This website is also available in German.

News

Second Prize in German IT-Security Award 2020

Christian Weinert, Thomas Schneider, Matthias Senker, Daniel Kales and Christian Rechberger won the second prize in the 8. German IT-Security Award 2020 for their work on mobile private contact discovery. See here for details.

Attacks on WhatsApp, Signal, and Telegram in the News

See https://encrypto.de/news/contact-discovery for an up-to-date press review.

What is Mobile Contact Discovery & Why Should I Care?

Mobile contact discovery allows users of mobile messengers to conveniently connect with people in their address book: newly registered users can instantly start messaging existing contacts based on their phone numbers without exchanging additional information like usernames or email addresses.

Some of the world’s most popular mobile messengers (with billions of users) like WhatsApp perform contact discovery by regularly uploading and storing the users’ entire address books, while more privacy-concerned messengers like Signal transfer only short hashes of phone numbers or rely on trusted hardware. Unfortunately, the low entropy of phone numbers indicates that it is feasible to reverse such hash values and therefore, albeit all good intentions, there is no gain in privacy.

In a research collaboration between TU Darmstadt, TU Graz, and University of Würzburg, we show that currently deployed contact discovery services severely threaten users’ privacy.

Leaking Social Graphs via “Curious” or Compromised Service Providers

Revealing essentially all personal contacts to a service provider is a significant privacy risk and legal challenge, as from the social graph of users a variety of personal information can be inferred. Most importantly, sensitive contact relationships can become known and could be used to scam, discriminate, or blackmail users, harm their reputation, or make them the target of an investigation. Service providers could also be compromised or forced by government agencies to hand out data, resulting in the exposure of such sensitive information.

When installing a mobile messenger, users also jeopardize the privacy of people who are not even connected to the particular service by transmitting their contact information without consent. An illustrative example of a severe breach of privacy can be seen in the case of WhatsApp, which was acquired by Facebook in 2014 and shared its database with the parent company: Facebook users received friend recommendations of strangers who happened to see the same psychiatrists.

Leaking Personal (Meta) Data via Crawling Attacks

Malicious users or hackers might also be interested in extracting information about others. Examples for personal (meta) data commonly stored in a user’s messenger profile include profile picture(s), nickname, status message, and the last time the user was online. By tracking such data over time, it is even possible to build accurate behavior models. Matching accounts with other social networks and publicly available data sources allows third parties to build extremely detailed profiles. From a commercial perspective, such knowledge can be utilized for targeted advertisement or scams. Vicious individuals could furthermore abuse such information for discrimination, blackmailing, or planning a crime, whereas nation states could be interested in closely monitoring or persecuting citizens.

Even the mere fact that a specific phone number is registered with a certain messaging service can be sensitive in many ways, especially when it can be linked to a person. For example, in areas where some services are strictly forbidden, disobeying citizens can be identified and persecuted. Comprehensive databases of phone numbers registered to a particular service can allow attackers to cause harm at a larger scale, e.g., by distributing compromised messages to quickly exploit security vulnerabilities in messaging applications.

Since there are no noteworthy restrictions for signing up with messaging services, any third party can create a large number of accounts to crawl the user database of a messenger for information by requesting data for (randomly) chosen phone numbers. Such enumeration attacks cannot be fully prevented, since legitimate users must be able to query the database for contacts. In practice, rate-limiting is a well-established measure to effectively mitigate such attacks at a large scale, and one would assume that service providers apply reasonable limits to protect their platforms.

Our Work towards Mobile Private Contact Discovery

In our line of work, we demonstrate the severity of the privacy threats outlined above in currently deployed contact discovery methods. Moreover, we propose suitable countermeasures to effectively migitage crawling attacks and present efficient cryptographic protocols to privately perform mobile contact discovery while revealing as little information as possible.

Large-Scale Abuse of Mobile Contact Discovery [HWSDS22, HWSDS21]

Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, large-scale crawling attacks are possible. Using an accurate database of mobile phone number prefixes and very few resources, we queried 10% of US mobile phone numbers for WhatsApp and 100% for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service.

We present interesting (cross-messenger) usage statistics, which also reveal that very few users change the default privacy settings (which in most cases are not privacy-friendly at all). Regarding mitigations, we propose novel techniques to significantly limit the feasibility of our crawling attacks, especially a new incremental contact discovery scheme that strictly improves over Signal’s approach.

Furthermore, we show that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal of mobile phone numbers. For this, we also propose a significantly improved rainbow table construction for non-uniformly distributed inputs that is of independent interest. All our methods can reverse hashes of mobile phone numbers within milliseconds.

Responsible Disclosure

We demonstrate methods that allow to invade the privacy of billions of mobile messenger users by using only very few resources. We therefore initiated the official responsible disclosure process with all messengers we investigated (WhatsApp, Signal, and Telegram) and shared our findings to prevent exploitation by maleficent imitators. As a result, WhatsApp has improved their protection mechanisms such that large-scale attacks can be detected, and Signal has reduced the number of possible queries to complicate crawling. Telegram responded to our responsible disclosure by elaborating on additional data scraping countermeasures beyond the rate limits detected by us. They are allegedly triggered when attackers use existing databases of active phone numbers and higher conversion rates than ours occur.

Efficient Private Set Intersection (PSI) for Mobile Contact Discovery [KRSSW19]

The currently most promising approach to privately perform contact discovery without relying on trusted hardware is based on cryptographic protocols for private set intersection (PSI). Such protocols allow users and service providers to find matching contacts while not revealing any information about unrelated entries in the users’ address books or the service providers’ user databases.

Unfortunately, even in a weak security model where clients are assumed to follow the protocol honestly, previous protocols and implementations turned out to be far from practical when used at scale. This is due to their high computation and/or communication complexity as well as lacking optimization for mobile devices.

In our work, we remove most obstacles for large-scale global deployment by significantly improving two promising protocols by Kiss et al. (PoPETS’17) while also allowing for malicious clients and providing optimized implementations for mobile devices. Our fastest protocol privately checks 1000 client contacts against a large-scale database with 250 Million entries in only 2.92s measured on a smartphone via a real WiFi connection and 6.53s via LTE.

We summarize the addressed privacy threats of mobile contact discovery and explain details about our PSI protocols in an easily understandable as well as illustrative video on YouTube.

Publications