Are you afraid that someone might spy on your conversations on WhatsApp? Would you like some advice on how to defend yourself against these types of threats? Then I think you've come to the right place at the right time.
Given the numerous requests I have received on the subject, today I decided to take care of privacy on WhatsApp: I will tell you about some of the main techniques attackers use to intercept conversations on this very popular messaging service and, more importantly, I will recommend some preventive measures you can take to stop someone from snooping on your account. So, are you ready to get started?
I'll tell you right away: luckily, spying on WhatsApp messages is not as easy as you read around the web (or at least it isn't anymore), but woe to anyone who lets their guard down! We must always be careful and follow all those common-sense rules that let us carry out our digital activities with reasonable peace of mind. If you want to better understand what I mean, keep reading: you will find everything explained below. We will begin by analyzing all the threats we need to be on guard against and then we will see, together, what measures to take to avoid them. Enjoy the reading!
Sniffing of wireless networks
One of the most "popular" spying techniques is the one that involves the "sniffing" of wireless networks with software such as Wireshark (which I also told you about in my tutorial on how to sniff a wireless network). The term "sniffing" refers to monitoring a wireless network in order to capture all the information that travels over it in the clear.
In the case of WhatsApp, sniffing could be used by an attacker to monitor the network to which the victim's smartphone is connected, but fortunately this technique should no longer work.
In fact, at the end of 2014, the developers of Open Whisper Systems announced a collaboration with WhatsApp that brought their end-to-end encryption (called TextSecure) into the famous messaging app.[1]
End-to-end (point-to-point) encryption is a technology that protects information from unauthorized access using a pair of keys: one public and one private. In the specific case of WhatsApp, the public key is shared with the other party and is used to encrypt outgoing messages. The private key, on the other hand, resides only on each user's smartphone and is used to decrypt incoming messages.
This means that messages leave the sender's phone and reach the recipient's phone - via the WhatsApp servers - in encrypted form. The only ones able to decipher the contents are the owners of the keys used to generate them, that is, the legitimate senders and recipients.
So WhatsApp is unassailable? Well, not really. End-to-end encryption potentially knocks out sniffing techniques, but unfortunately there are other "weapons" that attackers can deploy to spy on WhatsApp messages.
Furthermore, we must consider the fact that WhatsApp is closed-source software, that is, it is not possible to thoroughly analyze its source code, so we cannot know whether the end-to-end encryption has been implemented properly or not.
Moral of the story: the situation should be reasonably safe, but you shouldn't let your guard down.
One of the biggest dangers to our WhatsApp accounts is currently identity theft, i.e. unauthorized access to our conversations by "deceiving" the service's authentication systems.
Identity theft via WhatsApp Web
One of the simplest ways to steal someone's identity on WhatsApp is to take advantage of the Stay connected feature of WhatsApp Web, the service that allows you to send and receive WhatsApp messages on your PC using your mobile phone as a "bridge".
I also told you about it in my post on how to use WhatsApp on PC: to access WhatsApp Web, just frame the QR code that appears on your computer screen with your smartphone. After that, if you leave the check mark next to Stay connected active, the service works without any further authentication, as long as the mobile phone on which the original client is installed is connected to the Internet (it does not matter whether it is on the same Wi-Fi network as the computer or on another network).
What does this mean? That an attacker could borrow your phone with any excuse, frame the WhatsApp Web QR code on his computer (or even on his tablet, using the desktop view mode included in many browsers) and access your messages without you noticing.
Fortunately there is a solution to this problem: if you enable a biometric lock on your device, such as face or fingerprint unlock, that same check will also be required, for confirmation purposes, to access WhatsApp Web / Desktop.
Cloning of the MAC address
MAC address cloning is another rather sophisticated technique that attackers can use to steal a user's identity on WhatsApp. It is still quite effective, but its complexity, and above all the time needed to carry it out, make it not very widespread.
The MAC address is a 12-digit code that uniquely identifies all devices capable of connecting to the Internet. It is also used by WhatsApp to verify the user's identity, so if it is disguised to appear the same as that of another phone, it can be used to access other people's accounts.
To "clone" a person's MAC address, the attacker must install ad-hoc applications on his smartphone (e.g. BusyBox and Mac address ghost for Android, both of which require root). Then he must get hold of the victim's smartphone, find out its MAC address (just consult the Info section of the Android or iOS settings menu) and set the same code on his own phone.
When the operation is completed, the "spy" must install a new copy of WhatsApp on his smartphone, activate it with the victim's number and enter the verification code that arrives on the latter's phone. As mentioned, this is a rather long operation, not for everyone, but still worth knowing about to avoid nasty surprises.
Please note: without first cloning the MAC address, it is practically impossible to activate WhatsApp with another person's number. Or rather, it is possible but totally useless. The service, in fact, allows only one smartphone per phone number, so the legitimate owner of the account would just need to reactivate the application on their device to thwart any spies (who, among other things, would be discovered immediately by the victim).
Another danger to be on guard against is the so-called spy apps, applications that are installed directly on the smartphones of the people to be spied on and hide their presence.
Even parental control apps or anti-theft software can be configured to spy on the user and take screenshots of the smartphone. I told you about it in detail in my tutorial on how to spy on Android phones.
How to defend yourself
At this point you are surely wondering how to protect yourself from all these threats. Well, absolute security doesn't exist, but if you try to put into practice all the tips I'm about to give you, you should be able to sleep reasonably soundly.
- Always use the most up-to-date version of WhatsApp - WhatsApp developers are constantly working on the security of their software. If you want to sleep relatively peacefully, then open the store of your smartphone and make sure you are using the latest version of the application.
- Use a secure PIN - if an attacker steals your smartphone but can't guess the PIN to unlock it, he can't do any harm. It is therefore essential that you set an unlock code on the lock screen and that it is sufficiently complex (and therefore hard to guess).
  - To set the PIN on Android, go to Settings > Security > Screen lock > PIN (or Settings > Security > Screen lock > Pattern if you want to use a gesture instead of the numeric code).
  - To set the PIN on iPhone, go to Settings > Touch ID and Passcode > Change code.
- Disable the display of SMS on the lock screen - another security measure you can take is to disable SMS notifications on the lock screen. In this way, if an attacker tries to activate WhatsApp with your phone number and wants to read the service's verification code, he won't succeed.
  - To hide SMS on the Android lock screen, go to Settings > Security > Lock Screen > PIN, set your PIN and choose to hide only sensitive content.
  - To hide SMS on the iPhone lock screen, go to Settings > Notifications > Messages and remove the tick from the Show in "Lock Screen" option.
- Check WhatsApp Web sessions - as mentioned above, someone could try to steal your identity using WhatsApp Web. To avoid this risk, go to the Settings > WhatsApp Web menu of WhatsApp and check all the active sessions on your account. If any of them looks suspicious, press the Disconnect from all computers button and any "spies" will lose access to WhatsApp Web (as they will be asked to scan the service's QR code again).
- Avoid public Wi-Fi networks - even if the “sniffing” of wireless networks is no longer as effective as it used to be, it is better to avoid public Wi-Fi networks. If you can, opt for your operator's 3G / LTE network.
- Listen to the advice of "mom" - if you want to stop someone sticking their nose into your online conversations, listen to your mother's advice: don't lend your phone to strangers, don't leave your smartphone unattended for too long ... and don't stay out late at night! :)
[1] As some independent tests published online show, end-to-end encryption was initially applied only to the Android version of WhatsApp. On the other software platforms, an encryption system based on the RC4 algorithm was used, which is notoriously more vulnerable to attacks. Now, however, the situation should have changed: end-to-end encryption is slowly reaching all versions of WhatsApp.