Steve Morgan, Editor-In-Chief
On May 14, 2016 at 2:46pm EST, Cybersecurity expert John McAfee and a team of four other hackers, using their own servers located in a remote section in the mountains of Colorado, were able to read an encrypted WhatsApp message.
The big news that followed? McAfee tried tricking reporters into thinking he hacked WhatsApp’s encryption. Although, that is not at all what happened. One article went so far as opening with “John McAfee, noted liar…”. Apparently some people took offense to the word ‘hacked’.
‘Hacked’ was in fact used in the blog which announced what occurred — but McAfee didn’t write the blog post (WIRED says McAfee published the article), nor did he claim any type of hack of WhatsApp’s encryption. As the blog reported, McAfee went out of his way to point out WhatsApp was not to blame. The cyber section of law.com defines hacking as the practice of modifying or altering computer software and hardware to accomplish a goal that is considered to be outside of the creator’s original objective. Hacked doesn’t necessarily mean hacked code, although it could. Hacked in this story means a message that was supposed to be secure and unreadable, was read.
McAfee claimed to have discovered a serious design flaw within the Android operating system that allowed his team to access virtually everything happening within all Android devices.
Today, McAfee came forward with an explanation of the “hack”. Wait a second — not hack, uh… vulnerability. Maybe there’s even gentler word to use. Definitely don’t want to get the media all riled up again. Intent of this part II blog is to hear it from the horse’s mouth.
“The vulnerability in Android is that the “Download Unauthorized Apps” can be set by a website “drive by”, and a subsequent “click through” can force the download. Our app then does a keyboard overlay so that a modified version of MSpy can work with WhatsApp. You can verify that MSpy alone will not work with WhatsApp.”
“We took a standard keylogger that did not require root access, but also did not work with Whatsapp, and modified it, using a different keyboard overlay and a different means of log transmissions, so that we could remotely receive the keystroke inputs.
We then placed this app on a website that had been modified so that any access to the website resulted in the user’s android device having the “Download Unauthorized Applications” flag set so to “Yes”. The subsequent click-through caused the app to be downloaded and activated on the user’s phone. This is only one of dozens of methods that could be used to plant the application. The most common means would be to embed the app within a game program, a flashlight app, or any number of simple programs which could be easily written and placed on Google Play.”
So, what’s the point? “The entire point of my team’s demo is about “What Malware Can Do”. Almost everyone has some kind of malware on their phone. Whenever you download an app that asks for excessive permissions you have downloaded an app that is collecting information about you that it does not need in order to perform its “avowed” functions. This is a type of malware. When someone does a “drive by” of a porn site or other questionable website, malware has likely been installed to steal something from you. Phishing schemes install malware that now even encrypts your data and demand money to decrypt it. No-one denies this.”
McAfee does have a way of getting reporters rankled, and he knows it. “When I demonstrate malware that allows a person to read a communication that the user believes was secure, then the world comes unglued.” Did McAfee not share a hack — oops vulnerability — that can potentially be helpful for Google, WhatsApp, and end-users to know about?
In closing, McAfee stands by his hack — darn it again… vulnerability. “We, as users, have been lulled into a false sense of security by the idea of “encrypted communications”. It doesn’t matter how secure an encryption technique may be, if someone a few thousand miles away is able to read the message prior to encryption or after the message has been decrypted, by using a simple app that can be embedded in a game which the user downloads, planted through a phishing technique or placed on the phone by simply accessing a website. This, I believe, is what we have clearly demonstrated.”
McAfee did not say if he spoke with Google regarding the vulnerability. Cybersecurity Ventures checked with a VP responsible for security at Google, and there is no response as of yet.
Cybersecurity Ventures wants to be very clear — John McAfee did NOT come to us with pre-cooked phones and then change his story, as some media reported. Rather, McAfee came to us with what he claimed was an Android vulnerability which rendered a WhatsApp message less secure than it should have been. Then he put us in touch with a third party mobile forensics firm — LIFARS (who we verified did not know or ever speak with McAfee prior to the WhatsApp incident) — to help verify his claims.
— Steve Morgan
Visit SteveOnCyber.com to read all of my blogs and articles covering cybersecurity.