Messaging apps (Telegram, WhatsApp and more): how hackers bypass encryption

Criminals need secure communications to escape surveillance, and today instant messaging applications could be a fitting tool. However, hackers or investigators can bypass their encryption systems.

Security services: Encryption and Perfect Forward Secrecy (PFS)

Almost all encrypted messaging applications offer two services:

  1. End-to-end encryption and, additionally
  2. Perfect Forward Secrecy (PFS).

The end-to-end encryption

End-to-end encryption encrypts a message so that only the intended recipient can read it. The message stays encrypted for everyone else: other people, other devices, and even the application's own servers. It is meant to protect messages from outside observers.

Perfect Forward Secrecy (PFS)

PFS usually makes the encryption unique for every message through a one-time code (a so-called “ephemeral key”, generated afresh each time). If one message were intercepted and decrypted, past messages should remain secure because each of them used a different code.

Some applications also let messages self-destruct after a set amount of time: Telegram, Signal, Viber, Facebook Messenger, Dust, Pryvate Now, Wickr.
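A minimal symmetric key ratchet illustrating the PFS idea described above, written as an added example (it is not code from any of the apps named here and is far simpler than the Signal protocol): each message gets its own one-time key derived from a chain key with HMAC, and the two helper functions at the end show what a leaked message key, or a chain key taken from a compromised device, actually exposes. The root key, message texts and the hash-based stream cipher are constructed for the demo.

```python
import hashlib
import hmac

def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Advance the chain and derive a one-time message key. HMAC is one-way,
    so neither output reveals chain_key, hence nothing about earlier keys."""
    next_chain = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    message_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain, message_key

def xor_stream(message_key: bytes, data: bytes) -> bytes:
    """XOR data with a keystream expanded from the single-use key (demo cipher)."""
    stream = b"".join(hashlib.sha256(message_key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))

def encrypt(message_key: bytes, plaintext: bytes) -> bytes:
    body = xor_stream(message_key, plaintext)
    return body + hmac.new(message_key, body, hashlib.sha256).digest()

def decrypt(message_key: bytes, ciphertext: bytes):
    """Return the plaintext, or None if the key does not authenticate the message."""
    body, tag = ciphertext[:-32], ciphertext[-32:]
    if not hmac.compare_digest(hmac.new(message_key, body, hashlib.sha256).digest(), tag):
        return None
    return xor_stream(message_key, body)

def send_all(root_key: bytes, plaintexts: list):
    """Encrypt each message under a fresh key; also return the chain key in
    force before each step so the leak scenarios below can be checked."""
    chain, chains, keys, cts = root_key, [], [], []
    for pt in plaintexts:
        chains.append(chain)
        chain, mk = ratchet_step(chain)
        keys.append(mk)
        cts.append(encrypt(mk, pt))
    return chains, keys, cts

def exposure_from_leaked_message_key(keys, cts, leaked: int) -> list:
    """Which ciphertexts does one captured message key open? Only its own."""
    return [decrypt(keys[leaked], ct) is not None for ct in cts]

def exposure_from_leaked_chain_key(chains, cts, leaked: int) -> list:
    """A chain key taken from a compromised device at step `leaked` opens that
    message and every later one, but none sent before it (forward secrecy)."""
    chain, result = chains[leaked], [False] * leaked
    for ct in cts[leaked:]:
        chain, mk = ratchet_step(chain)
        result.append(decrypt(mk, ct) is not None)
    return result
```

The second scenario is the limit of PFS that the Encrochat case illustrates: the ratchet protects what was sent before a device was compromised, not what the compromised device sends or receives afterwards.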

Some messaging apps

Messaging apps and their vulnerabilities

There are many instant messaging applications, and they differ from one another.

Telegram has raised some doubts about its encryption: it does not enable end-to-end encryption by default for every message or user.

WhatsApp should be safer. It uses a protocol reviewed and endorsed by leading security experts, the Signal encryption protocol (beyond the protocol, the Signal company also runs its own instant messaging service).

However, the same Signal protocol was also used by another piece of secure software, Encrochat, and police eventually obtained the communications exchanged through it. As a result, the company ceased operations in 2020.

Encrochat was based in Europe, and it was not a conventional application but a “secure phone” company (others were the Canadian Phantom Secure, which closed in 2018, and the US Anom, created by the FBI to infiltrate criminal syndicates, which ran between 2018 and 2021).

The Encrochat service was initially developed for celebrities who feared hackers could read their communications. Yet it was used chiefly by criminals. As the journalist Joseph Cox explained in his investigations, Encrochat sold encrypted phones made by the same company: Android devices were modified to remove the phone's GPS, camera and microphone functionality, and Encrochat then installed its encrypted messaging program on them. “The company sold the phones on a subscription-based model, costing thousands of dollars a year per device”, according to Cox.

The messages were encrypted on the devices, so police could not rely on standard interception. Instead, the authorities used malware (malicious software that gains unauthorised access to a system) to take control of the device itself and read the messages stored on the phone before encryption or after decryption. As a result, thousands of arrests were reported in 2020 in the UK, Norway, Sweden, France and the Netherlands for serious crimes (international drug shipments and drug labs, murders, extortion, grave assaults and hostage-takings).

It is the same technique used by malicious hackers who want to take over a messaging application account. Legitimate users are deceived into installing the malware on their own devices, for example by downloading malware disguised as an update program. Once installed, it gives the attacker access to the device's functionality, including messages that would otherwise be encrypted.

Although message contents are not ordinarily visible, the app companies can share a communication's metadata (time and date, even a user's address book) with the authorities. In November 2021, Property of the People, a Washington, D.C.-based nonprofit transparency group, obtained an FBI document through a FOIA request. It details the FBI's ability to legally obtain data from messaging app companies.