Facebook-owned messaging service WhatsApp has answered all those who had been doubting the media coverage of the drugs angle in the probe into Sushant Singh Rajput’s mysterious death and asking how encrypted messages could go to the press. WhatsApp asserted that the user chats are safe and cannot be accessed by any third party.
The company, while issuing predictable statements like corporate communicators, failed to account for the access that the Narcotics Control Bureau (NCB) managed to gain to messages from actresses Deepika Padukone (facing interrogation as this report is being filed), and Shraddha Kapoor and Rhea Chakraborty before her. The company said that WhatsApp used end-to-end encryption for chats so that only the participants of that particular chat would be able to see the interaction. It said even employees of WhatsApp couldn’t access the messages of users.
Messages dated 2017 from the actresses named above were the basis of the NCB probe into their alleged drug dealings. They all had chatted with ‘talent agent’ Jaya Saha, who was Sushant’s associate too, at some point or the other. This left users concerned about the security of their WhatsApp data that now looks accessible to third parties.
WhatsApp ‘leak’ explained
WhatsApp follows the guidance of operating system manufacturers for on-device storage, the company says. It urged users to use all the security features that operating systems provide, especially strong passwords and biometric IDs. It claimed this would check third-party access. What the company did not say is the following.
The NCB is most likely to have accessed the chats using mobile phone cloning. This technique has been in use in India for at least 15 years.
In phone cloning, a hacker transfers or copies the data and the cellular identity of the targeted phone to a new device. If an individual does this, he/she can be booked for cybercrime. However, the state (any government agency) is entitled to use the method, as the Indian law governing forensic examinations makes it a legitimate exercise.
Cloning of phones can also transfer the International Mobile Station Equipment Identity (IMEI) number of the original phone to the new one. Thus, even the trusted IMEI is no foolproof measure against data theft.
The agency uses its staffers’ programming skills to copy the entire data of one device to another in a matter of minutes. With the advent of smartphones, even physical access to the phone the agency is targeting is not required. A single app can execute the process.
Once the cloning process is over, the agency accesses the user’s WhatsApp chat backup through Google Drive for Android phones and from iCloud for iPhone users. Readers may note that on the phone, the WhatsApp chats are encrypted, and end-to-end encryption is done for the transmission process, but WhatsApp does not encrypt chat backups.
When a phone number is used to sign in to WhatsApp, the platform sends a verification code to that number by SMS or phone call, which would theoretically be received by the cloned SIM. Apart from that, users can also set up two-step verification to prevent such abuse.
Three ethical hackers explained the process above under the condition of anonymity.
The reporter is a software engineer