The Russia government is determined to intercept and decipher Russian messaging app traffic, and Russian companies are searching for a solution to help law-enforcement agencies gain access to correspondence delivered by WhatsApp, Viber, Facebook Messenger, Telegram and Skype. This is the mandate of the Yarovaya Law that seeks to fight terrorism.

The company Con Certeza, a developer of SORMs (System for Operative Investigative Activities) that monitor communication operators’ networks, is looking for a contractor to decipher traffic in popular instant messaging apps. These include WhatsApp, Viber, Facebook Messenger, Telegram and Skype.

This story broke when the Kommersant daily newspaper gained possession of a copy of a letter between a Con Certeza employee and a technical specialist from a Russian company in the information security field. The authenticity of the email was confirmed by the technical specialist and the information security company’s general director. But Con Certeza did not respond to Kommersant’s questions.

Viber first to go?

“The work will include the following steps: review the main messaging apps such as WhatsApp, Viber, Facebook Messenger, Telegram, Skype for iOS, and Android platforms; prepare expert conclusions for the possibility of intercepting passwords, messages and demonstrating prototypes; and repeat the process but with a Man-In-The-Middle attack (MITM is when the attacker is capable of reading and changing the messages that users exchange – RBTH),” said the Con Certeza employee’s email.

According to the email, two months will be necessary to study one messaging app, and it suggested that Viber be first. The goal is “to prove and argue the impossibility of realizing interception functions on SORMSs,” wrote the Con Certeza official.

The cost for each messaging app is 130,000 rubles (about $2,000) to do the main part of the study, and a 230,000 ruble bonus (about $3,700) if the sender and receiver, or the text, are identified with the help of the MITM.

“I was ready to accept the job if its result could be published, but they refused,” the specialist from the information security company, with whom Con Certeza corresponded, told Kommersant.

“Judging by the description, Con Certeza’s study will concentrate on the possibility of intercepting information between users, and in the event of a successful MITM, the changing of its content,” said Alexander Lyamin, the general director of Qrator Labs.

Hacking a messaging app?

In accordance with the Yarovaya Law, the FSB, the Communications Ministry, and the Ministry of Industry and Trade are discussing a set of technical solutions that can provide access to all Internet traffic.

The company Digital Security said that intercepting encoded traffic, including that from messaging apps using end-to-end encryption, is feasible. Messaging apps exchange the public parts of cryptographic keys that in turn can be changed, which is the key to deciphering them.

“There are technologies that are designed to protect from this type of attack; for example, Key Pinning, which is the linking of specific certificates to a specific website or application. Messaging apps, just like other applications that use Key Pinning such as bank clients, will refuse to work if their user protection certificate is changed,” explained specialists at Digital Security.

Representatives from Viber, Telegram, WhatsApp and Facebook Messenger did not respond to Kommersant’s questions. Microsoft, which owns Skype, declined to comment.

Alexei Lukatsky, an Internet security consultant at Cisco, said that so far it has been impossible to gain mass access to messaging apps traffic.

“That is why claims about the possibility of interception most likely are erroneous,” said Lukatsky.

Lyamin added that gaining access to top messaging apps may cost tens of thousands of dollars on the black market, when using the service of hackers.

First published by Kommersant.

Share this:

Add Comment

Ut tellus dolor, dapibus eget, elementum vel, cursus eleifend, elit. Aenean auctor wisi et urna. Aliquam erat volutpat. Duis ac turpis. Integer rutrum ante eu lacus. Required fields are marked*