When encryption won't help: talk about physical access to the device

In February, we published the article “Not a VPN alone. A cheat sheet on how to protect yourself and your data”. One of the comments prompted us to write a continuation. This part is a completely independent source of information, but we still recommend that you read both posts.

The new post is devoted to the security of data (correspondence, photos, videos and so on) in instant messengers and on the devices used to run those applications.

Messengers

Telegram

Back in October 2018, Wake Technical College first-year student Nathaniel Sachi discovered that the Telegram messenger saves messages and media files on the local computer drive in clear text.

The student was able to access his own correspondence, including text and pictures. To do this, he examined the application databases stored on the HDD. It turned out that the data is hard to read, but not encrypted, and it can be accessed even if the user has set a password for the application.

The names and phone numbers of the interlocutors were found in the retrieved data and can, if desired, be matched to each other. Information from private chats is also stored in clear text.

Later, Durov said that this was not a problem, because if an attacker has access to a user's PC, he will be able to obtain the encryption keys and decrypt all correspondence without any trouble anyway. But many information security experts argue that this is still serious.

In addition, Telegram was vulnerable to a key theft attack found by a Habr user, which allowed the local code password of any length and complexity to be cracked.

WhatsApp

As far as we know, this messenger also stores data on the computer disk in unencrypted form. Accordingly, if an attacker has access to the user's device, all of that data is exposed as well.

But there is a bigger problem. All backups from WhatsApp installed on Android devices are now stored in Google Drive, as Google and Facebook agreed last year. But the backups of correspondence, media files and the like are stored in unencrypted form. As far as one can judge, US law enforcement agencies have access to Google Drive, so there is a possibility that the security services can view any saved data.

It would be possible to encrypt the data, but neither company does so. Perhaps simply because unencrypted backups can be transferred and used by the users themselves without any difficulty. Most likely, the absence of encryption is not because it is technically difficult to implement: on the contrary, backups can be protected without any trouble. The problem is that Google has its own reasons for working with WhatsApp: the company supposedly analyzes data stored on Google Drive servers and uses it to display personalized ads. If Facebook suddenly introduced encryption for WhatsApp backups, Google would instantly lose interest in such a partnership, losing a valuable source of data on WhatsApp users' preferences. This, of course, is only an assumption, but a very plausible one in the world of hi-tech marketing.

As for WhatsApp for iOS, backups are saved to iCloud. But here, too, the information is stored in unencrypted form, as the application settings themselves mention. Whether Apple analyzes this data or not, only the corporation itself knows. True, the Cupertino company does not have an advertising network like Google's, so we can assume that the likelihood of it analyzing the personal data of WhatsApp users is much lower.

All of the above can be summed up as follows: yes, you are not the only one with access to your WhatsApp correspondence.

TikTok and other messengers

This short-video sharing service became popular very quickly. The developers promised to ensure the complete security of their users' data. As it turned out, the service itself used this data without notifying users. Worse, the service collected personal data from children under 13 without parental consent. Personal information of minors (names, e-mail addresses, phone numbers, photos and videos) was made public.

The service was fined several million dollars, and regulators also demanded that all videos taken by children under 13 be removed. TikTok complied. However, other messengers and services also use users' personal data for their own purposes, so you cannot be sure of their safety either.

This list is endless: most instant messengers have one vulnerability or another that allows attackers to eavesdrop on users (Viber is a great example, although everything there seems to have been fixed) or steal their data. In addition, almost all of the top 5 applications store user data in an unprotected form on the computer's hard drive or in the phone's memory. And that is without mentioning the intelligence services of various countries, which may have access to user data by law. Skype, VKontakte, TamTam and others hand over any information about any user at the request of the authorities (for example, those of the Russian Federation).

Good security at the protocol level? Not a problem, we break the device

A few years ago, a conflict broke out between Apple and the US government. The corporation refused to unlock an encrypted smartphone that figured in the case of the terrorist attack in San Bernardino. At the time, this seemed like a real problem: the data was well protected, and breaking into a smartphone was either impossible or very difficult.

Now things are different. For example, the Israeli company Cellebrite sells to legal entities in Russia and other countries a hardware and software system that can break into all iPhone and Android models. Last year an advertising booklet with relatively detailed information on the subject was published.

Magadan forensic investigator Popov hacks into a smartphone using the same technology used by the US Federal Bureau of Investigation. Source: BBC

The device is inexpensive by government standards. The Volgograd department of the TFR paid 800 thousand rubles for a UFED Touch2, and the Khabarovsk department 1.2 million rubles. In 2017, Alexander Bastrykin, head of the Investigative Committee of the Russian Federation, confirmed that his department uses the Israeli company's solutions.

Sberbank also buys such devices, though not for investigations but to fight viruses on Android devices. “If it is suspected that mobile devices are infected with unknown malicious code, and after obtaining the mandatory consent of the owners of the infected phones, an analysis will be carried out to search for constantly emerging and mutating new viruses using various tools, including UFED Touch2,” the company stated.

The Americans also have technology for breaking into any smartphone. Grayshift promises to unlock 300 smartphones for $15 thousand (that's $50 per unit versus $1500 for Cellebrite).

It is likely that cybercriminals have similar devices as well. These devices are constantly being improved: they are getting smaller and faster.

So far we have been talking about more or less well-known phones from large manufacturers that care about protecting their users' data. If we are talking about smaller companies or no-name manufacturers, the data is extracted without any difficulty. HS-USB mode works even when the bootloader is locked. Service modes are usually a "back door" through which data can be retrieved. If not, one can connect to the JTAG port or even remove the eMMC chip and insert it into an inexpensive adapter. If the data is not encrypted, absolutely everything can be pulled from the phone, including authentication tokens that grant access to cloud storage and other services.
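Both the Telegram finding above (data "hard to read, but not encrypted") and this paragraph come down to one question: is the data at rest actually encrypted, or merely obfuscated? The following is an added example, not code from the original post, of a self-check a user can run over an app's local data directory: it flags files with a known cleartext header and uses byte entropy as a rough indicator. The signature list, thresholds and sample files are constructed for this example.

```python
import math
import os
from collections import Counter

# Magic bytes of cleartext formats an app might leave on disk (constructed list).
SIGNATURES = {
    b"SQLite format 3\x00": "cleartext: SQLite database",
    b"{": "cleartext: JSON/text",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """Judge whether a blob looks like app data stored in clear. A known header
    is a definite finding; high entropy only means "not obviously cleartext",
    since compressed data looks the same as encrypted data."""
    for magic, label in SIGNATURES.items():
        if data.startswith(magic):
            return label
    if shannon_entropy(data[:65536]) > 7.5:
        return "high entropy: encrypted or compressed (cannot tell which)"
    return "low entropy: likely unencrypted (structured or obfuscated data)"

def scan_directory(path: str) -> dict:
    """Classify the first 64 KiB of every file under `path`."""
    report = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                report[os.path.relpath(full, path)] = classify(fh.read(65536))
    return report

# Constructed samples standing in for a messenger's local data directory.
SAMPLES = {
    "messages.db": b"SQLite format 3\x00" + b"\x00" * 4096,  # plain database
    "cache.bin": bytes(i % 16 for i in range(4096)),          # "hard to read", not encrypted
    "vault.enc": os.urandom(4096),                            # random bytes, looks encrypted
}

def scan_samples() -> dict:
    return {name: classify(blob) for name, blob in SAMPLES.items()}
```

Pointing scan_directory() at a real app data folder gives the same verdicts for real files; a "high entropy" verdict is not proof of encryption, only the absence of obvious cleartext.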

If someone has physical access to a smartphone holding important information, it can be broken into if one so wishes, no matter what the manufacturers say.

Clearly, all of the above applies not only to smartphones, but also to desktop and laptop computers on various operating systems. If you do not resort to advanced security measures and are content with the usual login and password, the data remains at risk. An experienced hacker with physical access to the device will be able to get almost any information; it's only a matter of time.

So what to do?

On Habr, the issue of data security on personal devices has been raised more than once, so we will not reinvent the wheel. We will only list the main methods that reduce the likelihood of third parties getting hold of your data:

  • Use data encryption on both your smartphone and PC without fail. Operating systems often provide good facilities for this by default; an example is creating an encrypted container in Mac OS with built-in tools.

  • Set passwords everywhere, including on your correspondence history in Telegram and other instant messengers. Naturally, the passwords should be complex.

  • Two-factor authentication: yes, it can be inconvenient, but if security comes first, you have to put up with it.

  • Control the physical security of your devices. Took a corporate PC to a cafe and forgot it there? A classic. Safety standards, including corporate ones, are written in the tears of the victims of their own negligence.

Share in the comments your own methods that reduce the likelihood of a data breach when a third party gains access to a physical device. We will then add the proposed methods to the article or publish them in our Telegram channel, where we regularly write about security, life hacks for using our VPN, and Internet censorship.

Source: habr.com
