After Jeff Bezos’s phone was compromised by a malicious video sent via WhatsApp, it hopefully got all of you thinking about your own phone security and thinking how easily you could be hacked. There are lots of tools, tips and tricks to put in place to best protect WhatsApp’s two billion users from cybercriminals, but the truth is that if a threat actor is dedicated enough, there is little we can do other than to protect ourselves in the best way possible… and hope the attackers move on to less well-defended targets.
But when it comes to WhatsApp, is there anything else we can do to protect our account? The messages are already encrypted, meaning law enforcement individuals can’t probe into those private conversations directly, but is there another way in? The encryption key to a WhatsApp message is present in both devices being used in the conversation, so threat actors would need to get their hands on one or the other to read through those chatlogs.
This is where most readers may smugly nod to the fact that they use a complex PIN or a biometric entry to their devices. However, what if you could take control of someone’s account by just knowing their phone number? This is very much possible and scarily easy, but there are ways to reduce the risk and prevent this from happening to your account. I will describe these at the end of the blogpost.
So, WhatsTheProblem?
When you buy a new phone and install all your existing apps and settings, you restore from your backup, with WhatsApp requiring a code to be sent to a phone number. That code (usually sent to the device you are installing the app on) will validate the phone and you will be back into your chats. If you have a backup of the messages as well, they will appear up to the last time you backed up the device; if not, the names of the people and groups you are in conversation with will show without the messages.
This is where I noticed a potential flaw. Could I set up someone else’s WhatsApp account on a new device by simply grabbing the code sent to the target’s phone?
I decided to test my hypothesis with one of my colleagues last week (who is usually on the receiving end of my social engineering office antics but remains happy to participate). Note: Do not test this on anyone who has not explicitly provided prior permission!
Recently, I threw into our conversation that it’s always a good idea to back up your WhatsApp chats, just in case she didn’t, as I wouldn’t want her to lose them forever. A few days later, I used my spare phone and downloaded the app. It requested my phone number to verify the device it was to be installed on.
It wasn’t long before my colleague left her desk to make a coffee, leaving her phone in view on her desk, so I entered her phone number into my new WhatsApp account. Her phone instantly received a message (on silent) and I walked past her desk mentally noting the code. I typed it in the verification field on my spare phone … Et voilà – I had control of her account.
I could see all her chats in the app but no messages. To take my test to the next level I found a chat called “The Hunz”, to which I sent the message “Hey! Having a rubbish day… send memes!” to which I received a ton of funny responses from her unsuspecting friends.
When my colleague returned to her desk with her latte, she was oblivious to the fact that I was in a meme conversation with her friends as I chuckled away to myself. A few minutes passed until she looked at her phone and said out loud “That’s odd, I have received a code from WhatsApp for some reason”. I noticed her pensive look, but later I learned that all she did was delete it.
I then decided to come clean and I told her what had just happened. She could not believe how easy it had been to take over her account and felt there should be more security in place for typical users. She rightly mentioned that many people leave their phones unattended but think nothing of it, even in public places such as restaurants and bars. I soon reversed my movements to her phone and placed her back firmly in control of her account and then offered her advice on how to stop such an attack.
So, how can you stay safe?
Firstly, you should turn off previews in your SMS messages. This may sound obvious, but many people desire the convenience of looking at messages even more quickly. When people use two-step verification (also known as two-factor authentication) without an authenticator app, they tend to receive codes sent via SMS but if these can be viewed on a locked screen, they are somewhat pointless to a user who has left their phone unattended.
Therefore, secondly, you should never leave your phone or any device unattended. I have witnessed countless people on the train fall asleep with their phones left on the table or even pop to the bathroom whilst leaving their phones surrounded by strangers. Furthermore, there are many bad apples in companies so even if you trust your colleagues, there is always a chance someone else in the business could attempt this attack vector, so it’s best never to leave your device alone.
Finally, there is an even better way of protecting your account that needs to be completed right now. WhatsApp created its very own two-step verification for the app a few years ago, which is simple to follow and will stop this attack from succeeding. Below is the process of how to do it, so open the app and set it up!
How to set up two-step verification in WhatsApp
With the app open, head to Settings/Account/Two-Step Verification and click on Enable. Next, enter a six-digit code that you won’t forget.
Then enter your email address as an extra failsafe. Finally, you will see confirmation of two-step verification set up on your phone, so it will be far more difficult for someone to be able to hijack your account or transfer your messages to another device.
You’ll now be asked for the PIN at random times when you open WhatsApp. It isn’t every time you open the app, so it shouldn’t become an inconvenience.
It will, however, make you better prepared to enjoy safer technology.