · Score: 1

      LOL

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  4. This is why Apple got rid of the UDID... by SuperKendall · · Score: 1

    Even though the UDID was not supposed to be used for authentication like purposes, some app developers were leaning on it... really better to just make apps create a UUID themselves and make use of that. Of course, then for authentication you need a real login of some kind.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:This is why Apple got rid of the UDID... by petsounds · · Score: 1

      Same thing with Social Security Numbers; they were never supposed to be used as a Federal identification number, but companies wanted to track people in a more consistent manner and there was no alternative. In both cases, that doesn't forgive the companies for using these numbers.

  5. Not Quite by Anonymous Coward · · Score: 1

    To be fair, they are using the MD5 of the IMEI. Not just the IMEI in plain text. But I think people are more worried about someone getting their WhatsApp info from the IMEI, and not the other way around.

  6. warning? by kenorland · · Score: 4, Insightful

    What good would a "warning" do? This isn't some accidental security slip-up, it's a sign of utter incompetence.

  7. Re:Nobody Seems To Notice and Nobody Seems To Care by viperidaenz · · Score: 1

    Don't forget your tinfoil hat

  8. Always the same stupid, stupid mistakes by gweihir · · Score: 3, Insightful

    Why are these people not asking _one_ person that understands security before implementing the same tired old stupid mistakes again? There is not even space for responsible disclosure here. The only things to tell users is to stay away from this insecure trash. If they make beginners mistakes like these, there is likely no way to fix this app without a complete re-design.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Always the same stupid, stupid mistakes by StripedCow · · Score: 1

      In case you didn't notice, these days companies are only after the quick buck. This means that they target as large a group of people as they can with minimal effort. This in turn means that security, for example, gets neglected. In other words, the reason is companies have found out that they can exploit the following concept:

      99% OF USERS DON'T CARE

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
    2. Re:Always the same stupid, stupid mistakes by ahoog · · Score: 2

      They don't even have to ask. After years of doing mobile security audits, we complied 42+ best practices for secure mobile development and posted it free online. It's just that secure development takes extra time (and talent) and very few are willing to make that commitment. https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/

      --
      Andrew Hoog
      viaForensics
    3. Re:Always the same stupid, stupid mistakes by Anonymous Coward · · Score: 1

      13 and 14 are kind of bullshit. If an "attacker" can modify your code, you've already lost. Obfuscating your code to make it harder to crack the binary is not security, it's obfuscation. It might give comfort to those seeking solutions to the impossible problems (DRM, copy protection) but in the end it won't help you beyond preventing the most casual/unskilled crackers, and it will make your job as a developer harder.

      Basically if you can't trust the integrity of your own address space you've lost, there is no sense in denying it by making your code harder to read.

    4. Re:Always the same stupid, stupid mistakes by gweihir · · Score: 1

      They are not BS, they are shifting attacker effort. Depending on your attacker model, that may or may not make the app more secure. Unfortunately that is worth far less than it seems can even lower security.

      Unfortunately, it looks like most attackers are not that rational (the Homo economicus is a nice theoretical model, but unfortunately complete BS in practice, as there are basically none of these creatures around) and will keep at one target a lot longer than is economically viable. That means simple obfuscation techniques may keep the kiddies out that do not get it, but no advanced attacker will be impressed in the least. (As you rightfully point out.) As targeted attacks are on the raise (and these are not done by incompetent kiddies in general), obfuscation techniques are even worse then BS, as they create a false sense of security.

      I know from personal experience that it is extremely hard to explain the non-value of such techniques that seem to work on first glance to non-experts (read: managers) and to explain to them that their level of preparedness is actually far, far lower than they think. If that explanation fails, these techniques make the system actually less secure, because other steps that would have helped are not undertaken. After all, "it is already secured".

      So, calling this BS is far too nice ;-)=)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Always the same stupid, stupid mistakes by gnasher719 · · Score: 1

      One goal should always be to make an attack expensive. That doesn't help _your_ app very much, but it helps _everyone_. If it was more expensive to attack _your_ app, then the attacker has less money or time to spend on attacking other apps, and if other apps are more expensive to attack, then anyone who attacked those apps has less money and time to attack your app.

      The perfect app would be one that is actually safe, but looks as if it could be attacked successfully, making an attacker waste their time. So obfuscation as _first_ line of defense is useful. Not as protection, but as a drain on the bad guys' money.

  9. In a way it's useful by Z00L00K · · Score: 1

    But they should use the IMSI number, not the IMEI number. And combine it with a password, then you get into a better level of security than with only a password since you are using something you have.

    However with the recent rise in malicious apps for phones using the phone for anything secure is risky.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  10. Apple removed UDID by gnasher719 · · Score: 1

    Anyone who writes mobile apps _must_ have noticed that Apple is removing the APIs to read UDIDs (Universal Device Identifiers) - because of privacy concerns, and because using a device to identify a user is stupid in the first place. IMEI numbers are supposed to be unchangeable, so they are UDIDs as well, so it is obvious that the reasons why UDIDs shouldn't be used apply to IMEI numbers as well.

    I don't write Android code, but I would be sure that they have some easy means for an app to generate a UUID (Universally Unique Identifier) and stash it away safely, which is what an app should use.

  11. IMEI not just "easily readable" by richard.cs · · Score: 2

    The IMEI is not just "easily readable" it's sent unencrypted whenever a call is made. This was a deliberate design choice, it could have been sent after the encrypted connection was established but the writers of the specification chose otherwise - the motivations for this have never been explained but a lot of people have drawn their own conclusions.

    In any case my point is that it's even easier than TFA suggests to obtain someone's IMEI.

  12. Re:The Mind Has No Firewall by myowntrueself · · Score: 3, Funny

    âoeThe Mind Has No Firewallâ by Timothy L. Thomas. Parameters, Spring 1998, pp. 84-92.

    The human body, much like a computer, contains myriad data processors. They include, but are not limited to, the chemical-electrical activity of the brain, heart, and peripheral nervous system, the signals sent from the cortex region of the brain to other parts of our body, the tiny hair cells in the inner ear that process...
     

    I was half expecting this to turn into another 'MyCleanPC' spam post.

    --
    In the free world the media isn't government run; the government is media run.
  13. Jitsi by Hatta · · Score: 1

    So when is Jitsi going to get an android port?

    --
    Give me Classic Slashdot or give me death!
  14. Re:The Mind Has No Firewall by maxwell+demon · · Score: 1

    Actually the mind has a very effective firewall, as everyone has experienced who tried to convince someone else that his believe system is wrong. However, like any firewall, it can only keep off threats if configured properly.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  15. Re:"Full disclosure is the only responsible route" by Rozzin · · Score: 1

    Hatta, you're actually not far off from Bruce Schneier's "Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'".

    --
    -rozzin.
  16. Re:Slashdot and Wikipedia are for fags. by mynameiskhan · · Score: 1

    I hate name calling from behind the internet. Wassup Mr. Coward?