And here we have yet another reason to stay the heck off the open WiFi at airports and other hotspots.

Being curious I decided to see what gets broadcast over the air when I send WhatsApp messages to my friends. I connected my phone to my WiFi and messaged a friend. What I found was very interesting…

First thing I noticed, because I was looking for it, is that my outgoing message was not encrypted. Also, the cellphone number of the device that I was sending the message TO was also included in plain text.

When my friend replied, her Cellphone number, first name and the message was included in plain text as well.

I am guessing that the name displayed is her username or the first name used in the WhatsApp contact list on the devices.

Still it is worrying.

With some stuff XXXed out to make sure I protect the parties involved privacy, here are some snippets from the TCPDump that I ran.

From the firewall:

GF.B<.e...]....XXXXXXXXXXX.......o.B.l..]....XXXXXXXXXXX...C..1314121604-4......O.........7Ok cool. Wow whatsapp broadcast messages in plain text!
21:13:58.127677 IP 173.192.219.130-static.reverse.softlayer.com.xmpp-client > 192.168.11.100.39340: Flags [P.], seq 1009:1076, ack 1199, win 514, options [nop,nop,TS val 1111274701 ecr 4671144], length 67

I then snarfed the traffic from my laptop over an unsecured access point, and was able to read messages between my phone and my friend.

From My Laptop

(The message below was in Afrikaans, my friend said “I am not going to use whatapp(sic) anymore”)

1314127324....e..a..XXXX(Friends Name)..........Ek gaan nie meer whatapp nie
21:22:07.640997 IP (tos 0x0, ttl 42, id 19165, offset 0, flags [DF], proto TCP (6), length 52)
173.192.219.130-static.reverse.softlayer.com.xmpp-client > 192.168.11.100.39340: Flags [.], cksum 0xc7ec (correct), seq 275, ack 165, win 514, options [nop,nop,TS val 1111860623 ecr 4821733], length 0

You can see my phones IP address on my network is included as well. I did not see my cellphone number anywhere, or I missed it, but I am guessing it would be included if I were on 3G, like my friend was.

So, this is a short and ugly post that reminds you to stay off unsecured access points – and to think twice what messages you send over WhatsApp, and even with messaging clients in general – it can be read by an unintended third party.

Now unencrypted email are readable over the wire as well, unencrypted messages are just that: unencrypted, make sure you are savvy when using your devices folks!

No related posts.