WhatsApp Flaw Could Allow 'Potential Attackers' to Spy On Encrypted Group Chats

A more dramatic revelation of 2018: an outsider can secretly eavesdrop on your private end-to-end encrypted group chats on WhatsApp and Signal. An end-to-end encryption protocol plays a vital role in securing instant messaging services, and it is expected to protect against three types of attackers: a malicious user, a network attacker, and a malicious server.

The primary purpose of end-to-end encryption is to remove the need to trust the intermediate servers, so that no one, not even the company or the server that transmits the data, can decrypt your messages or abuse its centralized position to manipulate the service.

In other words, assuming the worst-case scenario, a corrupt company employee should not be able to eavesdrop on the end-to-end encrypted communication by any means.

However, so far even the popular end-to-end encrypted messaging services, like WhatsApp, Threema and Signal, have not entirely achieved a zero-knowledge system.

Researchers from Ruhr-Universität Bochum (RUB) in Germany found that anyone who controls WhatsApp/Signal servers can covertly add new members to any private group, allowing them to spy on group conversations, even without the permission of the administrator.

As described by the researchers, in pairwise communication (when only two users communicate with each other) the server plays a limited role, but in multi-user chats (group chats, where encrypted messages are broadcast to many users) the server's role grows to managing the entire process.

That is where the issue lies: the company's servers are trusted to manage group members (who eventually have full access to the group conversation) and their actions.

As explained in the newly published RUB paper, titled "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," since both Signal and WhatsApp fail to properly authenticate who is adding a new member to the group, it is possible for an unauthorized person—not a group administrator or even a member of the group—to add someone to the group chat.

What's more, if you assume that adding a new member to the group will always show a visual notification to the other members, that is not the case.

According to the researchers, a compromised admin or rogue employee with access to the server could manipulate (or block) the group management messages that are supposed to alert group members of a new member.

"The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group," the paper reads.

"Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally, the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces."

WhatsApp has acknowledged the issue but argued that whenever a new member is added to a group, by anyone, the other group members are always notified.

"We've looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user," a WhatsApp spokesperson said.

"The privacy and security of our users is incredibly important to WhatsApp. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted."

But unless you are in a group with a very select membership, I'm sure many of you would easily ignore such notifications.

The researchers also advised the companies to fix the issue by adding an authentication mechanism that ensures group management messages are signed and come from the group administrator only.
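To make the weakness and the proposed fix concrete, here is an added toy model (not code from the RUB paper, WhatsApp or Signal) of a group whose membership updates are either trusted as delivered by the server or required to carry an administrator's signature. An HMAC under a per-admin secret stands in for the asymmetric signature a real protocol would use; all names, keys and messages are constructed.

```python
# Added example, not code from the RUB paper, WhatsApp or Signal. An HMAC under a
# per-admin secret stands in for the asymmetric signature a real protocol would
# use (members would hold the admin's public key). All names/keys are constructed.
import hashlib
import hmac
import json


def sign(secret: bytes, msg: dict) -> bytes:
    # Canonical encoding so signer and verifier authenticate identical bytes.
    body = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(secret, body, hashlib.sha256).digest()


class Group:
    def __init__(self, admins: dict, members: set):
        self.admins = dict(admins)      # admin_id -> verification key
        self.members = set(members)
        self.log = []                   # what the UI would show

    def apply_unauthenticated(self, msg: dict) -> bool:
        """Server-trusting model from the article: any delivered 'add' is applied."""
        if msg.get("op") != "add":
            return False
        self.members.add(msg["member"])
        self.log.append(("added", msg["member"]))
        return True

    def apply_authenticated(self, msg: dict, tag: bytes) -> bool:
        """Researchers' fix: only an update signed by a current admin is applied."""
        sender = msg.get("sender")
        key = self.admins.get(sender)
        if key is None:                       # server, outsider or plain member
            self.log.append(("rejected_not_admin", sender))
            return False
        if not hmac.compare_digest(sign(key, msg), tag):
            self.log.append(("rejected_bad_signature", sender))
            return False
        return self.apply_unauthenticated(msg)


def demo() -> dict:
    admin_secret = b"constructed-admin-secret"
    weak = Group({"alice": admin_secret}, {"alice", "bob"})
    fixed = Group({"alice": admin_secret}, {"alice", "bob"})
    # A membership update injected by whoever controls the server.
    injected = {"op": "add", "member": "eve", "sender": "server"}
    weak.apply_unauthenticated(injected)                      # silently accepted
    r_server = fixed.apply_authenticated(injected, sign(b"server-key", injected))
    # The admin's own, correctly signed update.
    legit = {"op": "add", "member": "carol", "sender": "alice"}
    r_legit = fixed.apply_authenticated(legit, sign(admin_secret, legit))
    # The admin's tag replayed on an altered message fails the signature check.
    r_tamper = fixed.apply_authenticated(dict(legit, member="eve"), sign(admin_secret, legit))
    return {"weak_members": weak.members, "fixed_members": fixed.members,
            "server_add": r_server, "admin_add": r_legit, "tampered_add": r_tamper,
            "log": fixed.log}
```

The rejection log entries are the point: in the fixed model an attempted add that is not admin-signed is something the client can surface, whereas in the weak model the server decides what the members see.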

However, this attack is not easy to execute (except by services under legal pressure), so users should not be worried about it.

Wi-Fi Alliance Launches WPA3 Protocol with New Security Features

The Wi-Fi Alliance has finally announced the long-awaited next generation of the wireless security protocol—Wi-Fi Protected Access (WPA3). WPA3 will replace the existing WPA2—the network security protocol that has been around for at least 15 years and is widely used by billions of wireless devices every day, including smartphones, laptops and Internet of Things devices.

However, WPA2 has long been considered insecure because of a common security issue: "unencrypted" open Wi-Fi networks, which allow anyone on the same Wi-Fi network to intercept the connections of other devices.

Most importantly, WPA2 has also recently been found vulnerable to KRACK (Key Reinstallation Attack) that makes it possible for attackers to intercept and decrypt Wi-Fi traffic passing between computers and access points.

The new standard of Wi-Fi security, which will be available for both personal and enterprise wireless devices later this year, offers improved security and privacy.

  • WPA3 protocol strengthens user privacy in open networks through individualised data encryption.
  • WPA3 protocol will also protect against brute-force dictionary attacks, preventing hackers from making multiple login attempts by using commonly used passwords.
  • WPA3 protocol also offers simplified security for devices that often have no display for configuring security settings, i.e. IoT devices.
  • Finally, there will be a 192-bit security suite for protecting WiFi users’ networks with higher security requirements, such as government, defence and industrial organisations.

"Wi-Fi security technologies may live for decades, so it’s important they are continually updated to ensure they meet the needs of the Wi-Fi industry," said Joe Hoffman, SAR Insight & Consulting. "Wi-Fi is evolving to maintain its high-level of security as industry demands increase."

Since hardware must get certified by the Wi-Fi Alliance to use WPA3 security protocol, the new security standard won't arrive overnight.

It could take months for device manufacturers to support the new wireless security standard, but the first WPA3-certified devices are expected to ship later this year. More details about WPA3 have yet to be released.

CES 2018: The Best Gadgets Yet

Rokid Glass
In the near future, augmented reality wearables will slide into our lives as seamlessly as iPhones and Fitbits. Rokid's AR glasses? Well, those aren't quite there yet. The Chinese company's prototype is chunky, clunky, and totally ugly—but even in its rudimentary form, we were impressed with what they could do. The glasses show information in the corner of the lens, including surprisingly reliable facial recognition tech that tells you who's around. It's a compelling proof of concept of what AR wearables will be capable of before 2018 is over.

Raven H
The Raven H is a unique and versatile smart home device—it’s a speaker, a voice-activated assistant, and a touch-sensitive home entertainment remote, all in one. The sharp design comes courtesy of Swedish audio and electronics firm Teenage Engineering. Even more fun, Raven is owned by Chinese web services giant Baidu, so when you talk to the little LED-dotted square on top, you’re interacting with DuerOS, Baidu’s rapidly growing AI platform. There’s just one catch: You’ll need to talk to it in Chinese.

Garmin Speak Plus
Someday, all cars will have Alexa and 5G and the infotainment system of your dreams. Today is not that day. Garmin's Speak Plus helps bridge the gap: It plugs into your car's cigarette adapter, connects to your phone over Bluetooth, and sticks to your windshield. From its perch, this round gizmo provides a dash cam, turn-by-turn navigation, and all of Alexa's many other skills. If you connect it to your stereo (again over Bluetooth), you can even use your voice to control your music. It's not quite as simple as an integrated setup, but at $230 it won't require a bank loan just to get one.

Nokia Sleep Sensing and Home Automation Pad
Nokia's dream for the connected home starts when you slip into bed each night. Control IoT devices with its new sleep system as soon as you hit the hay: Turn off the lights. Tick the thermostat down a few notches. Set the home security system. Set your phone to "do not disturb" mode. While you snooze, it also tracks sleep cycles, heart rate, and snoring patterns through a thin pad that slips under the mattress.

Seven Dreamers Laundroid
Folding laundry is a genuine hassle. Enter the Laundroid: a ludicrously large, refrigerator-sized robotic dresser that folds your clothes for you. It has a bin at the bottom where you drop your clean clothes, and on the inside a series of robotic arms and cameras analyze each piece of clothing and fold it. If it ever comes out (and that’s a long shot), it will cost somewhere in the neighborhood of $16,000. But in a tech conference filled with a lot of genuinely useless ideas, at least Laundroid is trying to make life legitimately easier. The company even says that it’s partnering with a laundry machine maker so a future Laundroid can actually launder your clothes too.

Wagz Smart Dog Collar
Most connected pet products (most connected products in general, really) don't offer any features of real value. Wagz seems to at least be thinking about it more holistically, developing a set of gadgets that work together to actually help out pets and their owners. Its smart collar tracks your pooch anywhere it goes, but it also acts as an ID, telling the Wagz smart feeder how much food to spit out. And when your mutt walks over to the Wagz smart door, it'll only open if it's the right dog and the right time. You can manage all your pets' schedules on your phone, or just open up the feeder if you're going to be home a few minutes late.

Willow Wearable Breast Pump
If you’re a working mom with a nursing infant, pumping breast milk is a royal pain. Too few improvements have been made in this category for much too long. But now? The Willow Pump makes its way onto the market this March. It’s small enough to throw into a purse, great-looking, and so quiet and discreet that a pumping mom had it running inside her shirt at a CES demo. And we had no idea.

Suunto 3
We love Suunto’s sleek, gorgeous fitness watches and the Suunto 3 is no exception. It’s light, attractive, versatile, easy to navigate, and can turn a huge amount of data—like your heart rate and VO2 max—into a personalized 10-day training plan.

Scotts Gro Smart Garden Irrigation System
Successfully watering your outdoor garden requires processing a huge amount of information: Type of plant, plant hardiness zone, soil quality, and the day’s precipitation (or lack thereof). If you find that poring over this information is a satisfying task, more power to you. But if you’d like to eliminate the guesswork, save water, and optimize your tomato growth, Scotts' smart irrigation system can help. It tailors your watering schedule to satellite weather updates, soil conditions, and plant variety, and can be monitored from your smartphone.

Blade Shadow PC
Building a gaming PC is an expensive proposition, and the antidote is Shadow PC. This service ties into a powerful gaming computer in the cloud (the company compares each virtual rig to an i7 PC with 12 GB RAM and Nvidia graphics) that’s always kept up-to-date on the backend. So, instead of popping in a new graphics card or upping the RAM, you just keep paying $35 per month and the upgrades are included. The company’s compact $135 Shadow Box will let you turn any monitor, PC, and mouse into a system hardcore enough to run games at up to 4K/60.

3 Things You Must Do to Keep Your Personal Information Safer

Keeping your personal information safe is a must in today’s age of identity theft. While you likely have strong passwords, shred paper documents and keep a close eye on your online banking and investment accounts, you also need to think about the features of your home that could be compromising your confidential data. Our tips for keeping your personal information safe at home will help.

  1. Be Mindful When Placing Home Security Cameras

Home security cameras provide a sense of security to homeowners. Many of today’s top models let you keep an eye on your home through an app, so that you can monitor it from virtually anywhere at any time. But if you place your security cameras incorrectly, you put your valuable personal information at risk should hackers manage to access your system.

For example, do not put your home security camera in a location that points toward your home desk or computer screen. Hackers easily could get their hands on your account numbers, Social Security numbers or other confidential data simply by seeing it through the lens of your hacked camera. For personal privacy, it’s also best to avoid putting security cameras in your bedroom or bathroom.

  2. Protect Your Home Wi-Fi Network

Virtually everyone has a Wi-Fi network at home with a wireless router. It’s critical to protect your home security and personal data from hackers by securing your home network with passwords. Begin by changing the generic username and password that your router came with, if you haven’t done so already. It is far too easy for hackers to use these generic credentials to gain access to your system.

Also, change the network name that appears on other people’s smartphones and devices when they are in the vicinity of your network. For instance, manage your privacy by using a name other than your last name or address.

According to PCMag, one of the best ways to protect your personal information at home is to encrypt your wireless router. Go to the security options in your router’s settings and turn on the WPA2 Personal option. Set the encryption type to AES and enter a password, or a network key, for the encrypted Wi-Fi. Keep in mind this password is different from the one you use to connect devices to your Wi-Fi, so make your password a sentence that’s at least 12 characters long. You can use capital and lowercase letters, punctuation, symbols and even spaces!

  3. Remember Baby Monitors and Smart Appliances When Protecting Personal Information

The smarter our baby monitors and home products become, the more diligent we need to be about protecting them. After stories about hacked baby monitors were published, parents began to worry about protecting their children and themselves.

Fortunately, companies today offer high-security, password-protected mobile streams to parents’ smartphones to enhance privacy and provide an extra layer of security.

Homeowners also should consider smart appliances when thinking about protecting personal information. Some smart home products are easy to hack, which puts your home Wi-Fi network and confidential data at risk. The best thing you can do is use our previous advice for securing your home network, including disabling the guest network access, consistently changing passwords and creating two different Wi-Fi networks – one for computers, tablets and smartphones and another for smart appliances and devices. You also can disable remote management of your smart devices and only connect them to your network when using them.

You need to secure your personal information just as you secure your home. Lock down your confidential data by keeping home security cameras away from your home desk and computer screens and encrypting and password-protecting your home Wi-Fi network. It’s also important to keep baby monitors and other smart devices in mind when thinking about hacking risks.

Monero Miner Sends Cryptocurrency to North Korean University

The application’s developers, however, might not be of North Korean origin themselves, the security researchers say. They also suggest that the tool could be only an experimental application, or could be an attempt to trick researchers by connecting to Kim Il Sung University in Pyongyang, North Korea.

Once the discovered installer is run, it copies a file named intelservice.exe to the system, a file name often associated with cryptocurrency mining malware. The arguments the file is executed with reveal it is a piece of software called xmrig, a program already associated with wide campaigns exploiting unpatched IIS servers to mine Monero.

Analysis of the file revealed both the address of the Monero wallet and the password it uses (KJU, a possible reference to Kim Jong-un), as well as the fact that it sends the mined currency to the server barjuok.ryongnamsan.edu.kp. The use of this domain reveals that the server is located at Kim Il Sung University, AlienVault says.

AlienVault's security researchers also discovered that the specified address doesn’t resolve, either because the app was designed to run on the university’s network, because the address used to resolve in the past, or because it is only meant to trick security researchers.

“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining,” AlienVault says.

The sample was also found to contain obvious messages printed for debugging as well as fake filenames meant to avoid detection. According to the researchers, if the software author is at the Kim Il Sung University, they might not be North Korean.
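The traits described above (a masquerading file name, xmrig-style pool and wallet arguments, and a pool host on the university domain) translate directly into a process-creation hunt. The following is an added example, not AlienVault's code; the records, paths, user names, port and wallet value are constructed placeholders, and only the image name and domain come from the report.

```python
# Added example; not AlienVault's code and not from the report. Hunts constructed
# process-creation records for the traits the report describes: an image named
# intelservice.exe, xmrig-style pool/user arguments (-o/--url, -u/--user), and a
# pool host at the university domain. Paths, users, the port and the wallet value
# in the sample records are placeholders, not indicators.
MASQUERADE_IMAGES = {"intelservice.exe"}              # from the report
KNOWN_POOL_HOSTS = {"barjuok.ryongnamsan.edu.kp"}     # from the report
POOL_FLAGS = {"-o", "--url"}                          # xmrig pool option
USER_FLAGS = {"-u", "--user"}                         # xmrig wallet/user option

SAMPLE_RECORDS = [  # constructed "timestamp|user|command line" records
    "2018-01-08T10:15:02|DESKTOP\\alice|C:\\Users\\Public\\intelservice.exe "
    "-o barjuok.ryongnamsan.edu.kp:PORT -u WALLET_PLACEHOLDER -p KJU",
    "2018-01-08T10:15:09|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2018-01-08T10:16:30|DESKTOP\\alice|C:\\Tools\\xmrig.exe --url stratum+tcp://pool.example:PORT "
    "--user WALLET_PLACEHOLDER --pass x",
    "2018-01-08T10:17:01|DESKTOP\\alice|C:\\Windows\\notepad.exe C:\\Users\\alice\\todo.txt",
]


def pool_host(value: str) -> str:
    """Strip an optional scheme (e.g. stratum+tcp://) and :port from a pool URL."""
    return value.split("://")[-1].rsplit(":", 1)[0].lower()


def analyze_cmdline(cmdline: str) -> list:
    """Return the reasons a command line looks like the reported miner (empty if none)."""
    argv = cmdline.split()
    image = argv[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    opts = {}
    for flag, value in zip(argv[1:], argv[2:]):   # flag followed by its value
        if flag in POOL_FLAGS | USER_FLAGS:
            opts[flag] = value
    pools = [v for k, v in opts.items() if k in POOL_FLAGS]
    users = [v for k, v in opts.items() if k in USER_FLAGS]
    reasons = []
    if image in MASQUERADE_IMAGES:
        reasons.append("image name used by the reported miner installer")
    if pools and users:
        reasons.append("xmrig-style pool and wallet arguments")
    if any(pool_host(p) in KNOWN_POOL_HOSTS for p in pools):
        reasons.append("pool host on the reported university domain")
    return reasons


def scan(records: list) -> list:
    """Return (user, command line, reasons) for each record that raises a reason."""
    hits = []
    for rec in records:
        _ts, user, cmdline = rec.split("|", 2)
        reasons = analyze_cmdline(cmdline)
        if reasons:
            hits.append((user, cmdline, reasons))
    return hits
```

Note that the second hit (a renamed-but-honest xmrig pointing at an unrelated pool) is caught by the argument pattern alone, which is what makes the rule useful beyond this one sample.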

“KSU is an unusually open University, and has a number of foreign students and lecturers,” the researchers explain.

North Korean attacks focused on Monero mining have been spotted before, such as those associated with the Bluenorroff and Andariel hackers, who are generally considered part of the Lazarus group. However, AlienVault hasn’t discovered evidence linking the newly found installer to those previous attacks.

“The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code. Given the amateur usage of Visual Basic programming in the Installer we analyzed, it’s unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project,” the researchers note.

On the other hand, with the country hit hard by sanctions, crypto-currencies could easily prove highly valuable resources, and a North Korean university’s interest in the area wouldn’t be surprising.

In fact, the Pyongyang University of Science and Technology recently invited foreign experts to lecture on crypto-currencies, and the recently discovered installer might be a product of their endeavors, AlienVault suggests.