What’s Up, with WhatsApp

I have been posting about WhatsApp recently so I thought I would make them all into a small blog.

I was surprised (Or maybe I wasn’t) that It was recently revealed that the Prime Minister was using WhatsApp to communicate with his cabinet. The Digital Exposure vulnerabilities to the PM, would immediately be apparent to a Hostile Threat.

The reason why a High Value Target such as the PM should consider moving to a more privacy focused alternative I would have thought would have been obvious.

Yes of course we know WhatsApp is encrypted, (they borrowed it from Signal) but it obtains a lot of metadata about the user, such as location information, contact information, user content, purchases, diagnostic information and more.

If you back your WhatsApp messages up to iCloud they are not encrypted, you may not even know you are backing your chats up to the iCloud if you haven’t taken the time to lock your mobile phone down.

Unless you know the work around you can only use WhatsApp by syncing your contacts. This is a massive OPSEC & Privacy vulnerability for a High Value Target. 89.6% of all phishing attacks carried on messenger apps are delivered using WhatsApp, the Israeli cyber intelligence company NSO use WhatsApp to deliver its spyware, Pegasus, which is aimed at people who would be considered High Value Targets and can infect both Android and iPhones.

Further reading: –

https://www.bbc.com/news/technology-57910355

https://www.techrepublic.com/article/the-most-dangerous-messaging-apps-on-android/#:~:text=New%20data%20from%20Kaspersky%20reveals,whopping%2089.6%25%20of%20detected%20attacks

https://www.theverge.com/2021/3/8/22319136/whatsapp-cloud-backups-icloud-google-drive-password-encryption-security

https://www.androidpolice.com/2020/04/08/3-ways-to-message-a-number-on-whatsapp-without-adding-them-as-a-contact-first/?amp

WhatsApp was founded in 2009 and bought by Facebook in 2014 for $19 billion, a figure that valued each of the app’s 450 million users at around $42 a head. Facebook’s biggest property is now WhatsApp. The price may seem astonishing but in reality $42 a head, is a small price to pay for all the metadata that they receive on a daily basis from users, data that could be monetised by Facebook itself or by selling the information to third parties.

The latest WhatsApp statistics show that two billion of its users access the messaging app every month (Statista, 2021). That’s 0.7 billion (or approximately 54 percent) more than its closest rival and parent company’s Facebook Messenger.

Don’t forget WhatsApp is rolling out a new Terms of Service globally which faced an initial backlash form users in relation to what information it would be sharing with its parent company.

Just think of how many people use WhatsApp to create groups, some will work in sensitive roles, so they can communicate when at work or outside of work with colleagues. WhatsApp won’t know what the text is in the message, but they could be able to work out who these people are, or buildings they work from etc, the metadata will not be anonymous.

For further reading on this subject https://www.wired.co.uk/article/whatsapp-instagram-facebook-data

I have also read articles that the PM’s mobile number was available online, it doesn’t appear he has been practicing good mobile hygiene or OPSEC.  If I was a, Hostile Threat, this would provide me with numerous opportunities and pivot points to exploit the number further.

If I was a, Hostile Threat, and I knew your mobile number, then I can gain a certain amount of access to your WhatsApp account. Better still if you leave your phone unattended I could either steal your account or duplicate it on my device, depending on what counter measures you have deployed.

I have recently read that WhatsApp is going to make syncing your WhatsApp account to other devices more seamless an experience. Maybe not the best option from a privacy and security perspective.

At least there is a certain amount of security currently, if someone does sync your account without your knowledge to the desktop app, it is reliant on your mobile phone having a stable internet connection, when you lose internet it breaks the connection to the desktop which means a Hostile Threat would need to re-sync your account. You should always check the, ‘Linked Devices’ in your settings.

I totally understand that WhatsApp is convenient and all your friends and family are probably using it. In reality it is a personal choice and what you consider your own personal Threat Model to be. There is always a balance to be struck between, Privacy, Security and Usability.

Check out my other blog at https://www.cqcore.uk/something-a-little-different/ if you are interested in having more private, secure communications.

© cqcore 2021

Something a Little Different

(First Published on Medium September 2020)

Now, I thought I would write about something not totally OSINT related but maybe of use in some instances. As you know I like a bit of privacy too, so I thought I would do a little article on how we can achieve a little more privacy. We appear to spend vast sums on the latest super-duper mobile devices but then either don’t consider or don’t want to spend extra on safeguarding our privacy. Yes, it can cost, but I want to demonstrate how you can still buy a good quality mobile phone and afford to spend a little on your privacy too. Don’t forget simply locking your mobile phone’s privacy settings down doesn’t cost penny.

A caveat here, this is just one way you can approach this subject and not everything contained within may be suitable or desirable for everyone. This is a non technical guide using everyday apps and services (I don’t do technical really well). Take what you want, leave what don’t want.

Modern Apple & Android phones for example now offer imbedded eSIMs so it is now possible to have 2 mobile numbers for a device. This we see with some other types of phones that can accept two physical SIMS one which tended to be a throwaway. A user can now have an eSIM as their main service provider number but then use a pay as you go physical SIM as a throwaway, that they can share with friends and family. Once its been truly compromised it can be easily changed.

It is also possible for anyone to have control of a second number for verification to apps etc, such as WhatsApp or even use for verification for none essential services, such as junk email accounts. By buying a second phone for as little as £10 and putting a TopUp of £10 on it you have a second number used only for authenticating apps and thus avoiding the need to share your real mobile number. The reason for topping the phone up, is not because a user requires call data, it is simply so the network does not reclaim the number. Tesco currently sell an Alcetal mobile for £4.99 if you also top up with £10. Buy for cash and no personal details required.

There are many privacy & operational security benefits to the above examples. The actual second phone and SIM could be stored at your home address and never leave. It also stops others storing your real mobile on their own device when using messenger Apps thus obfuscating your real mobile number. We know that the apps that others have on their devices suck up their contact list. So that fresh new phone number you have, is pretty much busted as soon as you start sharing it with friends and family.

Once you have obtained your second number it can then be used to verify messenger apps such as WhatsApp or Signal. Both these Apps are end to end encrypted. Apps such as Facebook Messenger and Telegram are not true E2E as there has to be some interaction on the part of the user to start a, “Secret Chat,” for instance. It is believed that Telegram have the encryption key which would enable them to unencrypt any messages.

Other E2E messenger Apps that are not as well known are Threema & Session. These apps do not require a mobile number to verify and are considered more secure and private than the previous ones mentioned. They rely on the user generating a secret key or Id, this is then shared via a QR code when two people or a group meet and verify each other as being genuine contacts. A mobile number will always be a weakness.

Some of these messenger apps have the capability to auto delete messages after a certain time or when the conversation reaches a certain length. Usability differs between iPhones and Android phones. Messenger apps are also capable of VOIP calling, in the main only to other users of the app.

VOIP (Voice Over IP) also known as VoLTE (Voice over 4G) is another way of making phone calls from a mobile. It does not rely on the traditional mobile carrier method that provides cellular connectivity, instead it uses a wireless network or 4G. There are many third party Apps available on both iPhone and Android that would allow you to use VOIP and they are sometimes marketed as temporary or disposable numbers.

Onoff is a French company that offers British VOIP numbers as does Hushed which is an American company. With Onoff you can buy a number with limitless call allowance for £50 a year. On both platforms you can have numerous disposable mobile numbers. If you’re a journalist or business person for example that travels abroad these apps maybe very useful.

Buy a temporary number share it whilst you are away and keep your personal number private. I read an article by a journalist who went to a country in Africa ordered a taxi and when it arrived the taxi driver knew her name as he had used, “Truecaller.” She had shared her personal mobile number that much it had been sucked up by Truecaller. We simply do not know how our mobile number is being shared and compromised.

Another popular privacy focused VOIP provider is MySudo which offers up to 9 alias phone numbers and email addresses for £450 pounds a year however other pricing plans are available. All these Apps can be purchased through the App Store or Google Play using their own gift cards which can be purchased with cash from any Supermarket.

Another benefit of using an app like MySudo is that the user can store all their contacts in the app and not in the phones default contacts and stop any calls from appearing in the devices own call records.

https://hushed.com/

https://www.onoff.app/home/

https://mysudo.com/

Onoff & Hushed do offer a certain degree of privacy / anonymity however you have to open an account to purchase a number(s) and they also capture other data from the user, MySudo however is a zero logging company, you do not need to create an account to use their services. At the time of this write up MySudo is only available on Apple in the UK however it is planned to be launched on Android.

In the privacy policy of Onoff they state for instances that they log call data, usage and also SMS & MMS content, along with geolocation data, device identifiers and standard identifier of detected Wi-Fi networks. Hushed have a similar privacy policy but also retain voicemail messages. MySudo does not capture any of this information but there are still small tweaks that you can make such as switching off the submission or crash and anonymised analytically data reports.

It is important to understand that the providers of VOIP numbers are in fact buying the numbers from Twillio an American company that provides VOIP services, they then resell to commercial customers. In general terms VOIP numbers cannot be used for verifying accounts but there are exceptions to thar rule. I tried recently to use a VOIP number for Signal by ignoring the SMS verification option and opting for the phone call verification instead but that failed too.

It is possible then for you to obtain more zero knowledge non traceable communication on an everyday modern mobile phone. I say, more, because I truly do not know exactly how or what companies such as, Apple, Google, Facebook etc are able to capture and how they link it all together but if anyone knows I would love to know too! (I have previously written about UUIDs and collection of personal data.)

On top of any measure you take you still need to consider the basics of locking down the privacy settings of the phone, this will also limit any information Apple or Google obtain for instance, pertaining to location data for example. You could lock your privacy settings down, turn off your location data but then use Apple Pay or Google Pay and still give away location information when you are purchasing goods or services.

So to try and make sense of it all, lets try and put this into practice.

An iPhone SE costs £420 pounds and can be purchased for cash. It uses the same chipset as the more expensive iPhone 11 but at a fraction of the price. To set your iPhone up, you can acquire 40GB of data on a Tesco pay as you go SIM costing £20 a month and this can be purchased again for cash. If the user does not use their own Wi-fi and uses 4G away from their home address then the crucial IP on creation that are valued will be near worthless. You may also choose to use free Wi-Fi for instance at Tesco or Asda as neither ask for authentication details, such as, mobile number, email, or other PII (personal identifiable information).

You do not have to provide genuine PII for setting up the iPhone either to enable you to use gift cards to pay for services thought the App Store.

Apple SE 2020 edition.

To purchase 3 VOIP numbers and 3 emails addresses and associated minutes and texts from MySudo will cost £100 for 12 months and can be paid for using Apple gift cards, again paid for using cash. On top of that the use of a zero knowledge no logs VPN (Virtual Private Network) from ProtonVPN will further hide a users IP and will cost another £100 again paid for using Apple gift cards.

Then you have the cost of a second phone and top up for £15 pounds, the overall cost is £655 and you will now begin to see that the cost of a more private, secure phone is not that expensive.

Using Apple and MySudo would enable a user to sandbox their communications not just from the actual physical phone but also between the different apps and elements of their life to ensure there is no contamination different parts of your life. By using secure messaging platforms such as, Signal, Session or Threema, along with MySudo a contact may never potentially see that the original Tesco mobile number that is used to provide 4G.

It is true that more effort is required on behalf of the user to ensure that they follow strict operational security and privacy practices. Even with a VPN I never use my home Wi-Fi, 4G allows you to blend with numerous other users, sharing the same IP in case your VPN ever fails. If your not up to any naughtiness no one should be interested in trying find you in the crowd.

When looking closer at the iPhone SE for instances we should look to see if the following have been disabled in the settings menu. Android phones have similar settings but I have to say Apple is easier to lockdown. Android appears to have settings within settings and drives me nuts at times.

I have disabled Facetime as it is searchable via mobile number or email so anyone with an Apple device can see if their contact is on Facetime and contact them. Frustratingly I haven’t found a way to completely disable the search functionality, even if you delete the app. You can only stop people contacting you. (If anyone knows how to disable it completely please reach out). If I had an Android phone I could delete Google Duo, end of!

• Wi-Fi

• Bluetooth

• Personal Hotspot

• Siri

• Facetime

• Location Services

• Health

• Motion & Fitness

• Analytics & Improvements

• iCloud• iCloud Drive

• Find My Phone

Also annoying, you can only update the OS over Wi-Fi. It’s easily achievable on your travels using free non PII Wi-Fi on your travels.

All the above can easily be achieved using an Android phone. In fact Android is a more flexible OS and as such it is also possible to hide the existence of the apps on your home screen from prying eyes (but not completely) There are many apps that will help you hide apps, such as Nova Launcher. Probably the easiest way is to delete the app from the home screen(s) and from the app tray. Which ever way you hide your apps they are still easy to find. They have to exist in the Google Play Store of installed apps so you can find then there. I tend to watch how people look after their mobile devices in public. It is not hard to see what apps are on person’s mobile.

Apple’s iPhone isn’t as easy to disguise apps, you can do this natively with some of Apple’s preloaded apps by using the Screen Time options in the Settings menu and there are also apps you can download but I don’t like the idea of introducing another / unnecessary app and so I haven’t tried this.

Samsung offers a very intriguing app called, Secure Folder, the easiest way to explain what Secure Folder is, is to say it is like having a phone within a phone. You can either copy your existing apps into Secure Folder where they will be sandboxed from the original apps with the own files & cache or you can download new ones from the Google Play store and create new accounts.

By using Secure Folder unlike the Android example above you would not be able to see the Secure Folder apps in the main phones Google Play Store as it has it’s own. To access Secure Folder you would need a PIN or Fingerprint authentication. The app icon can be hidden from the home screen altogether using Quick Panel. This is something I intend to explore using a dual eSIM device.

Hopefully the above helps people improve your privacy, if you only alter the settings of the device you are using, it is still a win.

My Journey Into The World of OSINT

(First Published on Medium February 2020)

My journey into the world of OSINT is now just over one year old. OSINT is not the main area of my work, I don’t get to learn or practice anywhere near as much as I would like but it is certainly the work I enjoy the most.

Following on from my previous Blogs in relation to leveraging messaging apps for OSINT I thought I would share how I conducted the research.

I’m still working on the project which I hope will help me increase my research potential in relation to mobile (cell) phone numbers and email addresses. Most of what I will write about can be done using free resources. It isn’t overly technically and it’s something I thought I would share for those like me who are still learning. There are many tutorials also available to assist with how to leverage the apps I am going to talk about.

The problem was how can I research mobile numbers and email addresses without relying upon the use of sites that require payment. Everything that happened in the summer of 2019 appears to have focused people’s attentions on creating their own OSINT tools. So what could I do with the platforms that people use everyday?

My first consideration as always is operational security. I won’t write about that as this would then become a lengthy article. Needless to say @dutch_osintguy has this covered for us with some great articles.

Next up is a sock puppet, @technisette and @jakecreps have some very good articles. My sock would only be used on this setup.

One part of my operational security was the use of a Virtual Machine to host what was going to be my OSINT set-up. There are free flavours from both VMware & Virtual Box. My VM was going to be completely separate from any other OSINT VMs I have created and I was going to use a clean install of Windows 10. Next up was precuring myself an old Android phone. Family and friends are always upgrading phones so it wasn’t to hard getting my hands on one for free.

The phone was then factory reset and would only be used alongside my new VM. Setting the Android up is solely for the purposes of leveraging social media apps and messenger apps. You can use Wi-Fi (with VPN) to download the apps but you will need a SIM for verification purposes. In the UK a SIM will set you back £1 pound but you can pick them up for as little as a penny.

Needless to say this is an on-going project which can be expanded upon however the apps I started off with were, the usual suspects you may say but I did expanded it to include less well known apps.

Next up was replicating this on my VM, so downloading the desktop applications.

Desktop Clients

You will see on the left hand side the desktop applications available for the messengering apps from my previous blog. In the Bookmarks you will see which website applications are in use.

This way I can link these apps to my Android phone and enjoy the desktop experience. Then you can use the websites for the other social media sites. I also find that this is an easier setup for functionality, flexibility, recording and evidencing what I do.

You may have wondered why Android, (People don’t seem to mind giving you old ones, which is a starter), you can use an I-Phone which I have done too however the next part of the set up is not Apple friendly, the use of Vysor. Vysor is a clever little application that enables you to control your smartphone from your computer as if it were just another window via a Chrome extension or desktop app. There is a free version of Vysor too, bonus! The paid version is better though, which you would expect. You could in fact not use Vysor at all and rely on the desktop environment you have created or you could just use Vysor full stop.

If you don’t like the idea of Android then cool go with an Apple I-Phone without using Vysor. You can still mirror I-Phones on to your desktop you just can’t control them using your mouse and keyboard like you can with Vysor. The above set up takes a little longer to setup than an emulator but I find it is easier and seamless to work with.The benefits are numerous including the ability to seamlessly copy a profile picture and reverse image search it.

Now before I go any further I think it is important that we understand the risks of using any app to do our research. Truecaller for example will suck up your contacts as that is what their business is. So you have to be very careful and decide on a case by case basis whether you want your subject’s mobile number / email being harvested by all these companies. Privacy polices are boring but an essential read.

Disclaimer everything we do, the results are dependent upon our subject’s own Opsec and Privacy settings.

On WhatsApp our luck is in and our subject has not bothered about their privacy. We have a nice profile picture that we can do reverses image search on and see where else on the web they appear. The bonus of having the desktop application is you can access the full profile picture and save it straight to your VM. Last seen is another nice touch, if you are keeping tabs on them you can watch when they are using WhatsApp there are also apps that will monitor the account for you. Even if, Last Seen, is disabled you can still see when your subject is on-line. This could help you work out their patterns and determine where in the world they may be and the times they operate on-line.You may get really lucky if someone has updated their status and maybe provided an alternative means of contact because they are off-line. Don’t forget to check their About Me either.

I have also used an Android emulator inspired by @aware-online and their excellent tutorial on how to geolocate groups on Telegram.

Needless to say this is not for nefarious purposes and it should also be used to understand the information you are giving away, from a privacy & OPSEC perspective.