Slashdot Mirror

← Back to Stories (view on slashdot.org)

Encrypted WhatsApp Message Recovered From Westminster Terrorist's Phone (indiatimes.com)

Posted by EditorDavid on from the no-more-secrets dept.

Bruce66423 brings word that a terrorist's WhatsApp message has been decrypted "using techniques that 'cannot be disclosed for security reasons', though 'sources said they now have the technical expertise to repeat the process in future.'" The Economic Times reports: U.K. security services have managed to decode the last message sent out by Khalid Masood before he rammed his high-speed car into pedestrians on Westminster Bridge and stabbed to death a police officer at the gates of Parliament on March 22. The access to Masood's message was achieved by what has been described by security sources as a use of "human and technical intelligence"...

The issue of WhatsApp's encrypted service, which is closed to anyone besides the sender and recipient, had come under criticism soon after the attack. "It's completely unacceptable. There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other," U.K. home secretary Amber Rudd had said.
Security sources say the message showed the victim's motive was military action in Muslim countries, while the article adds that though ISIS claimed responsibility for the attack, "no evidence has emerged to back this up."

41 of 143 comments (clear)

  1. Bullshit. by Frosty+Piss · · Score: 5, Insightful

    The claim is dubious. Why would they inform all the Terrorists that they can decrypt WhatsApp with ease? They wouldn't. The reason for the "disclosure" is to influence Terrorists to use some other - perhaps less secure - means of communication because they CAN NOT decrypt WhatsApp.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Bullshit. by Anonymous Coward · · Score: 5, Interesting

      It's possible that they didn't actually decrypt anything and, instead, managed to get into the phone. If the terrorist didn't secure his phone, then whatsapp could easily be opened and messages read. They had access to his phone, that was stated in the article.

    2. Re:Bullshit. by janoc · · Score: 2

      That. Or simply retrieved the content from some temporary file/cache/whatever Whatsapp uses. Another possibility is that they simply got the content from whoever the message was sent to - which would explain the "human intelligence" (aka interrogating someone) part.

    3. Re:Bullshit. by thewolfkin · · Score: 3, Interesting

      exactly. physical security is the first security. given that was compromised. It seems more likely that was the vector they used.

      --
      Just another second banana
    4. Re: Bullshit. by Anonymous Coward · · Score: 2, Insightful

      "Using a chat program to hide " doesn't even make logical sense.

    5. Re:Bullshit. by thewolfkin · · Score: 4, Insightful

      This isn't a fucking TV drama, it is more important to get the psychological leverage over the terrorist groups who are reminded they can't use tech to hide. It is also more important to remind the public that terrorists can't do that.

      no it isn't. If anything the past experience with government agencies is that they'll exploit the heck out of security holes they can find and use that to get whomever they want to get. Heck that was the whole point of Snowden. There's no incentive or historical trend of governmental agencies effectively shouting out that they've found a way to see through the door. Instead they keep looking through the door gathering and using intelligence until someone notices.

      at best this suggests that "Oh we're so strong we cracked WhatsApp" but it does so completely at the cost of their loophole. It's a silly stunt that's only effective if they have a backup in place.

      --
      Just another second banana
    6. Re:Bullshit. by Impy+the+Impiuos+Imp · · Score: 4, Insightful

      It's ironic that, if this kind of encryption existed during the US revolutionary war, the King of England would have outlawed it, and therefore the Founding Fathers would have included it as a right in the First Amendment. Government is the problem in the long run, the bigger picture, regardless of any short-term benefits.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    7. Re:Bullshit. by Impy+the+Impiuos+Imp · · Score: 5, Insightful

      Indeed, every time some politician in the West decries encryption for some teeny-tiny, transitory problem like terrorism, billions around the world's hearts sink a little more into despair as their governments break encryption using the same techniques precisely to catch political opposition.

      Says the oppressed in China, Russia, Turkey, "Well, our nightmare continues but damn, we are glad you wern't hampered too much gleaning a useless iota of information on that guy who is one trillionth the plague on your society our governments are on ours."

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    8. Re: Bullshit. by hey! · · Score: 2

      "Using a chat program to hide " doesn't even make logical sense.

      It does if the chat program using public key encryption between the users. In that case even the mediating servers don't have access to message contents.

      The scheme is flawless -- but then it almost always is unless it's devised by a total ignoramus. What they get you on is implementation.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    9. Re:Bullshit. by monkeyzoo · · Score: 4, Informative

      Lookup information on Open Whisper end-to-end encryption, which is what WhatsApp uses. You will see that the whole point of the system is to prevent police from "simply" doing what you have said. There are no unencrypted temporary files, caches, etc.

      Getting the contents from the recipient is a valid possibility however without defeating the technology.

    10. Re:Bullshit. by 110010001000 · · Score: 5, Insightful

      How do you know that is what WhatsApp uses? It is closed source. They could be doing anything, no matter what they CLAIM they are using. They could be sending all of your messages directly to the NSA. Why do people trust closed source apps?

    11. Re:Bullshit. by Patent+Lover · · Score: 3, Interesting

      He wasn't part of a terrorist group. He was a batshit psychopath who watched one too many terrorist videos. The terrorist groups don't hide behind tech, they broadcast it out in the open.

    12. Re:Bullshit. by thegarbz · · Score: 3, Insightful

      Why do you trust open source apps? No really, do you read all the code and then compile it yourself?

      Just because something leaves an audit trail doesn't make it impervious to fraud.

    13. Re:Bullshit. by thegarbz · · Score: 3, Insightful

      The terrorist groups don't hide behind tech, they broadcast it out in the open.

      What a load of garbage. Terrorist groups most definitely do hide behind tech and generally do so quite well. What they do out in the open is lay claim their successful attack.

    14. Re:Bullshit. by markdavis · · Score: 3, Insightful

      >"Why do you trust open source apps? No really, do you read all the code and then compile it yourself?"

      At least it is POSSIBLE. With closed source, it is absolutely impossible for the end user to know what the program is doing. It means watchdog organizations can audit it and anyone can verify it. I don't look at much of my open source code, but you can bet someone is, and all it takes is one person to blow the whistle. And someone can compile it and compare the hashsum on distributed binaries to ensure it hasn't been tampered with downstream.

    15. Re:Bullshit. by TheOuterLinux · · Score: 4, Insightful

      WhatsApp is owned by Facebook. It's encryption is a joke when the right people are asked nicely, hence the "using techniques that 'cannot be disclosed for security reasons.' What they mean is they can't tell you how they did it because it would look REALLY bad if people realized how stupid it is to put your faith in a company that specializes in profiling and biometric data collection; https://www.whatsapp.com/faq/g.... If you're using WhatsApp on Google anything (Android, Chrome, etc.), you're in even worse shape because it's Google for Christ's sake. Remember Dirty COW? Google waited until after the election to fix it while every other Linux-based OS did months ahead of them.

      But anyway, Facebook also invests huge amounts of money into cloud computing and AI. That combination one day will make all encryption and anonymity useless because we will all be digitally fingerprinted whether you have an account or not, especially if quantum computing advances, and you can assume your government will get a copy, just like they get copies of your DNA when you fall for the "fun and easy" TV advertised "ancestry" services. This "profile" is going to replace social security numbers. If you want real encryption (at least for now), use Signal (similar to Telegram but better) or a Tox client (similar to OpenVPN but for messaging). More importantly, use your brain. Both are free and open source and support text, talk, video, and file sharing. I would never use anything that important that I couldn't look at the code for. If you could look at WhatsApp's source code, I think security researchers would be horrified. And, Facebook gets caught spying on their mobile app all the time, so I don't see how WhatsApp would be any different. And just because a lot of people use it, doesn't make it the best. Matter of fact, that would make more of a target.

      Some of the above links are kind of old, but note the ISP one. Legally, your internet service provider in the U.S. can sell your browsing information. Because of this, intelligence agencies can just purchase your data for cheap rather than getting a warrant and paying a government employee to waste their time. I'm mentioning ISP because Facebook has been trying for over a year now to bring the Internet to all kinds of places. They would become an "Internet Service Provider." In any case, if the app has an advertisement, you can be tracked.

      The real note to take away from this is to realize data can be created and never destroyed and don't put anything on the internet you don't want found. I wish people would realize privacy settings are a joke; they only protect you from the average person. Anytime you see "convenient" or "secure" for a service, just assume it's complete BS because your government doesn't have the time or resources to actually physically search and seize everyone so they have software for it, contrary to "Martial Law" conspiracies; cloud computing makes it easier.

      And since this news regarding terrorism, do you know why it was so hard to find Osama? It's because so far as we know, the most technologically advanced thing he ever personally used was a kidney dialysis machine or the Cold War weapons the U.S. gave him. The wor

    16. Re:Bullshit. by johanw · · Score: 2

      Accessing WhatsApp messages on a phone is easy when you have access to the device, even if it's locked (but not encrypted). Or they managed to get access to the unencrypted backup WhatsApp wants to make on Google Drive if you allow it (and have a Google account active on the phone). Assuming it was Android, I don't know how well that works with Apple.

    17. Re:Bullshit. by johanw · · Score: 3, Interesting

      In the case of Signal, I do build it myself from source because I want to make some changes, like adding a decent backup function that Moxie won't do in Signal for some reason he doesn't want to explain. But apart from that, they have reprodcable builds so you can check a self compiled version is the same as the one you download (except for the signature of course).

    18. Re:Bullshit. by AHuxley · · Score: 2

      To heard interesting people to all kinds of other waiting networks that are security service fronts.
      A fancy new app everyone is talking about, that nice GUI, local language support, readable fonts, lawyers and statements about protecting all users rights. Vast funding that never stops.

      It's like buying crypto for an embassy or company in the 1950-80's. So many private sector options for a nation, gov or company to select from. Go with US, UK, NATO quality to keep the Soviet Union out?. Something from a more "neutral" nation with good banking security that just works as installed? It has a great reputation and is so trusted globally.
      NSA and GCHQ had it all covered.
      The Falklands war was the public testing of many mil grade systems sold globally. The GCHQ had the plain text to almost all of the UK, US, NATO export grade systems in real time. South Africa was the only nation that provided any real mil spec design quality that slowed the UK down a bit.

      --
      Domestic spying is now "Benign Information Gathering"
    19. Re: Bullshit. by easyTree · · Score: 2

      Of which, none capture video of abuse of power by police.

      --
      Requiem for the American Dream
    20. Re:Bullshit. by AmiMoJo · · Score: 4, Interesting

      The BBC reported that they simply got it from the phone of the recipient (which they knew from metadata) who cooperated with them. That person was innocent and uninvolved in the attack so simply gave them the message in plain text.

      Sorry no link, the BBC search engine is crap.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re: Bullshit. by RubberDogBone · · Score: 3, Interesting

      Tell that to the idiots using the forgotten social messaging app Whisper, which has nothing to do with the Whisper protocol or Whatsapp.

      Nope, it's just a sort of Twitter clone that pretends to be anonymous, and tons of idiots fall for it and post for sale or want to buy messages for "contraband substances" as if nobody can trace them.

      The app records the user's IP address, the IMEI of their phone, their GPS (which it uses to set a "nearby messages" group feature), their phone number, and none of this is encrypted in any way AND the developers proudly declare in the TOS that they will happily respond to any requests from law enforcement. The app also inserts ads from the Facebook network so anything you look at on FB may in turn spawn "related" ads in the app. So not only does the app know who you are, we can presume FB in turn knows a lot about which ads are seen when and perhaps even which content the user was looking at.

      So it is completely NOT anonymous. And yet idiot users post their messages every day. I had NO idea there were even so many different words for pot.

      The app has other major issues, such as a general lack of users -potheads and gays seeking gays seem to be the main users, but they don't add up to very many. So the developer hires workers to make fake posts, uses bots to repost and repost the same messages day after day after day, all in a bid to fake the place into looking like people use it. A lot of the Indian contractors don't even bother to hide that they are posting from Indian call centers.

      The app also has a "Popular Posts" feature which presents those items when users first open the app. But what determines what is "popular" is not popularity but the whimsy of one of those Indian workers who decides to promote a particular post to the Popular page, which then gets a lot of views and so forth. So they are manufacturing popularity, not seeking what is naturally popular. It's fraud. The anonymity is fraud.

      But very few users bother with this thing and nobody would really notice if it blew away.

      --
      Sig for hire.
    22. Re:Bullshit. by thegarbz · · Score: 2

      At least it is POSSIBLE.

      No it's not. For all but a tiny handful of people auditing the source is not possible as they lack the requisite skill or funding to get it done. How many open source programs out there actively get audited? And no, someone looking contributing to the code is not an audit. Many eyes are able to glaze over even the most simple of bugs.

      but you can bet someone is

      A bet that has been proven false over and over again in the past 5 years. From huge bugs discovered in very widely used software, to distrust in security software in general. We have recently gotten a great view into what it takes to actually look for code. Truecrypt wasn't a large program, yet it took a team of people 2 years to audit it. The end result of someone auditing something will be out of date on the day of release. Also what happened the day of the audit findings? Some people questioned who the auditors were and if their findings can also be trusted.

      And someone can compile it and compare the hashsum on distributed binaries

      No they can't. The chance of creating hash identical binaries to the ones the publisher created are next to none with subtle differences in build environment creating wildly differing outputs. At best you could beg the publisher to let you audit the machine and process which he used to create the binary. THEN you may get a hash comparable output and can compare the source used. But you're as much at mercy as letting the publisher do that for open source and closed source software.

      In general the trust level goes up when source code is available but only slightly. We are not living in a world of obvious and obtuse bugs instantly highlighting a lack of trust. The NSA leaks have shown that quite clearly.

  2. idiot by ooloorie · · Score: 5, Insightful

    "It's completely unacceptable. There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other,"

    It is completely unacceptable that history majors like Amber Rudd, who evidently has not the slightest understanding of technology, end up in positions like Home Secretary. or "Secretary of State for Energy and Climate Change". Rudd seems to be an object lesson in how money and political connections trump competency and skill.

    1. Re:idiot by gweihir · · Score: 3, Interesting

      Indeed. The whole statement is so utterly stupid and disconnected from reality _and_ misses what states that tried to get where she wants to go were like (Stalinism, 3rd Reich, etc.) that she cannot be any good at understanding history either. So they have a _bad_ history major as Home Secretary.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:idiot by matbury6017 · · Score: 3, Insightful

      OK, let's play with Rudd's statement for a little while. Since any weakening of internet security applies to everyone who uses the internet, not just the people Rudd would like it to affect, how substituting the keyword "terrorist" for something else and see how it sounds then?

      "It's completely unacceptable. There should be no place for [PLACEHOLDER] to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for [PLACEHOLDER] to communicate with each other,"

      Investment bankers? Grassroots political organisers? MI5 and MI6 agents? Any more ideas?

  3. Encrypt Everything! by Murdoch5 · · Score: 5, Insightful

    Regardless if the claim is true or not, all your data and messaging should be encrypted at all times PERIOD! I will gladly accept terror acts for the right to have my data protected and safely stored. Across all my computers and my phone, everything is encrypted when possible, including my emails, which are sent from a encrypted provider, my SMS messages, which are sent encrypted and almost everything else I do. Encryption is a right to not have your data / personal information exposed and one that must be protected, even if that means acts of terror are untracable / untrackable.

    1. Re: Encrypt Everything! by Anonymous Coward · · Score: 2, Insightful

      Since you asked...

      A. I don't. But the more of my data that is encrypted, the less noticeable data that I critically need to be encrypted will be to would-be eavesdroppers. No sense in drawing any further attention to the occasions when I really do require it. Plus if I am always using it, then I don't have to especially remember to do anything out of the ordinary when I do actually need it.

      B. Anything that requires some security against malicious eavesdroppers who might use the information to cause harm to myself if others. If it is technically feasible for the Feds to decrypt it, no matter how benign they may claim to be (and there is some cause to he sceptical of that already), then so can someone with much more nefarious intentions.

    2. Re: Encrypt Everything! by easyTree · · Score: 2

      Template email sent when switching mobile providers.

      --
      Requiem for the American Dream
  4. Huh? crooks in brazil do this all the time by Anonymous Coward · · Score: 5, Interesting

    (OBNOTE: they might have done something far different, but this is one way it could be done -- and it is being done in Brazil):

    1. Clone the victim's phone line (not chip, not iemsi, you just need to reassign its phoneline. Costs about US$100 in Brazil to get a sleazy, disgruntled phone-company-cellphone-outlet employee to do it for you).

    2. Using the rogue SIM that has the victims' phone number active for a while, install whatsup. Do the SMS verification, it will pass. And yes, that *does* mean you could use the same !@#$@#$ trick to invade banking accounts, steal accounts with SMS verification enabled, etc. Say, like google, microsoft, or DNS registrar (and from there, anything else, such as US$ 200k-worth twitter identities, etc).

    ==> IT IS NO JOKE that the newest US gov regulations *strongly recommends against* (read: FORBID) the use of anything phone-carrier-routed (SMS, voice, phone number, etc) for security id/validation.

    3. Whatsup will download the message history and contacts database, and you have access to the information.

    Now, if the target is not an imbecile, he has whatsup 2FA enabled. That means step (2) is a lot more difficult, *but not impossible*. Here's where human intelligence can help, phone hacking can help, and even a court order for whatsup to NOT nuke the account no matter how many failed tries (assuming this does not run afoul of whatever protections did not allow them to order whatsup to shell out the history directly) can help.

    IOW: have you removed the insanely dangerous "phone-number-based" recovery options of every account you treasure? If you did not, you better do now. It is quite possible to add defensive layers to SMS-based and voice-based recovery options, but all of them are of the "force several successful attempts over a *large* period of time, with random factors involved" so that the victim will notice what is happening, recover his phone number, and engage defensive measures. NOBODY implements this.

    1. Re:Huh? crooks in brazil do this all the time by ezdiy · · Score: 2

      Here, telcos are not *that* corrupted to reroute a number, however social engineering tricks are to be played with PNM. It is also why banks raise a fraud alert when you port your number to Google Voice, because you cut off the SIMtoolkit pairing. You need the original STK applet key to decode the bank's 2FA SMS handshake. Without it, the SMS will be delivered normally, and the bank will be notified it went somewhere where it shouldn't.

      As for police, they simply ask the telco to tee pipe SMS to them, or use an (authorized) IMSI catcher, both as a part of ongoing investigation when they have a probable cause.

      They use that to routinely snoop on whatsapp and telegram accounts, at least in europe.

  5. Embarrassing typo by mean+pun · · Score: 2

    I must assume that the phrase 'the victim's motive' in the summary should be 'the terrorist's motive'.

  6. If there's no place for terrorists to hide by HalAtWork · · Score: 5, Insightful

    If there's no place for terrorists to hide then there's no place for *anyone* to hide, and that is unacceptable considering how valuable it is to hide from oppression or the abusers of the system used to ensure there are no hiding spots, those who operate the system are disproportionately advantaged and with access comes the capability of concealing themselves, censoring, framing content and concealing context, etc.

    This idea is ridiculous and imbalanced off the bat.

    --
    Twinstiq, game news
    1. Re:If there's no place for terrorists to hide by gweihir · · Score: 3, Interesting

      Indeed. Terrorists you can typically just ignore with no significant adverse consequences. Fascist politicians are a lot harder to deal with.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. Original article: by Gravis+Zero · · Score: 4, Informative

    Here's the original article that this is all based on.

    --
    Anons need not reply. Questions end with a question mark.
  8. Re:The Liberals' war on vaginas by hey! · · Score: 5, Funny

    I am personally insulted by the ineptitude of this troll. Please try again. This time with feeling.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  9. The police did what I would want them to do by 93+Escort+Wagon · · Score: 2

    They had a specifically targeted phone, they used "human and technical intelligence" to get into it. No broad request (specifically from them, anyway, in this case) to compromise everyone else's personal privacy and financial security in pursuit of their goal.

    On the face of it, at least, this seems to be what I would want them to do.

    --
    #DeleteChrome
  10. Not suprising by 110010001000 · · Score: 2

    You don't know what the WhatsApp "app" is doing. It is closed source. It could be sending all your messages directly to the NSA. Why would you trust your communications to closed source running on a megacorporations system?

  11. Stop using "encrypted" apps on proprietary phones by Traverman · · Score: 3, Interesting

    In the US anyway, freedom is worth dying for. The best way to fuck the terrorists is to show them that they can't change anything about our social norms. As far as I'm concerned, Whatsapp should be considered an in-the-clear messenger which is only "encrypted" because the government happens not care about the sender at this particular moment. What this sort of "pretend encryption" approach does is let the terrorists know that we're willing to give up our core values so they won't kill anymore of us. Heck, why stop there? We all might as well convert to their perverted brand of Islam. Of course, this is all misguided because eventually they'll find out how to do more damage, encryption or not. Which means we'll still have terror attacks a century from now, but what we won't have is private messaging.

    What do we need in order to reclaim the freedom that our ancestors (in America, at least) literally died for? Open source everything, from the circuit diagrams in our chips all the way to the app layer. Is this happening? I hope I'm just ignorant, but the answer would seem to be "no". There's no "real money" in open source anything, and things are getting exponentially more complicated with time. So maybe there's something to be said for building a truly dumb "combox" for private messaging and nothing else, which actually could make money for the people behind it, and therefore be economically viable. Does anyone know of anything like this? And no, I'm not talking about some "brilliant" encryption app running on top of swiss cheese dogshit like Android.

  12. Impossibility of access by AcidPenguin9873 · · Score: 2

    Before encrypted electronic communications, criminals and terrorists had to use things like in-person meetings or unsecure communications methods (like analog telephony) to communicate. These were obviously vulnerable to being listened to for a determined party, but that was simply how it was, there was no other option. Law enforcement could use various human-powered means to target specific individuals or organizations, like tapping a particular phone line and having a human listen to it when it went active, or maybe stake out a particular meeting place with some high-power microphones. For the general non-criminal population, while it was technically possible for the government to listen to everyone all the time, it was realistically impractical because of the vast amount of manpower it would require.

    Today we're in the opposite situation. Law enforcement can now get ahold of all electronic communications through various taps, but if criminals and terrorists use the proper technology and best practices, it is *impossible* for law enforcement to know what is being said. (Yes, deep-cover operatives are still possible but are impractical for all but the absolute highest-priority things for reasons of time, risk, and the same old manpower problem).

    I don't have a great answer. Anything is either too insecure or seems too vulnerable to corruption. The only thing I've come up with is third-party escrow of encryption keys, but who is the third party and how do we know they aren't corrupt?

  13. The WhatsApp exploit revealed on BBC Radio by RDW · · Score: 2

    Clearly our Home Secretary Amber Rudd has now found some people who "understand the necessary hashtags": http://mashable.com/2017/03/27...