
WhatsApp CEO confirms its servers are secure, but the possibility of faking messages remains

Jonathan Riggall


We reported earlier this week that two Spanish security experts claimed to be able to fake WhatsApp messages. WhatsApp CEO Jan Koum spoke to me, explaining that they had not cracked its server security in doing so:

“It appears to us that they hacked into their own phone and altered messages after they were received (free from tampering) from the WhatsApp servers. We do not have evidence they have demonstrated … the ability to send a fake impersonating message to another WhatsApp user.”

Softonic’s Sirag Nabih spoke to Pablo San Emeterio and Jaime Sánchez, who explained exactly how they sent fake messages. Koum is right to say they didn’t hack WhatsApp servers, but they have shown they can intercept a message before it reaches a device, and change the contents of that message.

Koum is also correct to say that the fake messages arrived on their own phones. Emeterio and Sánchez’s method requires the WhatsApp authentication code you receive as an SMS when you join WhatsApp. With this code, they can make your phone receive fake messages.

WhatsApp generates four security keys from the authentication code, and Emeterio and Sánchez have worked out how to calculate these keys. With these four keys, the duo can intercept a message between WhatsApp servers and the target phone, alter the content of the message, and the target device will then believe the message is genuine. They say there is no way to prove the message is fake.

In being able to falsify the verification codes that WhatsApp requires to recognize a message as genuine, Emeterio and Sánchez have found a weakness in the security of the messaging system, although it’s not one that can be easily exploited yet.

WhatsApp officially doesn’t store data on its servers, so it would be theoretically impossible to find evidence of the original message. While it’s a complicated process, the fact that messages can be faked on a phone could have effects in countries where WhatsApp messages are admissible in courts of law.
