nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Reminder: Spies, cops don't need to crack WhatsApp. They'll just hack your smartphone

Need to snoop on chatter? Forget math, just exploit a bug

By Shaun Nichols, 26 Jul 2017

Police in Germany will forego seeking decryption keys for secure messaging apps, like WhatsApp, and instead simply hack devices to snoop on suspects.

Given the grumblings coming from Australia, the UK, and other Five Eyes states about encrypted messaging, we suspect these nations will follow suit – if they're not there already.

While everyone freaks out about strong encryption, and how you can't change the laws of math to only allow the good guys to decrypt messages, don't forget: if crypto can't be tamed, the authorities will just exploit software and firmware bugs to compromise targets' phones, PCs and tablets.

When politicians talk of mandatory backdoors, this is probably what they mean: not necessarily backdoors in the cryptography, but back passages into suspects' software and apps.

According to leaked documents from the German Interior Ministry this week, the Euro nation's authorities will use a new version of remote communication interception software (RCIS) – better known as spyware – to pull communications directly from targets' devices, rather than intercepting and decrypting traffic.

It is claimed the updated RCIS tools can be covertly installed on PCs and handsets, silently hijacking the gear so that communications can be monitored after they've been received and decrypted.

Dubbed "RCIS 2.01," the toolkit is slated for release later this year, and works with desktop and mobile operating systems – including iOS, Android and Blackberry. It can access chats in WhatsApp and Telegram, we're told. Exactly how this spyware lands on a device is not clear: we imagine it can be physically installed, smuggled in an app or other download, injected wirelessly via a baseband or operating system exploit, or similar.

As broadcaster Deutsche Welle notes, thanks to a law passed last month, German police have the authority to hack and install software on the handsets and desktops of people they suspect to be terrorists.

Of course, governments keep a secret stash of bugs to exploit. The US and its Five Eyes allies have a suite of zero-day vulnerabilities and intrusion tools to attack handsets and desktops in order to eavesdrop on targets.

With government officials still struggling to convince the public of the need to give law enforcement the ability to decrypt communications on demand, the report out of Germany may well point the way toward future efforts to thwart encrypted chat apps. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing