When encryption does not help: talk about physical access to the device

    In February, we published the article “Not a single VPN. A cheat sheet on how to protect yourself and your data.” One of the comments prompted us to write a continuation. This part is a completely self-contained source of information, but we still recommend reading both posts.


    The new post is devoted to the security of data (correspondence, photos, videos and so on) in instant messengers and on the devices used to run those applications.

    Instant messengers


    Back in October 2018, Nathaniel Suchy, a first-year student at Wake Technical College, found that the Telegram messenger stores messages and media files on the computer's local disk in the clear.

    The student was able to access his own correspondence, including text and pictures. To do this, he examined the application databases stored on the HDD. It turned out that the data is hard to read, but not encrypted, and it can be accessed even if the user has set a password for the application.

    The data obtained included the names and phone numbers of the interlocutors, which, if desired, can be matched to each other. Information from private chats is also stored in the open.

    Later, Durov said that this is not a problem, because if an attacker already has access to the user's PC, he will be able to obtain the encryption keys and decrypt all correspondence anyway. But many information security experts consider it serious.

    In addition, Telegram turned out to be vulnerable to a key theft attack discovered by a Habr user: the local passcode can be cracked regardless of its length and complexity.


    WhatsApp

    As far as we know, this messenger also stores data on the computer's disk in unencrypted form. Accordingly, if an attacker has access to the user's device, all the data is open to him as well.
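A defender-side check for the storage problem described for Telegram above and for WhatsApp here, added as an example that is not from the article: it builds a constructed SQLite file standing in for a messenger's local store, then audits any file on disk by measuring its byte entropy and looking for phone numbers still readable in the raw bytes. A random blob stands in for a properly encrypted store; the phone-number format and file layout are assumptions.

```python
import math
import os
import re
import sqlite3
import tempfile

# E.164-style numbers as they would sit in a database page (assumed format).
PHONE_RE = re.compile(rb"\+\d{10,13}")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, SQLite/JSON far lower."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def make_sample_chat_db(path: str) -> None:
    """Constructed stand-in for a messenger's local store: plain SQLite, no encryption."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE contacts (name TEXT, phone TEXT)")
    con.execute("CREATE TABLE messages (peer TEXT, body TEXT)")
    con.executemany("INSERT INTO contacts VALUES (?, ?)",
                    [("Alice Example", "+15550100001"), ("Bob Example", "+15550100002")])
    con.execute("INSERT INTO messages VALUES (?, ?)", ("+15550100001", "meet at nine"))
    con.commit()
    con.close()

def audit_local_store(path: str) -> dict:
    """Report whether a file on disk still exposes identifiers in the clear."""
    with open(path, "rb") as f:
        data = f.read()
    ent = shannon_entropy(data)
    phones = sorted({m.decode() for m in PHONE_RE.findall(data)})
    return {"entropy_bits_per_byte": round(ent, 2),
            "phone_numbers_in_clear": phones,
            # "Hard to read" obfuscation leaves entropy well under 8; encryption does not.
            "looks_encrypted": ent > 7.5 and not phones}

def run_demo() -> dict:
    """Audit the constructed plaintext store next to a random blob standing in for ciphertext."""
    work = tempfile.mkdtemp()
    plain, blob = os.path.join(work, "chat.db"), os.path.join(work, "chat.enc")
    make_sample_chat_db(plain)
    with open(blob, "wb") as f:
        f.write(os.urandom(12288))  # constructed: same size as the database, no structure
    return {"plain": audit_local_store(plain), "encrypted": audit_local_store(blob)}
```

Point `audit_local_store` at a real application's data directory to see whether "password-protected" actually means encrypted at rest; a low entropy score together with recoverable numbers is the situation the student found.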

    But there is a bigger problem. All backups from WhatsApp installed on Android devices are now stored in Google Drive, under an agreement Google and Facebook reached last year. But these backups of correspondence, media files and the like are stored in unencrypted form. As far as I can tell, US law enforcement officers have access to Google Drive, so there is a possibility that security agencies can view any stored data.

    The data could be encrypted, but neither company does so. Perhaps simply because unencrypted backups can be easily transferred and used by the users themselves. Most likely the lack of encryption is not due to technical difficulty: on the contrary, protecting backups would not be hard at all. The problem is that Google has its own reasons to work with WhatsApp: the company supposedly analyzes the data stored on Google Drive servers and uses it to display personalized ads. If Facebook suddenly introduced encryption for WhatsApp backups, Google would instantly lose interest in such a partnership, having lost a valuable source of data about WhatsApp users' preferences. This, of course, is only an assumption, but a very likely one in the world of hi-tech marketing.

    As for WhatsApp on iOS, backups are saved to iCloud. Here, too, the information is stored in unencrypted form, which is even stated in the application settings. Whether Apple analyzes this data or not is known only to the corporation itself. True, the Cupertino company does not have an ad network like Google's, so we can assume that the likelihood that it analyzes the personal data of WhatsApp users is much lower.

    All of the above can be summed up as follows: yes, you are not the only one with access to your WhatsApp correspondence.

    TikTok and other messengers

    This short-video service became popular very quickly. The developers promised complete data security for their users. As it turned out, the service itself used this data without notifying users. Even worse, the service collected personal data from children under 13 without parental consent. Minors' personal information (names, e-mail addresses, phone numbers, photos and videos) was publicly available.

    The service was fined several million dollars, and regulators also demanded that all videos shot by children under 13 be removed. TikTok complied. Nevertheless, other messengers and services also use personal data for their own purposes, so their safety cannot be taken for granted.

    This list could go on indefinitely: most messengers have one vulnerability or another that allows attackers to eavesdrop on users (Viber is a good example, although everything there seems to be fixed now) or to steal their data. In addition, almost all of the top 5 applications store user data in unprotected form on the computer's hard drive or in the phone's memory. And that is without mentioning the special services of various countries, which may have access to user data by law. Skype, VKontakte, TamTam and others hand over any information about any user at the request of the authorities (of the Russian Federation, for example).

    Good protocol level protection? Not a problem, break the device

    A few years ago, a conflict broke out between Apple and the US government. The corporation refused to unlock an encrypted smartphone involved in the case of the terrorist attack in San Bernardino. At the time it seemed like a real problem: the data was well protected, and breaking into a smartphone was either impossible or very difficult.

    Now the situation is different. For example, the Israeli company Cellebrite sells software and hardware to legal entities in Russia and other countries that allows all iPhone and Android models to be hacked. An advertising booklet with relatively detailed information on the subject was published last year.

    Magadan forensic investigator Popov breaks into a smartphone using the same technology as the US Federal Bureau of Investigation. Source: BBC

    The device is inexpensive by government standards. For a UFED Touch2, the Volgograd directorate of the SKR (Investigative Committee) paid 800 thousand rubles, and the Khabarovsk one 1.2 million rubles. In 2017, Alexander Bastrykin, head of the Investigative Committee of the Russian Federation, confirmed that his department uses the Israeli company's solutions.

    Sberbank also buys such devices, though not for investigations but to fight viruses on Android devices. “If a mobile device is suspected of being infected with unknown malicious code, then after obtaining the mandatory consent of the owners of the infected phones, an analysis will be carried out to search for constantly emerging and mutating new viruses using various tools, including UFED Touch2,” the company said.

    Americans also have technologies that allow any smartphone to be hacked. Grayshift promises to crack 300 smartphones for 15 thousand US dollars (that is $50 per unit versus $1,500 for Cellebrite).

    It is likely that cybercriminals have similar devices. These devices are constantly being improved: they are getting smaller and faster.

    So far we have been talking about the more or less well-known phones of major manufacturers who care about protecting their users' data. If we are talking about smaller companies or no-name brands, then the data is extracted without any problems at all. HS-USB mode works even when the bootloader is locked. Service modes are, as a rule, a “back door” through which data can be extracted. If not, one can connect to the JTAG port or even remove the eMMC chip and insert it into an inexpensive adapter. If the data is not encrypted, essentially everything can be pulled from the phone, including the authentication tokens that give access to cloud storage and other services.

    If someone has physical access to a smartphone with important information, it can be hacked if they want to, whatever the manufacturers say.

    It is clear that all of the above applies not only to smartphones but also to desktops and laptops on various operating systems. If you do not resort to advanced protective measures and are content with conventional ones such as a login and password, the data remains at risk. An experienced cracker with physical access to the device will be able to get almost any information; it is just a matter of time.

    So what to do?

    On Habr, the issue of data security on personal devices has been raised more than once, so we will not reinvent the wheel. We will only list the main methods that reduce the likelihood of third parties getting hold of your data:

    • It is imperative to use data encryption both on a smartphone and on a PC. Operating systems often provide good built-in tools. One example is creating an encrypted container in Mac OS using the system's own tools.

    • Set passwords everywhere, including on the correspondence history in Telegram and other instant messengers. Naturally, passwords must be complex.

    • Two-factor authentication: yes, it can be inconvenient, but if security comes first, you have to put up with it.

    • Watch the physical security of your devices. Took a corporate PC to a cafe and forgot it there? A classic. Security standards, corporate ones included, are written in the tears of those who fell victim to their own negligence.

    Share in the comments your own methods that reduce the likelihood of data being compromised when a third party gets access to the physical device. We will then add the proposed methods to the article or publish them in our Telegram channel, where we regularly write about security, life hacks for using our VPN, and Internet censorship.
