Tests performed by The H's associates at heise Security have found that popular texting alternative WhatsApp is easily hacked using freely available tools. Anyone using WhatsApp on a public Wi-Fi network risks having their data sniffed and their account used to send and receive messages. Once hacked, there is no way to restore account security – attackers will be able to continue to use the hacked account at their discretion.

Over the last week the lack of security inherent in WhatsApp's authentication has gradually become clear. Researchers have discovered that the client uses an internally generated password to log on to the server; this password is generated on Android devices from the device's serial number (IMEI) and on iOS devices from the MAC address of the Wi-Fi interface. The problem with this is that the information is anything other than secret – the IMEI can often be found on stickers inside of Android phones (usually under the battery) and can also be obtained using a shortcut key combination or by any app.

Sniffing this data is even easier when it comes to devices running iOS – the MAC address is visible to anyone within range of the Wi-Fi network being used. If this is a public Wi-Fi network, in a busy coffee shop, for example, data sniffers can even determine the user's phone number from the data packet transmitted by WhatsApp. Taking over the account is child's play – attackers don't even need to know who their victim is. The whole situation is even less understandable considering that there is already a shared secret between WhatsApp and the user in the form of a confirmation code sent by text message when the user first registers.

In tests, heise Security found that, with the help of WhatsAPI, the PHP-based WhatsApp API, it was possible to take over both Android and iOS WhatsApp user accounts. And doing so was shockingly easy. All attackers have to do is to enter the phone number and MAC address or IMEI into a script and they are then able to send whatever messages they like from the compromised account. The sender is reported as the compromised user's phone number.

The script also offers a conversation mode which allowed heise Security to both send and receive messages. Sent messages are not visible on the account owner's phone and, as long as the script is running, neither are the responses received.

The experiment shows that, as things stand, WhatsApp should be used with caution. To avoid making it easy for data sniffers, iPhone users should refrain from using it on public networks. There appears, however, to be no way of preventing people immediately around you, such as workmates, from taking over your account, as obtaining your phone number and IMEI or MAC address is generally a simple matter.

Once an account has been compromised, there is no remedy – there is currently no way of changing your password and thereby blocking the attacker. WhatsApp now needs to step up to the plate and start protecting its users.

There are also indications that WhatsApp may have been equally lax in designing the algorithm it uses to generate keys for encrypting messages. An anonymous, so far unconfirmed, report claims that, at least for the iOS version of the app, the key is easily determined.

(fab)