DEF CON 33 - Exploiting Security Side Channels in E2E Encrypted Msngrs - G Gegenheuber, M Gunther скачать в хорошем качестве

DEF CON 33 - Exploiting Security Side Channels in E2E Encrypted Msngrs - G Gegenheuber, M Gunther

With billions of users worldwide, mobile messaging apps like WhatsApp and Signal have become critical for personal and professional communication. While these platforms promise security and privacy, our research uncovers two significant vulnerabilities that expose users to stealthy tracking and security degradation. First, we reveal how delivery receipts -commonly used to confirm message delivery- can be exploited to track a user's online status, screen activity, and device usage without their knowledge. This technique enables passive surveillance, draining a target's battery and data allowance while remaining entirely invisible to them. Second, we demonstrate a novel attack on WhatsApp's implementation of the Signal Protocol, specifically targeting its Perfect Forward Secrecy (PFS) mechanism. By depleting a victim's stash of ephemeral encryption keys, an attacker can weaken message security, disrupt communication, and exploit flaws in the prekey refilling process. Both attacks require nothing more than the victim's phone number and leverage fundamental design choices in these widely used platforms. This talk will provide an in-depth analysis of these vulnerabilities, their implications, and potential mitigations -- challenging the security assumptions of modern encrypted messaging.