New Video from @seytonic Highlights Cybersecurity Vulnerabilities in Messaging Apps and WiFi Hacking Case

In this video, the Seytonic channel addresses two major topics related to cybersecurity and digital surveillance, revealing concerning vulnerabilities in widely used messaging applications like WhatsApp and Signal, as well as a notable legal case involving WiFi hacking on an airplane.

The first topic explores a privacy flaw discovered by researchers from the University of Vienna, detailed in their study titled Careless Whisper. This vulnerability allows an attacker to monitor a user's habits simply by exploiting the delivery receipts (read receipts) of messages. Contrary to appearances, these receipts, which indicate that a message has been delivered, are not innocuous. By measuring the time it takes for a message to be delivered, an attacker can deduce precise information about the victim: whether their phone is locked, unlocked, or if the application is open, as well as the model of their device (Apple, Samsung, Xiaomi, etc.), whether they are connected to WiFi or mobile data, and even if they are making a call. To carry out this attack, it is sufficient to know the target's phone number and send reactions (reactions) to non-existent messages, a technique that does not trigger any notifications and remains completely invisible to the user. WhatsApp, unlike Signal, does not limit the number of reactions sent, allowing a device to be flooded at a rate of 20 reactions per second. This can not only enable intrusive surveillance but also lead to excessive data consumption (up to 13 GB per hour) and rapid battery drain (up to 18% per hour). The researchers emphasize that these delivery receipts cannot be disabled, as they are essential to the functioning of the applications. They have also demonstrated that this method can be used to map a person's movements throughout the day by observing when their devices (phone, computer, tablet) are active. For example, if an attacker notices that the victim's PC turns on at 9 am and turns off at 5 pm, they can deduce that the person is likely at work during those hours. Worse still, this technique can reveal links between multiple targets: if two people have WhatsApp open at the same time repeatedly, it can be assumed that they are communicating with each other.

The companies concerned, Meta (owner of WhatsApp) and Signal, were informed of this vulnerability in September 2024, but their response was disappointing. Meta simply acknowledged receipt of the report before forwarding it to the relevant team a year later, without providing any concrete follow-up. Signal, on the other hand, never responded. To protect themselves, Signal users can enable privacy settings related to phone numbers, while WhatsApp has recently introduced an option to block bulk messages from unknown accounts. However, it is unknown whether this measure is effective against attacks using invisible reactions.

The second topic of the video discusses a legal case in Australia, where a 44-year-old man was sentenced to 7 years and 4 months in prison for hacking an airplane's WiFi. The incident began when an airline employee noticed a suspicious WiFi network on board, mimicking the plane's network but offering free access in exchange for a connection via social networks. It was actually an Evil Twin, a classic attack where a hacker creates a fake access point to steal users' credentials. After landing, the police searched the passengers' luggage and found the culprit's device, a specialized WiFi hacking tool. Investigations revealed that this was not his first attempt: he had carried out similar attacks on other flights and in airports. His goal? To steal social media account credentials, particularly those of women, to spy on their communications and collect intimate images. The police discovered thousands of such files on his devices. To make matters worse, the man attempted to delete evidence by erasing his cloud data and trying to remotely format his phone, which resulted in additional charges. He also spied on confidential meetings between the police and his employer, although the details of this part of the case remain unclear. This case highlights the dangers of public WiFi networks, especially when they request sensitive information such as social media credentials. Australian authorities have incorrectly emphasized that using a VPN could protect against this type of attack, whereas in reality, a VPN only encrypts traffic and does not protect against fake access points.

This video sheds light on risks often underestimated by users, whether it be passive surveillance via seemingly harmless features like read receipts or more direct attacks like the Evil Twin. It underscores the importance of remaining vigilant, even on applications considered secure, and taking measures to limit exposure to digital threats. For those wishing to delve deeper into the subject, the researchers from the University of Vienna presented their work at a Defcon conference, and the video provides useful links in the description.