Slashdot Mirror


Encrypted WhatsApp Message Recovered From Westminster Terrorist's Phone (indiatimes.com)

Bruce66423 brings word that a terrorist's WhatsApp message has been decrypted "using techniques that 'cannot be disclosed for security reasons', though 'sources said they now have the technical expertise to repeat the process in future.'" The Economic Times reports: U.K. security services have managed to decode the last message sent out by Khalid Masood before he rammed his high-speed car into pedestrians on Westminster Bridge and stabbed to death a police officer at the gates of Parliament on March 22. The access to Masood's message was achieved by what has been described by security sources as a use of "human and technical intelligence"...

The issue of WhatsApp's encrypted service, which is closed to anyone besides the sender and recipient, had come under criticism soon after the attack. "It's completely unacceptable. There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other," U.K. home secretary Amber Rudd had said.

Security sources say the message showed the victim's motive was military action in Muslim countries, while the article adds that though ISIS claimed responsibility for the attack, "no evidence has emerged to back this up."

2 of 143 comments (clear)

  1. Re:Bullshit. by Anonymous Coward · · Score: 5, Interesting

    It's possible that they didn't actually decrypt anything and, instead, managed to get into the phone. If the terrorist didn't secure his phone, then whatsapp could easily be opened and messages read. They had access to his phone, that was stated in the article.

  2. Huh? crooks in brazil do this all the time by Anonymous Coward · · Score: 5, Interesting

    (OBNOTE: they might have done something far different, but this is one way it could be done -- and it is being done in Brazil):

    1. Clone the victim's phone line (not chip, not iemsi, you just need to reassign its phoneline. Costs about US$100 in Brazil to get a sleazy, disgruntled phone-company-cellphone-outlet employee to do it for you).

    2. Using the rogue SIM that has the victims' phone number active for a while, install whatsup. Do the SMS verification, it will pass. And yes, that *does* mean you could use the same !@#$@#$ trick to invade banking accounts, steal accounts with SMS verification enabled, etc. Say, like google, microsoft, or DNS registrar (and from there, anything else, such as US$ 200k-worth twitter identities, etc).

    ==> IT IS NO JOKE that the newest US gov regulations *strongly recommends against* (read: FORBID) the use of anything phone-carrier-routed (SMS, voice, phone number, etc) for security id/validation.

    3. Whatsup will download the message history and contacts database, and you have access to the information.

    Now, if the target is not an imbecile, he has whatsup 2FA enabled. That means step (2) is a lot more difficult, *but not impossible*. Here's where human intelligence can help, phone hacking can help, and even a court order for whatsup to NOT nuke the account no matter how many failed tries (assuming this does not run afoul of whatever protections did not allow them to order whatsup to shell out the history directly) can help.

    IOW: have you removed the insanely dangerous "phone-number-based" recovery options of every account you treasure? If you did not, you better do now. It is quite possible to add defensive layers to SMS-based and voice-based recovery options, but all of them are of the "force several successful attempts over a *large* period of time, with random factors involved" so that the victim will notice what is happening, recover his phone number, and engage defensive measures. NOBODY implements this.