
When encryption does not help: a look at physical access to the device

In February we published the article “Not a single VPN. A cheat sheet on how to secure yourself and your data.” One comment prompted us to write a follow-up. This part is a fully self-contained source of information, but we still recommend reading both posts.


The new post is devoted to the security of data (correspondence, photos, videos and so on) in messengers and on the devices used to run those applications.

Messengers


Telegram

Back in October 2018, Nathaniel Sachi, a first-year student at Wake Technical college, discovered that the Telegram messenger stores messages and media files on the local computer disk unencrypted.

The student was able to access his own correspondence, including text and pictures, by examining the application databases stored on the HDD. It turned out that the data is hard to read but not encrypted, and it can be accessed even if the user has set a password on the application.

The recovered data included the names and telephone numbers of the people he had talked to, which can be matched against each other if desired. Information from closed chats is also stored in the clear.
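The "hard to read, but not encrypted" distinction can be checked on your own application data directory. The sketch below is an added example, not code from the original article or from any messenger: it flags files that carry the standard unencrypted SQLite header or whose byte entropy is well below what ciphertext shows. The file names, the sample contents and the 7.5 bits/byte threshold are assumptions constructed for illustration, and the article does not say which database format Telegram used.

```python
import math
import os
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every unencrypted SQLite file
ENTROPY_THRESHOLD = 7.5                  # bits/byte; assumption: ciphertext sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(path: str, sample_size: int = 65536) -> str:
    """Classify one file as 'plaintext-sqlite', 'likely-plaintext' or 'high-entropy'."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if sample.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    if shannon_entropy(sample) < ENTROPY_THRESHOLD:
        return "likely-plaintext"       # binary and hard to read, but not encrypted
    return "high-entropy"               # encrypted or compressed; entropy cannot tell which

def audit(directory: str) -> dict:
    """Walk a directory and map each file's relative path to its classification."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            report[os.path.relpath(full, directory)] = classify(full)
    return report

def demo() -> dict:
    """Build three constructed sample files and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "cache.db": SQLITE_MAGIC + b"\x10\x00" + b"\x00" * 4000,
            "messages.bin": b"\x01\x07Alice\x00+15550100\x00hello there\x00" * 200,
            "sealed.bin": os.urandom(65536),   # stand-in for ciphertext
        }
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return audit(tmp)

if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:18} {name}")
```

A "high-entropy" verdict is not proof of encryption, since compressed media scores the same; the useful signal is the other two verdicts, which mean the content is readable by anyone who can read the disk.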

Later, Durov said that this was not a problem, because an attacker with access to the user's PC could obtain the encryption keys and decrypt the entire correspondence without any difficulty. But many information security experts maintain that the issue is still serious.


In addition, Telegram turned out to be vulnerable to key theft, which was discovered by a Habr user. A local passcode of any length and complexity can be cracked.

WhatsApp

As far as is known, this messenger also stores data on the computer disk in unencrypted form. Accordingly, if an attacker has access to the user's device, all of that data is exposed as well.

But there is a more global problem. All backups from WhatsApp installed on Android devices are now stored on Google Drive, as Google and Facebook agreed last year. But the backups of correspondence, media files and the like are stored in unencrypted form. As far as can be judged, US law enforcement agencies have access to Google Drive, so there is a possibility that they can view any stored data.

The data could be encrypted, but neither company does so. Perhaps this is simply because unencrypted backups can be transferred and used by the users themselves without any trouble. Most likely, encryption is absent not because it is technically difficult to implement: on the contrary, backups can be protected without any difficulty. The problem is that Google has its own reasons for working with WhatsApp: the company supposedly analyzes the data stored on Google Drive servers and uses it to display personalized ads. If Facebook suddenly introduced encryption for WhatsApp backups, Google would instantly lose interest in such a partnership, having lost a valuable source of data about WhatsApp users' preferences. This is, of course, only an assumption, but a very plausible one in the world of hi-tech marketing.

As for WhatsApp for iOS, its backups are saved to iCloud. But here, too, the information is stored in unencrypted form, which is stated even in the application's settings. Whether Apple analyzes this data or not is known only to the corporation itself. True, the Cupertino company has no advertising network like Google's, so we can assume that it is less likely to analyze the personal data of WhatsApp users.

All this can be summed up as follows: yes, you are not the only one with access to your WhatsApp correspondence.

TikTok and other messengers

This short-video sharing service managed to become popular very quickly. The developers promised to ensure the complete security of their users' data. As it turned out, the service itself used this data without notifying users. Worse, the service collected the personal data of children under 13 without parental consent. Personal information of minors (names, e-mail addresses, phone numbers, photos and videos) was made publicly available.

The service was fined several million dollars, and regulators also demanded the removal of all videos shot by children under 13 years of age. TikTok complied. Nevertheless, other messengers and services also use their users' personal data for their own purposes, so one cannot be sure of its safety.

This list could be continued indefinitely: most instant messengers have one vulnerability or another that allows attackers to eavesdrop on users (a great example is Viber, although everything seems to have been fixed there) or to steal their data. In addition, almost all applications from the top 5 store user data in unprotected form on the computer's hard disk or in the phone's memory. And that is before we even mention the special services of various countries, which can gain access to user data thanks to legislation. Skype, VKontakte, TamTam and others provide any information about any user at the request of the authorities (for example, those of the Russian Federation).

Good protocol-level security? Not a problem, we break the device


A few years ago, a conflict broke out between Apple and the US government. The corporation refused to unlock an encrypted smartphone that figured in the case of the terrorist attacks in the city of San Bernardino. At the time this seemed a real problem: the data was well protected, and hacking the smartphone was either impossible or very difficult.

Now things are different. For example, the Israeli company Cellebrite sells to legal entities in Russia and other countries a hardware and software system that allows hacking all iPhone and Android models. Last year, an advertising booklet with relatively detailed information on this topic was published.


Magadan forensic investigator Popov hacks a smartphone using the same technology as the US Federal Bureau of Investigation. Source: BBC

By government standards, the device is cheap. For a UFED Touch2, the Volgograd Department of the TFR paid 800 thousand rubles, and Khabarovsk paid 1.2 million rubles. In 2017, Alexander Bastrykin, head of the Investigative Committee of the Russian Federation, confirmed that his department was using the Israeli company's solutions.

Sberbank also buys such devices, though not for investigations but to combat viruses on Android devices. “If mobile devices are suspected of being infected with an unknown malicious program code and after obtaining the mandatory consent of the owners of infected phones, analysis will be performed to search for constantly emerging and changing new viruses using various tools, including using UFED Touch2,” the company said.

The Americans also have technologies that allow hacking any smartphone. The company Grayshift promises to hack 300 smartphones for 15 thousand US dollars (that is $50 per unit versus $1500 for Cellebrite).

It is likely that cybercriminals have similar devices too. These devices are constantly being improved: their size decreases and their performance increases.

So far we have been talking about more or less well-known phones from major manufacturers that care about protecting their users' data. With smaller companies or no-name organizations, the data is extracted without any problems. HS-USB mode works even when the bootloader is locked. Service modes are, as a rule, a "back door" through which data can be extracted. If that does not work, one can connect to the JTAG port or even remove the eMMC chip and insert it into an inexpensive adapter. If the data is not encrypted, everything can be pulled from the phone, including the authentication tokens that provide access to cloud storage and other services.

If someone has in-person access to a smartphone holding important information, it can be hacked, no matter what the manufacturers say.

Clearly, all this applies not only to smartphones but also to desktop and laptop computers running various operating systems. If you do not resort to advanced protective measures and settle for conventional ones such as a login and password, the data will remain in danger. An experienced hacker with physical access to the device will be able to get almost any information; it is only a matter of time.

So what to do?


The issue of data security on personal devices has been raised on Habr more than once, so we will not reinvent the wheel. We list only the basic methods that reduce the likelihood of third parties obtaining your data:





Share in the comments your own ways of reducing the likelihood of data being hacked when a third party gains physical access to a device. We will then add the proposed methods to the article or publish them in our Telegram channel, where we regularly write about security, tips on using our VPN and Internet censorship.

Source: https://habr.com/ru/post/448708/

