
Cortex Media in Melbourne: Effects of online status on WhatsApp&Co

Security analyses with Cortex Media

Last week, the press reported on an Italian student who was able to automatically log the online status of individual WhatsApp users using WhatsApp screenshots and OCR. A research group from Ulm, which has been working on this topic since the fall of 2013, has now published a paper that describes an even more serious threat scenario and goes significantly beyond previous findings.

Andreas Buchenscheit and his colleagues have shown that the online status for any phone number can be accessed directly on the WhatsApp server. This access is possible even if the so-called “last online” feature has been explicitly deactivated by the user. The group developed a tool that makes it possible to monitor any number of people simultaneously without their knowledge or consent and to seamlessly log the times and duration of active WhatsApp use. However, the aim of the research work was not only to demonstrate the general possibility of this eavesdropping, but also to show what effects this can have on a user’s privacy. These effects are much more far-reaching than previously assumed.

In a study in which the WhatsApp online status of two independent groups of 10 test subjects was recorded and analyzed over a period of four weeks, the researchers from Ulm were able to show that complete usage profiles can be created based on the online status. Metrics were developed to derive extensive information about a person’s daily routine and habits from the data. For example, it is possible to determine when a person gets up in the morning and goes to bed in the evening. A complete record can be kept of whether WhatsApp is used at inappropriate or even prohibited times (e.g. during working or school hours). Employers could monitor employees, check how late they are awake at night, and thus infer whether they are fit enough to come to work or have partied until 4:30 am. In one test group, it was even possible to use the recorded data to prove that the entire group had attended a student party.

Particularly critical is the possibility, presented in the paper, of deriving communication patterns from the generated usage profiles. The researchers were able to identify several conversations between the test subjects. This technology can be used in a private environment (“Is my wife chatting with person X?”) or business environment (“Is employee X in contact with person Y?”), but also by states and governments that want to monitor the communication activities and partners of their citizens for political reasons.

This highlights a fundamental problem that is by no means limited to WhatsApp, but in principle affects all modern messengers and communication systems. Supposedly harmless metadata that is carelessly shared or collected often reveals much more about users than they can imagine. Mechanisms to protect this data should therefore be a fundamental part of every system design.

The paper published on Tuesday will be presented at an international conference in Melbourne, Australia, in November (MUM 2014: The International Conference on Mobile and Ubiquitous Multimedia). The research group, which consists of Internet security experts from Cortex Media GmbH in Ulm, as well as scientists from the University of Ulm and Carnegie Mellon University, Pittsburgh, USA, hopes to draw attention to the potential effects of the use of mobile chat apps by publishing the results.

The paper on the study can be found at: https://www.uni-ulm.de/home/uni-aktuell/article/chatdienst-whatsapp-luecken-beim-datenschutz-online-status-gewaehrt-einblicke-in-das-privatleben-der-nutzer-1/

What does the press say?

Press release Uni-Ulm
WhatsApp chat service – gaps in data protection. Online status provides insights into private life

ulm-news.de
Ulm researchers demonstrate far-reaching effects of WhatsApp security vulnerability for users

SWR Landesschau
WhatsApp chat service: Ulm researchers discover security vulnerability

FOCUS online
Whatsapp stalking made easy: software spies on private life

scinexx
WhatsApp reveals users’ private lives

derStandard.at
WhatsApp: Security gap exposes users’ private lives

Südwest Presse
Users spied on: “WhatsApp” more insecure than expected

Augsburger Allgemeine
Ulm researchers uncover data protection gap in Whatsapp

Hannover Zeitung
WhatsApp – Gaps in data protection: Online status provides insights into users’ private lives

crn.de
Messaging app allows eavesdropping: Whatsapp security vulnerability

golem.de
What the online status of messengers like Whatsapp reveals

Hessische/Niedersächsische Allgemeine
What researchers in Ulm found out: Data protection gap in WhatsApp shocks users

Schwäbische Zeitung
Ulm scientists uncover gaps in “Whats App”

Neue Osnabrücker Zeitung
New gap in data protection. Online status on WhatsApp provides insights into private life

Abendzeitung München
Security gap in messenger service. Only with a phone number: stalking on WhatsApp!

tz Munich
What researchers in Ulm found out. WhatsApp data protection gap shocks users

Vorarlberg Online
WhatsApp: Online status provides insights into users’ private lives

Handelsblatt
Whatsapp: What the status reveals. “How’s your day, darling?”

Saarbrücker Zeitung
I know exactly what you did. Online messengers reveal everything about their users’ private lives

MEN’S HEALTH
News Messenger. What WhatsApp knows about your life

Stuttgarter Zeitung
Data protection. WhatsApp makes snooping easy

Südwest Presse
How Ulm scientists uncovered a data protection gap in WhatsApp