U tweetove putem weba ili aplikacija drugih proizvođača možete dodati podatke o lokaciji, kao što su grad ili točna lokacija. Povijest lokacija tweetova uvijek možete izbrisati. Saznajte više
This FTI forensics report is not very strong. Lots of odd circumstantial evidence, for sure, but no smoking gun. The funny thing is that it looks like FTI potentially has the murder weapon sitting right there, they just haven't figured out how to test it.https://twitter.com/VICE/status/1220024147260203009 …
The initial reporting about an "encrypted downloader" for the WhatsApp video were rather confusing. Now that we can see the report, it looks like this is just a normal attachment as delivered by WhatsApp. Here are the relevant parts of the report.pic.twitter.com/MzmVaLBTND
This is the behavior you would expect from WhatsApp. WA is targeted for slow/lossy networks, so the main control channel between the app and WA's servers is extremely optimized (Noise instead of TLS, 25519 instead of RSA). This is all documented here: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf …
When sending an attachment, instead of squeezing a big blob into an E2E format and noise pipe optimized for text messages, the sending client creates a symmetric key and encrypts the attachment. This is uploaded via a separate web service and hosted on a CDN.pic.twitter.com/rEl8vEqp8E
The per-attachment symmetric key is then sent as a special message within the E2EE Signal double-ratchet inside of the Noise pipe, along with an URL pointing to the blob. The WA client pulls the blob from the CDN. That is this URL pointing to mmg-fna.whatsapp[.]net.pic.twitter.com/R9peattWx8
This is the normal behavior of WhatsApp. It allows the app to keep working while the client tries to download the huge 8min 4k video your Mom sent of your nephew playing with a dog to the entire family group (um, to pick a totally random example). Nothing mysterious.
So how did FTI see enough of the video to characterize it and perform a "cursory analysis" but not an in-depth analysis? If they have the locally cached messages, then they should also have the ephemeral encryption key to decrypt the entire video.
If the video is the initial point of exploitation, then there MUST be some evidence of that in the video file itself. It's true that this will just be a first stage exploit that pulls down the rest of the malware, but the actual exploit and a bit of ARM shell must be there.
If FTI doesn't have the capability to do this analysis themselves, then they should ask for WhatsApp's help in decrypting the file and then should allow FB and Apple to investigate (there is at least one WA and one iOS vuln involved here).
Anyway, the idea that this report is the furthest you can go with access to the phone is wrong. The circumstantial evidence is reasonably compelling, but since this is a major national security issue now more eyes need to be on the evidence. FIN
cc @iyad_elbaghdadi , can you get this to the appropriate people?
*waves* hi
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.
