Ravie Lakshmanan, Apr 13, 2023
Popular instant messaging app WhatsApp on Thursday announced a
new account verification feature intended to ensure that malware running
on a user’s mobile device cannot compromise their account.
“Mobile device malware is one of the biggest threats to people’s
privacy and security today because it can take advantage of your
phone without your permission and use your WhatsApp to send
unwanted messages,” the Meta-owned company said[1]
in an announcement.
Called Device Verification[2], the security measure is
designed to help prevent account takeover (ATO) attacks by blocking
the threat actor’s connection and allowing the target to use the
app without any interruption.
In other words, the goal is to deter attackers’ use of malware
to steal authentication keys and hijack victim accounts, and
subsequently impersonate them to distribute spam and phishing
links.
This, in turn, is achieved by introducing three elements: a security-token
that’s stored locally on the device, a cryptographic nonce used to
identify whether a WhatsApp client is contacting the server to retrieve
incoming messages, and an authentication-challenge that acts as an
“invisible ping” from the server to a user’s device.
The client is required to send the security-token every time it
connects to the server. The security-token, for its part, is
updated every time the client fetches an offline message from the
server.
An authentication-challenge is considered a failure when the
client responds to the challenge from a different device,
indicating an anomalous connection originating from an attacker.
This causes the connection to be blocked.
Should there be no response from the client, the process is
retried a “few more times,” after which the connection will be
blocked if the client still doesn’t respond.
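As an added illustration (not WhatsApp’s code; the real server state and message formats are not public), the following Python toy models the token, nonce and challenge behaviour described above from the server’s side. The account and device names, the session layout and the three-retry count are assumptions.

```python
import secrets

class DeviceVerificationServer:
    def __init__(self):
        self.tokens = {}      # account -> (security_token, registered_device)
        self.sessions = {}    # account -> open challenge {"nonce", "device", "misses"}
        self.blocked = set()  # (account, connecting_device) pairs refused by the server

    def issue_token(self, account, device):
        self.tokens[account] = (secrets.token_hex(16), device)
        return self.tokens[account][0]

    def connect(self, account, device, token):
        # Every connection carries the current security-token; wrong or stale is refused.
        if token != self.tokens.get(account, (None, None))[0]:
            self.blocked.add((account, device))
            return None
        nonce = secrets.token_hex(8)  # the server's "invisible ping"
        self.sessions[account] = {"nonce": nonce, "device": device, "misses": 0}
        return nonce

    def fetch_offline_messages(self, account, device, token):
        # Fetching offline messages rotates the token, so an exfiltrated copy goes stale.
        ok = self.tokens.get(account) == (token, device)
        return self.issue_token(account, device) if ok else None

    def challenge_response(self, account, responding_device, nonce):
        # The ping must be answered by the registered device; any other device fails it.
        session = self.sessions.pop(account)
        if nonce != session["nonce"] or responding_device != self.tokens[account][1]:
            self.blocked.add((account, session["device"]))
            return False
        return True

    def challenge_timeout(self, account):
        # No answer: retry "a few more times" (3 is an assumed count), then block.
        self.sessions[account]["misses"] += 1
        if self.sessions[account]["misses"] <= 3:
            return "retry"
        self.blocked.add((account, self.sessions.pop(account)["device"]))
        return "blocked"

def stolen_token_scenario():
    # Constructed scenario: malware on alice's phone copied her token to "attacker-box".
    srv = DeviceVerificationServer()
    stolen = srv.issue_token("alice", "alice-phone")
    nonce = srv.connect("alice", "attacker-box", stolen)           # token still current
    hijack_blocked = not srv.challenge_response("alice", "attacker-box", nonce)
    srv.fetch_offline_messages("alice", "alice-phone", stolen)     # real phone rotates it
    stale_blocked = srv.connect("alice", "attacker-box", stolen) is None
    return hijack_blocked, stale_blocked, sorted(srv.blocked)
```

The scenario shows both defences the article names: a challenge answered from the wrong device is refused, and a copied token stops working as soon as the real client fetches offline messages.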
WhatsApp said Device Verification has been rolled out to all
Android users and that it’s in the process of being rolled out to
iOS users.
The feature is part of a broader set of new enhancements that
are designed to authenticate and verify users’ identities,
including displaying alerts when there is an attempt to migrate a
WhatsApp account from one device to another.
Also launched by WhatsApp is a “Key Transparency[3]” feature to
automatically confirm whether chats are end-to-end encrypted
without requiring any additional actions from the user.
To do so, it’s implementing a new Auditable Key Directory
(AKD[4]) that’s based on
existing protocols like CONIKS[5] and SEEMless[6] to help users verify
their conversation security.
“The AKD will enable WhatsApp clients to automatically validate
that a user’s encryption key is genuine and enables anyone to
verify audit-proofs of the directory’s correctness,” the company
said.
Verification currently requires[8]
users in a chat to manually compare the security code (which exists
as a QR code and a 60-digit number) by sending it to the
participant on the other end via SMS or email, or alternatively by
scanning the QR code if the parties are physically next to each
other.
The security code is simply a unique hash derived from both
parties’ public/private key pairs, which are generated to facilitate
end-to-end encrypted messaging. It can change[9] when users switch
devices or reinstall WhatsApp.
Key Transparency streamlines the verification process by making
use of an automated flow that maintains a record of public key
changes in a directory, thereby allowing a client to check against
it.
WhatsApp intends to make this feature live in the coming months,
although it’s already hosting and operating an Auditable Key
Directory of all its users. “This is an important mechanism that
empowers security-conscious users to verify an end-to-end encrypted
personal conversation quickly,” the company added.
References
[1] said (blog.whatsapp.com)
[2] Device Verification (engineering.fb.com)
[3] Key Transparency (engineering.fb.com)
[4] AKD (github.com)
[5] CONIKS (eprint.iacr.org)
[6] SEEMless (eprint.iacr.org)
[7] Save My Seat! (thn.news)
[8] currently requires (en.wikipedia.org)
[9] change (faq.whatsapp.com)
[10] Twitter (twitter.com)
[11] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/04/whatsapp-introduces-new-device.html
