WhatsApp messages of military officers involved in Turkey's attempted coup were published by the country's state-run media outlets, prompting questions within Turkey about how the government may have accessed them. A Reddit user in Turkey started a thread asking other users on the discussion website “to describe how it can be happened” that WhatsApp messages were obtained by the government despite WhatsApp's implementation of end-to-end encryption technology this year.
Security professionals are asking similar questions. Alan Duric, CTO at Wire Swiss GmbH, wrote in an email to SCMagazine.com that the messages may have been intercepted through any of several methods, including a “security flaw or backdoor” used by the ruling government. “It is also likely that if anyone was backing up the messages, they may not have done so securely,” he wrote.
The use of WhatsApp for operational security results from a lack of education about the limits of encrypted messaging services, according to industry pros. “Encryption is not cracked, it is bypassed,” Geoff Green, president and chief executive officer of Myntex, told SCMagazine.com. “They could easily inject code onto the device even if it is encryption protected, then they could watch it as you type.”
Communicating plans for a coup using a communication method that is unencrypted at rest “is extremely poor operational security,” wrote Blackstone Law Group partner Alexander Urbelis, an attorney who worked for the U.S. Army and the Central Intelligence Agency. He noted that the messaging service protects against surveillance but does not protect communications if a “device that contains a correct cryptographic key falls into the wrong hands.”
If Turkish intelligence had compromised WhatsApp's end-to-end encryption, “it is hardly likely the coup would have been as violent, chaotic, or lasted as long as it did,” he added.
The use of device spyware is also possible, especially considering a dramatic rise in the use of malicious code, according to Google's Transparency Report published last week. The report demonstrated “an explosion of malware compromised sites, where malicious software is downloaded onto a computer without the user's knowledge,” wrote Brian NeSmith, president and CEO at Arctic Wolf Networks, in an email to SCMagazine.com. “People are now even more at risk of getting infected from just normal day-to-day Internet usage.”
“I suspect Government had physical access to the soldier's phone and 'persuaded' or extorted the soldier to unlock the device,” wrote one user on the Reddit thread.
The Daily Sabah newspaper reported that government officials had physical access to at least one of the mobile devices used by military officers involved in planning the coup. The newspaper is owned by a “close associate” of Turkey's president Recep Tayyip Erdoğan and run by Erdoğan's son-in-law.
Access to soldiers' devices appears to be the likely extraction method, especially considering the range of “persuasive techniques” the Turkish government has employed in countering the sentiments of coup loyalists. Over the weekend, Amnesty International called for international monitors to observe detention centers in Turkey, citing “credible reports” of detainees being beaten, tortured, and raped.
“Reports of abuse including beatings and rape in detention are extremely alarming, especially given the scale of detentions that we have seen in the past week,” Amnesty International's Europe director John Dalhuisen stated in a release on Sunday.
“Government intercepting messages as they are sent is difficult for governments to do,” Lee Reiber, COO at Oxygen Forensics, told SCMagazine.com, noting the information was likely extracted from the device. “That is definitely my suspicion,” he said in speaking with this publication.
This is not the first occasion in which WhatsApp policies have created international implications. A drawn-out battle involving WhatsApp and Brazil's judicial system has unfolded, ultimately working its way to the country's Supreme Court.
Earlier this month, a cryptography Ph.D. student wrote that the company appeared to block encrypted calls to WhatsApp accounts associated with Saudi phone numbers by country code, even when the user was not located in Saudi Arabia. “There is technology that can recognize encrypted transmission and block it out,” Reiber told SCMagazine.com. “It is low level to instead block it by country code.”
Duric noted that it is “almost impossible to speculate on WhatsApp's encryption security and/or potential backdoors,” considering that the messaging service does not use an open source infrastructure. “Only WhatsApp can know for sure what happened on the backend with these messages,” Duric wrote.