This FTI forensics report is not very strong. Lots of odd circumstantial evidence, for sure, but no smoking gun. The funny thing is that it looks like FTI potentially has the murder weapon sitting right there, they just haven't figured out how to test it. https://twitter.com/VICE/status/1220024147260203009
This is the behavior you would expect from WhatsApp. WA is targeted for slow/lossy networks, so the main control channel between the app and WA's servers is extremely optimized (Noise instead of TLS, 25519 instead of RSA). This is all documented here: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
When sending an attachment, instead of squeezing a big blob into an E2E format and noise pipe optimized for text messages, the sending client creates a symmetric key and encrypts the attachment. This is uploaded via a separate web service and hosted on a CDN. pic.twitter.com/rEl8vEqp8E
The per-attachment symmetric key is then sent as a special message within the E2EE Signal double-ratchet inside of the Noise pipe, along with a URL pointing to the blob. The WA client pulls the blob from the CDN. That is this URL pointing to mmg-fna.whatsapp[.]net. pic.twitter.com/R9peattWx8
This is the normal behavior of WhatsApp. It allows the app to keep working while the client tries to download the huge 8min 4k video your Mom sent of your nephew playing with a dog to the entire family group (um, to pick a totally random example). Nothing mysterious.
So how did FTI see enough of the video to characterize it and perform a "cursory analysis" but not an in-depth analysis? If they have the locally cached messages, then they should also have the ephemeral encryption key to decrypt the entire video.
If the video is the initial point of exploitation, then there MUST be some evidence of that in the video file itself. It's true that this will just be a first stage exploit that pulls down the rest of the malware, but the actual exploit and a bit of ARM shell must be there.
If FTI doesn't have the capability to do this analysis themselves, then they should ask for WhatsApp's help in decrypting the file and then should allow FB and Apple to investigate (there is at least one WA and one iOS vuln involved here).
Anyway, the idea that this report is the furthest you can go with access to the phone is wrong. The circumstantial evidence is reasonably compelling, but since this is a major national security issue now more eyes need to be on the evidence. FIN
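The attachment flow the thread above describes, as an added worked example (this is not the thread author's code and not WhatsApp's implementation): the sender makes a fresh symmetric key per attachment, encrypts the blob, parks the blob on a CDN, and sends only a small control message carrying the key and the URL over the E2EE channel; the receiver pulls the blob by URL and decrypts it with the key from that cached message. Assumptions made here so it runs on the Python standard library alone: the CDN is a dict, the URL host is a constructed example.invalid name, the control message carries an assumed `blob_sha256` integrity field, and an HMAC-SHA256 counter-mode keystream stands in for the real block cipher.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the CDN: url -> encrypted blob. The real host sees
# exactly this much: opaque ciphertext keyed by URL, never the attachment key.
CDN = {}


def _subkeys(attachment_key: bytes) -> tuple[bytes, bytes]:
    """Split the per-attachment key into a cipher key and a MAC key (assumed KDF)."""
    enc = hmac.new(attachment_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(attachment_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _xor_keystream(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream XORed over data.

    A stand-in for a real block cipher so the example needs no third-party
    library; XOR is symmetric, so the same call encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = iv + (offset // 32).to_bytes(4, "big")
        stream = hmac.new(enc_key, counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


def encrypt_attachment(plaintext: bytes) -> tuple[bytes, bytes]:
    """Sender side: fresh random key per attachment, encrypt-then-MAC the blob."""
    attachment_key = secrets.token_bytes(32)
    iv = secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(attachment_key)
    ciphertext = _xor_keystream(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return attachment_key, iv + ciphertext + tag


def upload_to_cdn(blob: bytes) -> str:
    """Sender side: the blob goes over a separate upload service and lands on the CDN."""
    url = "https://cdn.example.invalid/" + secrets.token_hex(16)  # constructed URL
    CDN[url] = blob
    return url


def build_control_message(url: str, attachment_key: bytes, blob: bytes) -> dict:
    """The small message that travels inside the E2EE Signal session, not the blob."""
    return {
        "url": url,
        "key": attachment_key,
        "blob_sha256": hashlib.sha256(blob).digest(),  # assumed integrity field
    }


def fetch_and_decrypt(message: dict) -> bytes:
    """Receiver side: pull the blob by URL, check it, decrypt with the message key."""
    blob = CDN[message["url"]]
    if not hmac.compare_digest(hashlib.sha256(blob).digest(), message["blob_sha256"]):
        raise ValueError("blob on CDN does not match the hash in the E2EE message")
    iv, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(message["key"])
    expected_tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        raise ValueError("attachment MAC check failed")
    return _xor_keystream(enc_key, iv, ciphertext)


def roundtrip(plaintext: bytes) -> tuple[bytes, dict, bytes]:
    """Full exchange: returns (blob as stored on the CDN, E2EE message, decrypted bytes)."""
    key, blob = encrypt_attachment(plaintext)
    url = upload_to_cdn(blob)
    message = build_control_message(url, key, blob)
    return blob, message, fetch_and_decrypt(message)


if __name__ == "__main__":
    # Constructed sample "video": an MP4-looking header followed by random bytes.
    video = b"\x00\x00\x00\x18ftypmp42" + secrets.token_bytes(4096)
    blob, msg, recovered = roundtrip(video)
    print("CDN blob contains plaintext header?", video[:12] in blob)
    print("receiver recovered the attachment?", recovered == video)
```

Running it shows the two facts the thread leans on: the blob held by the CDN never contains the attachment bytes, while anyone holding the cached control message (the key plus the URL) recovers the attachment with `fetch_and_decrypt`. A message with the right URL but the wrong key fails the MAC check instead of yielding garbage, and a blob altered on the CDN fails the hash check before decryption is attempted.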
Why don't phone manufacturers like @Apple and telcos monitor this kind of huge spike egress of data for signs of a hack and inform the user of unusual background activity on the phone. Feels like a much-needed feature? pic.twitter.com/tC5yWzo83D
To the phone provider, this looks like "user turned on iCloud backup". Allowing for security products to monitor iOS activity is something a number of enterprises have asked Apple for.