THE DIFFUSION OF INSTANT MESSAGING TOOLS
In recent years, the spread of apps dedicated to rapid communication between users (Instant Messaging) has been exponential. A typical user runs more than one of these apps according to need (e.g. WhatsApp / Viber + Messenger) to reach the widest number of contacts.
The fact that they are free, compared with (for example) earlier systems such as SMS, together with the ability to enrich messages with multimedia content and to create groups, has sealed the natural and irreversible success of IM.
THE PHONE BOOK
A technical breakthrough in IM apps was the automatic population of each app's own contact directory. If I downloaded an IM app and did not find my friends in it, what use would the app be to me? I would have to look up my contacts one by one in the general phone book and add each to the app to see whether that friend uses it: hopelessly awkward. For this reason (simplifying the underlying mechanism), IM apps read the user's general phone book and automatically check whether the numbers in it are also present on their networks, that is, whether they belong to users registered with the respective service. In this way WhatsApp, Viber and other IM systems find all of our contacts, very conveniently, and enter them in their own address book.
This process, which is transparent to the user, performs a very complex operation in one fell swoop: when I meet a new person I usually just add them to my general phone book; at that point, as if by magic, when I open WhatsApp or Viber I find that contact among the app's contacts, ready to receive my messages.
The first side effect (unobserved and inevitable) of each app accessing the phone book is that it is enough to enter any number in your phone book to check whether that number belongs to a user of our favorite IM app: shortly after adding it, we will find it among that app's contacts.
The second side effect (unnoticed) is that, although the contact appears under the name or alias with which we stored it in our phone book, we can see the avatar he chose to represent himself. Some systems let you withhold this information, but in practice no one uses the option, since obviously you want to see who "he" is and, symmetrically, "he" wants to see immediately whom "he" is getting in touch with. It is the fun part of a social app: changing your avatar often and letting as many people as possible see it.
ADDING RANDOM (OR ALMOST RANDOM) CONTACTS TO THE PHONE BOOK
Let's now take a new phone and put the phone number of a friend of ours in the phone book. Then, as a test, we enter another 200 phone numbers, storing them under an arbitrary label (since they are perfect strangers): "unknown-CONTACT-001", "unknown-CONTACT-002" and so on up to "unknown-CONTACT-200". For the numbers themselves, we take that of our known friend and, treating it as an arithmetic number rather than a phone number, add 1 to the previous one each time. So, starting for example from "3xx 47xx 345" (the number of our known friend), we insert "3xx 47xx 346" for "unknown-CONTACT-001", "3xx 47xx 347" for "unknown-CONTACT-002", and so on up to "3xx 47xx 545" for "unknown-CONTACT-200". At the end the phone book holds 201 numbers, of which only the first is real and known; the others are the 200 arithmetically consecutive numbers, belonging to as many hypothetical strangers.
At this point let's open WhatsApp or Viber and go to the "contacts" section. A half-surprise awaits us: a selection of the numbers just inserted appears, each beside its avatar. We find all those invented numbers that belong to people registered with that specific IM service. Paradoxical as it may seem, given how widespread WhatsApp (for example) is in Italy, it is very likely that we will see a sequence of forty or more avatars for the 200 random numbers inserted.
... AND SAVE THE AVATAR
IM apps generally do not download avatar images every time the contacts view is opened; they populate and/or update them as we scroll down the contact list, to reduce requests and traffic to their servers. WhatsApp users will have noticed that, while browsing the contact directory, the avatar of a contact entering the screen (at the bottom) sometimes flickers. What is happening? The app is updating it. These images, which are not downloaded each time, are stored in the phone's "disk space" and displayed in our list without wasting traffic. But we are tempted to save these images elsewhere, for example on one of our PCs or on a remote server. And that is what was done, collecting several million images of as many user accounts, with numbers and prefixes of Italian operators.
NOWISEEYOU IN ACTION (PART ONE)
The starting hypothesis of the exploitation was that, once in possession of the pair "phone number + avatar", it would be possible, using the avatar as a search key and analytic tools to extract more information from the image, to retrieve other personal data related to the number, ending up with the coveted and dangerous sequence "number + avatar + name and surname" etc.
To test this hypothesis (the first part of the attack), it was necessary to collect data, that is, a considerable number of phone numbers with their avatars (on which to test the search procedures), and move them from the phone to an external archive for subsequent processing. The issues to deal with were therefore varied. It was necessary to:
1. Enter the numbers in the phone book in an automated manner (e.g. 200 at a time), so as not to clog the phone memory;
2. Access app data, keeping in mind that every app has, for security reasons, a reserved storage space, so its data (including, for example, avatars) is not accessible from outside (from other apps);
3. Open the IM app and make it behave as if driven by a human user, to populate the directory with avatars (which, as mentioned above, are not downloaded unless the users are displayed [WhatsApp], or are not saved unless you click the icon on the user's detail sheet [Viber]);
4. Retrieve numbers and avatars;
5. Empty the phone book;
6. Repeat the procedure from step 1 onwards.
The first step was to develop a client/server architecture whose components were:
1. a NOWISEEYOU client, a service installable on Android devices (a "service" runs in the background), capable of retrieving from the NOWISEEYOU server the numbers to be entered each time in the address book, sending the collected data back to the same server, and interacting with the new numbers, emptying the phone book each time, for as long as needed;
2. a NOWISEEYOU server, that is, an archive of numbers to look up and some scripts on a remote machine.
WORKING IN PARALLEL (goal: millions of accounts)
Since the plan was to run on several devices in parallel to speed up data collection, each NOWISEEYOU client had to be uniquely identifiable, so that the clients could work in sync without disturbing each other. NowISeeYou was installed and "worked" simultaneously on a dozen mobile devices. On the server side the problem was instead to populate the database with the numbers to test: you cannot know a priori whether a phone number is real, or whether its owner has an IM client installed. This was solved by inserting about 200M sequential numbers (or nearly sequential :) corresponding to the prefixes of Italian mobile operators. For the first test phase we started with a first tranche (about 1M numbers) built from a known "333 xxx xxxx" (the real number of a real friend). NowISeeYou then had to act blindly in its search for numbers and accounts: precisely for this reason a parallel screening system (several devices operating at the same time) was needed, as noted above. Once the client (app) / server structure is set up, the IM client (WhatsApp or Viber) has to be installed on the devices, taking care to create as many accounts as devices.
ACCESS TO RESERVED AREAS OF OTHER APPS (goal: access the avatar files / data and anything else belonging to WHATSAPP and VIBER)
The problem of the "private data area" being inaccessible to other apps was easily overcome by installing NOWISEEYOU on "rooted" Android devices: on these devices an app can hold "master" privileges (that is, "root"), which allow access to all folders and storage on the phone, including the areas reserved for other apps.
VIRTUALIZATION OF DEVICES (goal: speed and effectiveness)
To speed up and standardize the setup and configuration of NOWISEEYOU, no physical devices (real phones) were used, only emulators (the choice fell on a great piece of software, "Memu", but there are several similar ones). In practice these are "virtualized", non-physical devices: they can be opened as windows on a regular PC. The emulator solution also has considerable benefits:
• emulators can be configured automatically as "rooted" (a procedure that can take time on a "real phone");
• they can be activated and deactivated with a simple click;
• they can be configured very effectively;
• they can be duplicated / multiplied arbitrarily (given as many SIMs and accounts, and PCs on which to run them);
• they have no battery problems or malfunctions and do not need to be bought.
The emulators were spun up on several PCs and so could grind through data uninterrupted, night and day, 24/24, 7/7. For a few euro (buying a SIM), we could add a new "virtualized device" to our "account shelter".
ACT AS A USER. COORDINATE: PHONE BOOK + WHATSAPP / VIBER + AVATARS (goal: collect the avatars and save them to the archive on the NOWISEEYOU server).
Once it was verified that the NowISeeYou clients interacted with the NowISeeYou server and received their quota (a block of phone numbers) to be loaded into the address book, a strategy had to be chosen to make the IM app populate the data that would be collected later (numbers + avatars). To do this I opted for a strategy of disarming simplicity that would sidestep any problem: the NOWISEEYOU client would have to behave "as a human", simulating the actions of the user.
For this reason NOWISEEYOU was developed to be able to:
1. act in the background and open WhatsApp (or Viber respectively);
2. empty the phone book;
3. ask the NOWISEEYOU server for the first / next block of phone numbers (e.g. 200);
4. load the numbers into the phone book;
5. behave as if "the user" wanted to scroll his contact list, and so on.
Simplifying the process: NOWISEEYOU simulates user touches on the display and moves to the address book section of the IM app, then waits for a suitable latency interval and starts to scroll (WhatsApp) or scroll and click (Viber) through the elements in the contact list, which in the meantime is populated with the numbers that have accounts on the respective platform (a smaller subset of those actually loaded into the phone book). Once this procedure is completed, NowISeeYou retrieves the numbers and avatars collected and sends them to the server, empties the phone book and starts again. A single virtual device could test just under 100k numbers in 24 hours. As a result, with 10 devices available, the numbers tested in 24h were just under 1M. Having 100 emulators available...
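Seen from the service's side, the procedure above leaves two measurable traces: a contact upload dominated by one run of arithmetically consecutive numbers, and a single account submitting far more distinct numbers in 24 hours than a phone book holds, even though the phone book is emptied between blocks. The following Python is an added example, not code from the article or from any IM provider; the class and function names, the thresholds and the sample numbers are assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW_S = 24 * 3600             # assumed look-back window (seconds)
MIN_BATCH = 20                   # assumed: ignore tiny uploads
MAX_RUN_FRACTION = 0.5           # assumed: share of a batch allowed in one run
MAX_DISTINCT_PER_WINDOW = 5000   # assumed: distinct numbers per account per window


def longest_consecutive_run(values):
    """Length of the longest run n, n+1, n+2, ... in a set of integers."""
    best = 0
    for v in values:
        if v - 1 in values:      # not the head of a run, skip
            continue
        length = 1
        while v + length in values:
            length += 1
        best = max(best, length)
    return best


class ContactSyncMonitor:
    """Flags accounts whose contact uploads look like number-range sweeps."""

    def __init__(self):
        self.seen = defaultdict(dict)    # account -> {number: last upload time}

    def check(self, account, ts, numbers):
        """Record one upload and return the list of reasons it is suspicious."""
        reasons = []
        cleaned = ("".join(c for c in n if c.isdigit()) for n in numbers)
        values = {int(d) for d in cleaned if d}
        run = longest_consecutive_run(values)
        if len(values) >= MIN_BATCH and run / len(values) >= MAX_RUN_FRACTION:
            reasons.append(f"consecutive-run:{run}")
        history = self.seen[account]
        for v in values:
            history[v] = ts
        for v in [v for v, t in history.items() if ts - t > WINDOW_S]:
            del history[v]       # emptying the phone book does not reset this
        if len(history) > MAX_DISTINCT_PER_WINDOW:
            reasons.append(f"distinct-in-window:{len(history)}")
        return reasons


def constructed_batch(start, count, step=1):
    """Constructed sample upload: `count` numbers spaced `step` apart."""
    return [f"{start + i * step:010d}" for i in range(count)]
```

The history is keyed by account on the server, so clearing the client's phone book between blocks does not lower the count; spreading the work over many accounts would need the same counters aggregated per device, SIM or network origin.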