Prekey Pogo: Investigating Security and Privacy Issues in WhatsApp's Handshake Mechanism
By: Gabriel K. Gegenhuber, Philipp É. Frenzel, Maximilian Günther and more
Potential Business Impact:
Breaks WhatsApp's secret message protection.
WhatsApp, the world's largest messaging application, uses a version of the Signal protocol to provide end-to-end encryption (E2EE) with strong security guarantees, including Perfect Forward Secrecy (PFS). To ensure PFS right from the start of a new conversation -- even when the recipient is offline -- a stash of ephemeral (one-time) prekeys must be stored on a server. While the critical role of these one-time prekeys in achieving PFS has been outlined in the Signal specification, we are the first to demonstrate a targeted depletion attack against them on individual WhatsApp user devices. Our findings not only reveal an attack that can degrade PFS for certain messages, but also expose inherent privacy risks and serious availability implications arising from the refilling and distribution procedure essential for this security mechanism.