Are the mobile messengers secure?

Are the mobile messengers secure?

We live in times when information has become the highest value good. Access and the ability to use key data allows you to effectively compete in the market, conduct policy, and even win wars (and without firing a single shot). The possibilities of information manipulation are equally valuable, both at the public level (fake news) and in business relations.
Operating as an information society, we still stick to our habits and beliefs from the real world. We naively assume the good will of the sender of the message and assign him the most likely identity. That is why phishing, primitive in its technological dimensions, remains a common cybercriminals’ tool. such a common cybercriminals’ tool remains primitive in its technological dimension phishing. It is enough to construct an appropriately reliable-looking email to convince the recipient to open the attachment in which the malicious virus code is hidden. Or – even more intriguing – as part of the “method for CEO”, i.e. Business Email Compromise, do not attach malware at all, just convince the accountant to transfer huge amounts to an arbitrarily selected account, because additional funds are needed during a delegation in China to close the transaction. All you have to do is reach out to the recently famous case of the Cenzin defense company belonging to PGZ, from which almost 4 million zlotys flowed out in this way.

Email is one of the oldest ways to communicate on the internet. It remains in intensive use despite its obvious disadvantages. The risks listed above result from the inability to reliably confirm the sender’s identity. The recipient simply has to believe (and does so willingly) that the person mentioned in the message header is actually the president, shipping company, tax office etc. Especially that criminals can very easily prove themselves by using tricks such as deceptively similar names or letters from extended Unicode sets that look identical to commonly used ones. And as a last resort, they simply take control of the account used to manipulate the recipient and simply send emails from a real source.

When the shipment leaves the sender’s computer, it goes through a number of intermediate systems. Here, other risks arise related to the confidentiality of correspondence and its integrity. It is easy to imagine the scenarios in which the commercial offer was correctly assigned by an authorized person, but along the way someone gained access to it, learned the content and e.g. changed the value to make it unattractive to the customer. Manipulating content in this way, a competitor has a chance to take over a lucrative contract, and a losing company may never even know how it happened.

Email has one more feature that makes it less and less adaptable to our times. It is asynchronous in nature: we send a letter, but we do not know when it was read and it remains for us to wait until the recipient decides to answer. It can take hours or days, and in this way it is impossible to negotiate or design arrangements.

That is why we are observing the growing popularity of instant messengers, which provide opportunities for instant exchange of information both between two people, but also in larger groups. They give the impression of a real conversation with its dynamics and the ability to react quickly to a changing situation. However, they are not the answer to email security problems.
For a very long time, most conversations were conducted in open text, with no chance to encrypt, hide content and protect it against third-party interference. Some manufacturers have tried to patch this deficiency by encrypting the communication channel between the user and the service provider’s server (VPN technologies). This gives our privacy protection comparable to mobile telephony. However, it should be remembered that in this approach the service provider has full access to the content of our conversations and sent documents. This opens up a completely new category of threats, where the adversary gaining access to the service provider’s systems has full insight into our content. At the same time, it can be done under the auspices of the law, which in many countries even requires operators to make their systems available to special services.

It is only recently that messengers have appeared that allow for end-to-end encryption. This means that the content is already protected on the sender’s device and can only be read by the final recipient.

It would seem that this is a panacea for communication problems, but the situation is not so obvious. First of all, many messengers (e.g. Telegram) do not encrypt messages by default. You must explicitly switch to secure communication mode to take advantage of the security offered. This, in turn, makes it difficult to determine whether we are in a public channel or in a private one. It’s easy to make a mistake and send confidential information in a readable way for bystanders.

In addition, many doubts arise as to the quality of the security itself. Source code is either not available for verification by independent institutions or it is confusing to the extent that it cannot be analyzed effectively. The authors’ connections with the special services of specific countries, not necessarily friendly to our country, not to mention.

Commonly used messengers like WhatsApp most often have an affiliation with large Internet companies (in this case Facebook), whose business model is based on collecting as much information about users as possible. It is very difficult to believe that in this one case they make an exception. And if we combine it with harassing Facebook with massive data leaks, fairly frivolous treatment of user data and ethically questionable practices of sharing their systems with third parties (the case of Cambridge Analytica), the level of trust is rapidly decreasing. This more that plans have recently been announced for connecting the infrastructure, and therefore also the client applications themselves, WhatsApp, Instagram and Messenger. Additional risks and information leaks will be inevitable here, including the ability to place a new infrastructure of special services implants and criminal groups in users’ control that allows for continuous and invisible surveillance.
We must also remember that the foundation for effective encryption of information is the prior exchange of cryptographic keys between the parties. This event is then the basis for confirming the identity of the other party and maintaining confidentiality of communications through systematic key exchange. The systems offered here also leave a lot to be desired. We have already witnessed a scandal with the possibility of swapping keys in WhatsApp without the user’s awareness, and under the control of a spy organization. The mechanism offered by Signal and Telegram based on a mobile phone number and identity previously confirmed by the telecommunications operator is also easy to fool if the adversary has access to the operator’s infrastructure. This has already been demonstrated two years ago by Positive Technologies researchers from Russia, and the gaps that allow this type of attack to be carried out are still present in the global telecommunications infrastructure.

Exchange ideas based on the concept of certificate authority is now also obsolete. Everyone can generate absolutely free certificate recognized by all client programs and describing an arbitrarily chosen identity. Under Let’s Encrypt, most of the generated certificates are used to commit crimes. For example, last year alone, more than 85,000 relied on domains with deceptively similar PayPal names, which of course indicates their intended use for phishing. Therefore CA is also not a way to confirm your identity and exchange keys.

The value of the information provided is increasing dramatically. Regardless of whether we are talking about ordinary business, politics or extremely confidential matters. This applies to law firms working on contracts of exceptional weight, manufacturing companies protecting their intellectual property, banks, where money is obviously associated with information, whether governmental institutions, but also each of us personally. Entrusting information security to operators that we have doubts about the quality of services rendered is simply reckless. There is no return to e-mail because of its “antiquity” and defects that we will not eliminate. It seems inevitable that a new solution will appear on the market that will allow secure, confidential communications independent of third parties to be implemented, which will also be ergonomic and easy to implement even for those without technical knowledge.

Author: Michał Jarski