Why WhatsApp can be an unreliable witness for the prosecution

Hacking is not exactly the most exciting spectator sport. On a table sit two smartphones and a laptop computer, the screen of which is filled with illegible coding. Jaime Sánchez and Pablo San Emeterio, two programmers who are experts in cybersecurity, have just managed to hack WhatsApp, creating a new identity and sending a message to my smartphone. It’s discreet magic, but powerful; a small crack in a messaging service with half-a-billion users and daily traffic of 10 billion messages, and which was recently bought by Facebook for €14 billion. What these two hackers have just done is the 21st-century equivalent of breaking into a post office and creating fake registered letters from somebody who didn’t write them.

Sánchez and San Emerterio have just shown how easy it is to hack WhatsApp. This is how it works: under normal circumstances, a message from telephone A to telephone B using WhatsApp goes through a server and a system using four passwords that allows it to enter and leave. What our two hackers have done is get themselves into the middle of that process. The message goes through the WhatsApp domain, but before reaching telephone B it is intercepted. The hackers then use their computer to type in the name and phone number of the person they want to replace. When the message arrives at telephone B, this not only doesn’t reject it, but also there is no way of knowing that the sender’s identity has been interfered with. And as WhatsApp doesn’t store data on its servers, it is impossible to find the original sender. In under a minute, the hackers send three message from telephone A that reach B as though they had been sent from three different numbers: the real number, and the other two, which for the purposes of our story they have called “boss” and “ex” to highlight the growing legal problems that WhatsApp’s security failings present.

“We earn our living by looking for weaknesses that might be used by criminals against the security of private individuals or businesses,” says Sánchez, who, along with San Emeterio, has been working on WhatsApp’s weaknesses for a couple of years. Over that time they have discovered how to eavesdrop on conversations, they have deciphered passwords, created malicious messages that crash the recipient’s smartphone… All these weaknesses, which they have presented at international conferences, have subsequently been patched up by WhatsApp with varying degrees of success.

The experts have found a crack in a messaging service with half-a-billion users and daily traffic of 10 billion messages

But the company has yet to come up with a solution to the pair’s latest discovery. “Modifying the name of the sender of a message could have all sorts of implications, both on a day-to-day basis, as well as in the courts, relating to divorces, blackmail…” says San Emeterio: “For example, you could file a complaint against somebody for threatening you by providing false messages from somebody else’s phone seen as evidence.” As we’ve seen, all that is required is the number of the phone from which you wish to send the fake message.

The Softronic.com site, which has 125 million unique users per month, published Sánchez and San Emeterio’s work in March, prompting a reaction from Jan Koum, the founder of WhatsApp. Koum said that the Spanish pair had not compromised the security of the company’s servers, given that the message was changed when it reached the recipient. A spokesman for the company told EL PAÍS: “Security is a priority for WhatsApp.”

Not that the average WhatsApp user is going to have much idea of how to exploit this weakness, says Sánchez and Softronic. “It's not something that any normal user would be able to copy,” said Softronic at the time, warning in another article: “the fact that messages can be faked on a phone could have effects in countries where WhatsApp messages are admissible in courts of law.”

As WhatsApp doesn’t store data on its servers, it is impossible to find the original sender

In Spain, a Google search using the keywords “WhatsApp” and “sentencia” (court ruling) gives some idea of the potential scale of the problem. In July 2011, a court in Las Palmas in the Canary Islands, ratified a sentence for libel based in part on a WhatsApp conversation between the accused and the boyfriend of the person bringing the charge; in March 2013, four teenage girls in Vigo were ordered to pay fines of up to 200 euros for threatening another young woman who had joined their WhatsApp group; in November 2013, a man was given a 21-month jail term for sending 2,147 WhatsApp messages (as well as making 53 missed calls) to his former partner; in February 2014, the Supreme Court accepted as evidence in a drugs-smuggling case WhatsApp conversations between the accused; last month, a court in Pontevedra opened a case against a man who used WhatsApp to send messages about Civil Guard traffic checkpoints; and earlier this month, a judge looked at the transcriptions of WhatsApp conversations between a teacher accused of abusing female pupils…

“The growing use of WhatsApp as evidence in trials is astonishing,” says Carlos Aldama, a computer programmer and expert witness at trials. A year ago, he says he was assessing around one WhatsApp message a month, a figure that has now risen to six a month, related to cases of all types: divorce, adultery, custody, business dealings, child abuse…

“Around one in 20 messages are falsified,” he explains. He says he has come across everything from clumsy screen captures of conversations, attempts to change the GPS from where a message was sent, or even trying to destroy a smartphone’s memory by infecting it with a virus. “All of these kinds of practices can be recorded before a notary public, who attests to what he or she sees, but without knowing whether the evidence has been falsified,” says Aldama, adding that on the Deep Web, a kind of parallel internet where it is possible to purchase drugs, access child pornography, or even buy weapons, hackers who can falsify WhatsApp messages can be hired for $50.

We earn our living by looking for weaknesses that might be used by criminals”

Among the options for digital wrongdoing, faking a sender identity is clearly the most sophisticated. “To detect this, an IT expert would have to have access to both phones, and to the data transfer report or the router that was used,” says Aldama. “In court, an expert witness like myself would not allow any messages to be used as incontrovertible proof, but even so, what the two Spaniards have detected is a serious security flaw.” Aldama says that if the justice system in Spain, or anywhere else for that matter, wants to offer reasonable guarantees for defendants, it will have to hire a lot more computer experts.

“The courts are not ready for this: the judges are not properly trained in computer technology,” says Federico Bueno de Mata, a lecturer in Procedural Law at the University of Salamanca, and author of a prizewinning doctoral thesis on electronic evidence. He says that the legislation covering evidence, from 2000 and 2009, has not kept up with the pace of technological change: “As a result, our justice system is in danger of being out of date in terms of evidence. A judge’s assessment of electronic evidence is totally dependent on what the expert witness says.” He says this means that trainee judges will now have to be examined on their IT knowledge, while those already practicing will need to attend courses on computer technology.

Lawyers, expert witnesses and cybersecurity specialists all agree that messaging services need to accept their responsibilities in all this. “Some companies see security as an investment rather than a cost, something that delays development time in a fast-moving market,” says Sánchez.

“The majority of times companies respond to security leaks identified by hackers grudgingly, only addressing issues when they are brought up. But once the news is out there that this or that security aspect of a service has been breached, it is only a matter of time before more people learn how to do it: messaging companies need to be much more proactive in taking measures to improve security,” says Aldama.