Steve Morgan, Editor-In-Chief
McAfee broke the hack news to Cybersecurity Ventures by phone, and followed with an email to us providing details of the feat.
The WhatsApp message was exchanged between two cooperating researchers located at the New York City headquarters office of LIFARS, a cyber intelligence and digital forensics firm with deep domain experience in the mobile security field. A tiny app written by McAfee’s team was downloaded onto two brand new Android phones which were used for the message exchange.
The message was written and exchanged yesterday at 2:45pm EST in New York, and roughly one minute later it was read by McAfee and his hacking team in Colorado.
WhatsApp touts powerful security on the FAQs page of its website, which states “Privacy and security is in our DNA, which is why we have end-to-end encryption in the latest versions of our app. When end-to-end encrypted, your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.”
When asked who was responsible for the vulnerability, McAfee was quick to say WhatsApp should not be blamed, and the problem is with Google. He claims to have discovered a serious design flaw within the Android operating system that allowed his team to access virtually everything happening within all Android devices.
McAfee would only reveal the identity of one hacker on his team — Chris Roberts, who was formerly founder of One World Labs, Inc., a Denver, Colo. based cybersecurity firm which filed for bankruptcy according to a story in The Wall Street Journal. A CNN story last year reports Roberts told the FBI he hacked into commercial jetliners on numerous occasions and even took control of an aircraft engine on a flight. Roberts told the Washington Post that he was only out to improve airline security.
Given the media coverage around the FBI’s investigation into Roberts, McAfee was asked about the motivations for attempting the WhatsApp message hack. “I have been warning the world for years that we are teetering on the edge of an abyss, that our cyber security paradigms no longer function, and that chaos will descend if something is not done” said McAfee. “The fundamental operating system (Android), used by 90% of the world, and that should be the first bulwark against malicious intrusion, is flawed. Should I not bring this to the world’s attention through a dramatic demonstration? Do I not owe it to the world?”
Ondrej Krehel, CEO at LIFARS — who acknowledged his firm did forensics on the phone — issued a memo indicating malware traces and related activities were found on the phones. The memo explains the phones suffered from both a spyware app and a keyboard recording vulnerability. Krehel said the compromise did not require rooting — the Android equivalent of jailbreaking — whereby a user unlocks the OS and installs unapproved apps and may perform other unauthorized actions, which include updating the OS, replacing the firmware, and others which are unapproved by Google. LIFARS is keeping the memo under wraps until the Colorado hacking team has a chance to discuss the vulnerability with Google.
McAfee said he is open to dialogue with Google and WhatsApp in order to help remedy the vulnerability, and there would be no cost for his services. “This in no way was done for financial gain. This was my obligation to my tribe” said McAfee.
For anyone thinking about switching from WhatsApp to SnapChat, not so quick. McAfee said that as of this morning his team is now capable of demonstrating the same capability with SnapChat communications.
The “serious design flaw” in Android is the big issue at hand. McAfee declined to go on the record with exactly what the flaw is, and how his team was able to read the WhatsApp message… but he agreed to share the information after speaking with Google.
— Steve Morgan
Update: May 24, 2016 — Part II, McAfee tells how he did it