An Israeli company is marketing what appears to be an astonishing surveillance capability, claiming it can siphon off all WhatsApp chats, including encrypted communications, from phones within close proximity of a hidden Wi-Fi hacking device in a backpack.
Brochures leaked to FORBES, and published below, revealed a non-public offering from Haifa-based Wintego called CatchApp. It promises an “unprecedented capability” to break through WhatsApp encryption and grab everything from a target’s account. It does so through a “man-in-the-middle” (MITM) attack; in theory the traffic is intercepted between the app and the WhatsApp server and somehow the encryption is decoded by the device, though that may not be possible with the latest upgrades to the software’s cryptography.
According to the anonymous source who handed FORBES the documents, the product works on the most current versions of WhatsApp; the source noted that the brochures were handed out at a policing event this year. They could not offer any proof of that claim, however, and the files may date from before WhatsApp added significantly stronger end-to-end encryption.
WhatsApp, owned by Facebook, started deploying end-to-end encryption with the much-respected Signal protocol in late 2014. But the full rollout wasn’t complete until April this year. The Wintego brochure is no older than April 2015, the date the literature cites for the number of WhatsApp users at 800,000. WhatsApp hit one billion users in February 2016, however, which raises the question: why not use the more current figure?
Is it possible?
The CatchApp feature can be delivered from Wintego’s WINT product, a hacking device that fits snugly into a backpack, according to the documents. Other brochures handed to FORBES claimed the WINT “data extraction solution” can obtain “the entire contents of your targets’ email accounts, chat sessions, social network profiles, detailed contact lists, year-by-year calendars, files, photos, web browsing activity, and more.” It does that by acquiring login credentials for distinct accounts and then silently downloading “all the data stored therein”.
WINT’s Cyber Data Extractor can overcome “the encryption and security measures of many web accounts and apps” to grab those credentials, Wintego claimed. Where no credentials are required – with chat apps like WhatsApp and, presumably, Facebook Messenger, Google Allo, Telegram, etc. – the Extractor can pilfer “secured data right from the apps.”
Wintego claims WINT first gains access to a device by intercepting Wi-Fi communications, whether they’re open or private encrypted networks. WINT uses four separate Wi-Fi access points so it can track multiple targets, and high-gain antennas to catch those at a distance. It’s small enough to fit into any backpack, said Wintego, so it is ideal for stealthy operations.
Security experts aren’t convinced Wintego’s kit is as powerful as advertised, though, and it shouldn’t be possible to crack open WhatsApp using the firm’s techniques. It may be, suggested Jonathan Zdziarski, that the CatchApp tech is exploiting Secure Sockets Layer (SSL) encryption. “I suspect they’re taking advantage of a number of vulnerabilities in SSL implementations… many systems are susceptible to downgrade attacks and other types of MITMs.” SSL is no longer in use in the Signal protocol, however, replaced recently by an alternative called Noise. But many other chat apps continue to use SSL.
Another possibility is that CatchApp is malware thrust onto a device over Wi-Fi that specifically targets WhatsApp. But it’s almost certain the product cannot crack the latest standard of WhatsApp cryptography, said Matthew Green, a cryptography expert and assistant professor at the Johns Hopkins Information Security Institute. Green, who has been impressed by the quality of the Signal code, added: “They would have to defeat both the encryption to and from the server and the end-to-end Signal encryption. That does not seem feasible at all, even with a Wi-Fi access point.
“I would bet mundanely the password stuff is just plain phishing. You go to some site, it asks for your Google account, you type it in without looking closely at the address bar.
“But the WhatsApp stuff manifestly should not be vulnerable like that. Interesting.”
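To make Green’s “both layers” point concrete, here is an added illustration (not code from the article, Wintego or WhatsApp): a message is wrapped first with an end-to-end key that only the two phones hold, then with a transport key shared with the server, and a rogue access point is assumed to have already defeated the transport layer, the best case for a Wi-Fi interceptor. The ciphers are toy HMAC-based constructions standing in for TLS/Noise and the Signal protocol; the keys and message are constructed sample values.

```python
import hmac
import hashlib
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: keystream block i = HMAC-SHA256(key, nonce || i).
    # Illustration only; real apps use AES-GCM or the Signal Double Ratchet.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC. Layout: nonce(16) || ciphertext || tag(32).
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_box(key: bytes, box: bytes) -> bytes:
    # Verify the tag before decrypting; a modified box is rejected outright.
    nonce, ct, tag = box[:16], box[16:-32], box[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return keystream_xor(key, nonce, ct)

def send_message(e2e_key: bytes, transport_key: bytes, plaintext: bytes) -> bytes:
    # Inner layer: end-to-end key known only to sender and recipient.
    # Outer layer: transport key between the phone and the messaging server.
    return seal(transport_key, seal(e2e_key, plaintext))

def wifi_interceptor(transport_key: bytes, wire: bytes) -> bytes:
    # A rogue access point that has (hypothetically) broken the transport layer,
    # e.g. via a downgrade attack, recovers only the still-encrypted inner box.
    return open_box(transport_key, wire)

def recipient(e2e_key: bytes, transport_key: bytes, wire: bytes) -> bytes:
    return open_box(e2e_key, open_box(transport_key, wire))

def demo() -> dict:
    e2e_key, transport_key = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"constructed sample message: call me at nine"
    wire = send_message(e2e_key, transport_key, msg)
    tampered = wire[:20] + bytes([wire[20] ^ 0x01]) + wire[21:]
    try:
        open_box(transport_key, tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"plaintext": msg, "recipient": recipient(e2e_key, transport_key, wire),
            "interceptor_sees": wifi_interceptor(transport_key, wire),
            "tamper_rejected": tamper_rejected}
```

Even with the transport key in hand, the interceptor’s output is the inner ciphertext plus its nonce and tag, never the message; only a break of the end-to-end layer itself would change that.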
Neither WhatsApp nor Moxie Marlinspike, the cryptographer behind Signal, would comment without more specific details about the tool’s capability. Either Wintego is embellishing what its real capability is, or it has a set of exploits that the rest of the world doesn’t yet know about.
Wintego in Taiwan
Wintego was founded by alumni of Verint, another Israeli firm, but one that’s become a dominant force in the surveillance sphere, most notably as a provider for America’s National Security Agency (NSA).
Yuval Luria acts as the face of the company, promoting the kit at major surveillance shows. He recently presented at the ISS World Training event in Prague (also known as the Wiretappers’ Ball), giving a talk on A Hybrid Tactical-Strategic Approach for Extracting Cyber Intelligence. Nhevo Kaufman appears to act as company chief, having set up the firm’s website back in 2011.
Possibly in an attempt to keep their identities under wraps, neither publicly notes his affiliation with Wintego on his LinkedIn profile. Instead, Luria lists no company at all, whilst Kaufman is the founder and CEO of NK Business Ventures (NK-BV), a company that has no public website and for which there’s little-to-zero public information. FORBES believes NK-BV is the parent of Wintego or is a sales arm for the company and others in the industrial surveillance complex.
In a brief conversation with FORBES, Kaufman could not confirm that, nor could he say whether the CatchApp tool still worked against the most current version of WhatsApp. He declined to offer any specific information about the provider. “Any specific details about products is in contrary to the sensitivity of the products due to the customers that are using them,” Kaufman added.
“I’m not interested in giving any specific details. I would jeopardise the sensitive issues of our customers who are using products like this. Naturally they’re customers that are governmental customers… referring to specific details of the product is not something that would be appropriate to put in an article like this.”
The most revealing information about NK Business Ventures can be found in the Wikileaks-hosted files leaked from spyware provider Hacking Team. Luria, in discussions about forming a partnership between NK-BV and Hacking Team, noted: “The company represents several key customers and integrators in different countries, providing security and intelligence solutions from both the Israeli market and the international market.”
In the thread, dated October 2012, Luria reveals the company represents Taiwan, though he doesn’t disclose the name of the body he worked with. By the end of that conversation, a deal with Hacking Team – a company criticised for selling invasive tools to countries with weak human rights records – is all but confirmed. “In his words the opportunity seems very concrete and if we want to try to visit the client on Wednesday 31 October straight after Macao we need to send him asap the Dealer Agreement,” wrote Hacking Team’s Singapore representative Daniel Maglietta. There was, however, no further open email communication between the two parties.
Wintego is, then, another member of the highly-secretive surveillance industry and another member of Israel’s elite professional spy industry. It has a number of equally-reticent competitors in the Wi-Fi intercept game, including two firms FORBES encountered at the Milipol event in Paris last November: Israel’s Rayzone and China’s Long Hope. Ability Inc., a provider of network exploitation capabilities that promises to spy on any device with just a telephone number for $20 million, ranked Wintego as one of its competitors too.
As with Hacking Team, human rights experts are worried about who is watching over exports of such powerful technology and whether it’s being used responsibly. “Wintego continue to position themselves as a global threat to individuals’ privacy, creating technology like CatchApp to attack WhatsApp, a messaging app that is used by diplomats, journalists and the general public alike,” said Christopher Weatherhead, technologist at Privacy International.
“Although it appears unclear from the documents the efficacy of this technology, it is useful to understand possible weaknesses in the software and how it can betray us. Which could allow a slew of nefarious characters such as hackers and malware companies to gain access to people’s communications.”
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.