{"id":784,"date":"2023-11-08T14:00:29","date_gmt":"2023-11-08T14:00:29","guid":{"rendered":"https:\/\/fde.cat\/index.php\/2023\/11\/08\/enhancing-the-security-of-whatsapp-calls\/"},"modified":"2023-11-08T14:00:29","modified_gmt":"2023-11-08T14:00:29","slug":"enhancing-the-security-of-whatsapp-calls","status":"publish","type":"post","link":"https:\/\/fde.cat\/index.php\/2023\/11\/08\/enhancing-the-security-of-whatsapp-calls\/","title":{"rendered":"Enhancing the security of WhatsApp calls"},"content":{"rendered":"<p><span>New optional features in WhatsApp have helped make calling on WhatsApp more secure.<\/span><br \/>\n<span>\u201cSilence Unknown Callers\u201d is a new setting on WhatsApp that not only quiets annoying calls but also blocks sophisticated cyber attacks.<\/span><br \/>\n<span>\u201cProtect IP Address in Calls\u201d is a new setting on WhatsApp that helps hide your location from other parties on the call.<\/span><\/p>\n<p><span>Privacy and security are at the core of WhatsApp. In addition to protecting personal messages with end-to-end encryption, WhatsApp empowers users to control their own privacy settings: from what you share, how you show up online, or who can reach out to you or add you to groups.<\/span><\/p>\n<p><span>In June 2023, WhatsApp <\/span><span>announced<\/span><span> an additional privacy feature: <a href=\"https:\/\/www.facebook.com\/zuck\/posts\/pfbid02gH5Jfc6nYEAQacnCbYG2EZ3rkJB4A596EPYfoDKu6NcyeQ6evkWHZQbbtLfARhy3l\" target=\"_blank\" rel=\"noopener\">Silence Unknown Callers.<\/a> We launched\u00a0 this feature for the benefits it has for not only privacy but also security. The experience is simple: with the setting turned on, calls from unknown numbers do not ring your phone. 
Having carefully built this feature to minimize attack surface and external data processing, we are able to help protect users from not only unwanted contact, but also cyber attacks and spyware.<\/span><\/p>\n<p><span>Then in October 2023, WhatsApp began rolling out \u201cProtect IP Address in Calls\u201d, which hides your IP from the other party by relaying calls through WhatsApp Servers.<\/span><\/p>\n<h2><span>Stop cyber attacks and hackers with \u201cSilence Unknown Callers\u201d<\/span><\/h2>\n<p><span>Across the software industry, calling products are an attractive vector for cyber attacks. Popular software projects in this space, such as <\/span><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvekey.cgi?keyword=webrtc\" target=\"_blank\" rel=\"noopener\"><span>WebRTC<\/span><\/a><span> and <\/span><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvekey.cgi?keyword=pjsip\" target=\"_blank\" rel=\"noopener\"><span>PJSIP<\/span><\/a><span>, have documented numerous vulnerabilities. Because of the complexity and large number of protocols involved, attackers have many opportunities to find a bug to exploit. Furthermore, calling software often automatically processes incoming packets from callers to optimize call setup and improve performance. This means calling vulnerabilities can often lead to \u201czero-click\u201d attacks; the victim may not even need to accept the call for the attack to succeed.<\/span><\/p>\n<p>In most calling products, devices exchange information and set up state without user interaction.<\/p>\n<p><span>Many calling products offer ways to silence calls. However, traditional methods of silencing retain the same network protocols and message flow as a normal call and merely silence the call on the recipient\u2019s device. 
This leaves many risks for call recipients unmitigated:<\/span><\/p>\n<p><span>The recipient\u2019s device may still perform complicated processing of attacker-controlled data.<\/span><br \/>\n<span>This gives an attacker ways to load data into the recipient\u2019s memory.<\/span><br \/>\n<span>The recipient may leak device information back to the attacker to increase exploit delivery reliability.<\/span><\/p>\n<p><span>One could attempt to mitigate these risks by adding state machines, firewalls, and sandboxes on the recipient. However, there are <\/span><a href=\"https:\/\/citizenlab.ca\/2023\/04\/nso-groups-pegasus-spyware-returns-in-2022\/\" target=\"_blank\" rel=\"noopener\"><span>many<\/span> <span>examples<\/span><\/a><span> in the industry of these techniques <a href=\"https:\/\/googleprojectzero.github.io\/0days-in-the-wild\/\/0day-RCAs\/2020\/CVE-2020-6572.html\" target=\"_blank\" rel=\"noopener\">failing to protect users<\/a>.<\/span><\/p>\n<p><span>Instead, WhatsApp built a specialized protocol for delivering stripped-down, silenced call notifications to recipients. The server enforces this protocol, protecting the recipient device from the complexity of normal call setup and from processing attacker-controlled data.<\/span><\/p>\n<p>Our implementation of silenced calls, with WhatsApp servers enforcing separation.<\/p>\n<p><span>This approach took more effort than a client-only method. How can the server know if the call should be silenced without asking the recipient? In end-to-end encrypted messengers like WhatsApp, clients are the source of truth. We don\u2019t keep logs of who everyone is messaging or calling. While traditionally mobile carriers and operators store this information, we believe that keeping these records for two billion users would be both a privacy and security risk, and we don\u2019t do it.<\/span><\/p>\n<p><span>WhatsApp developed a new technology, named privacy tokens, to solve this problem. 
Each client locally decides which other users it trusts and distributes tokens to them. When a call is placed, the caller includes the privacy token of the recipient in the protocol message. Next, the server checks the token\u2019s validity along with a few other factors to determine if the intended recipient allows this sender to ring them. Crucially, for our users\u2019 privacy, the server does not learn anything about the exact relationship between the caller and the recipient from the token.<\/span><\/p>\n<p><span>With our design of this feature, calling becomes a much less attractive vector for attackers.<\/span><\/p>\n<h2><span>Protect your IP address metadata in calls<\/span><\/h2>\n<p>Two common methods of connecting call participants: peer-to-peer and via a relay.<\/p>\n<p><span>Most calling products people use today have peer-to-peer connections between participants. This direct connection allows for faster data transfers and better call quality, but it also means that participants need to know each other\u2019s IP addresses so that call data packets can be delivered to the correct device \u2013 meaning that the IP addresses are visible to both callers on a 1:1 call. IP addresses may contain information that some of our most privacy-conscious users are mindful of, such as broad geographical location or internet provider.<\/span><\/p>\n<p><span>To address this concern, we introduced a new feature on WhatsApp that allows you to protect your IP address during calls. With this feature enabled, all your calls will be relayed through WhatsApp\u2019s servers, ensuring that other parties in the call cannot see your IP address and subsequently deduce your general geographical location. This new feature provides an additional layer of privacy and security particularly geared towards our most privacy-conscious users. 
As always, your calls are end-to-end encrypted, so even if a call is relayed through WhatsApp servers, WhatsApp cannot listen to your calls.<\/span><\/p>\n<p><span>Visit the <a href=\"https:\/\/faq.whatsapp.com\/2635108359972899\/\" target=\"_blank\" rel=\"noopener\">WhatsApp Help Center<\/a> to learn more about this feature \u2013 which is currently being rolled out to iOS and Android users \u2013 and <a href=\"https:\/\/faq.whatsapp.com\/2635108359972899\/\" target=\"_blank\" rel=\"noopener\">how to activate it<\/a>.<\/span><\/p>\n<h2><span>Conclusion<\/span><\/h2>\n<p><span>WhatsApp built and launched \u201cSilence Unknown Callers\u201d and \u201cProtect IP Address in Calls\u201d this year as part of our ongoing comprehensive work to keep users safe. These features respect and improve user privacy while also reducing the effectiveness of real-world attacks.<\/span><\/p>\n<p><span>Protecting user privacy and security is absolutely necessary for WhatsApp to accomplish its mission to enable private communication for the world. These new security features combine with many other protections to keep people safe on WhatsApp.<\/span><\/p>\n<p>The post <a href=\"https:\/\/engineering.fb.com\/2023\/11\/08\/security\/whatsapp-calls-enhancing-security\/\">Enhancing the security of WhatsApp calls<\/a> appeared first on <a href=\"https:\/\/engineering.fb.com\/\">Engineering at Meta<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>New optional features in WhatsApp have helped make calling on WhatsApp more secure. \u201cSilence Unknown Callers\u201d is a new setting on WhatsApp that not only quiets annoying calls but also blocks sophisticated cyber attacks. 
\u201cProtect IP Address in Calls\u201d is a new setting on WhatsApp that helps hide your location from other parties on the&hellip; <a class=\"more-link\" href=\"https:\/\/fde.cat\/index.php\/2023\/11\/08\/enhancing-the-security-of-whatsapp-calls\/\">Continue reading <span class=\"screen-reader-text\">Enhancing the security of WhatsApp calls<\/span><\/a><\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-784","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":331,"url":"https:\/\/fde.cat\/index.php\/2021\/08\/31\/how-whatsapp-enables-multi-device-capability\/","url_meta":{"origin":784,"position":0},"title":"How WhatsApp enables multi-device capability","date":"August 31, 2021","format":false,"excerpt":"For years, people have been asking us to create a true multi-device experience that allows people to use WhatsApp on other devices without requiring a smartphone connection. Today, we\u2019re announcing the rollout of a limited public beta test for WhatsApp\u2019s updated multi-device capability.\u00a0 With this new capability, you can now\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":702,"url":"https:\/\/fde.cat\/index.php\/2023\/04\/13\/how-device-verification-protects-your-whatsapp-account\/","url_meta":{"origin":784,"position":1},"title":"How Device Verification protects your WhatsApp account","date":"April 13, 2023","format":false,"excerpt":"WhatsApp has launched a new security feature that further helps prevent attackers from using vectors like on-device malware. This security feature, called Device Verification, requires no action or additional steps from users and helps protect your account. 
This feature is part of our broader work to increase security for our\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":833,"url":"https:\/\/fde.cat\/index.php\/2024\/03\/06\/making-messaging-interoperability-with-third-parties-safe-for-users-in-europe\/","url_meta":{"origin":784,"position":2},"title":"Making messaging interoperability with third parties safe for users in Europe","date":"March 6, 2024","format":false,"excerpt":"To comply with a new EU law, the Digital Markets Act (DMA), which comes into force on March 7th, we\u2019ve made major changes to WhatsApp and Messenger to enable interoperability with third-party messaging services.\u00a0 We\u2019re sharing how we enabled third-party interoperability (interop) while maintaining end-to-end encryption (E2EE) and other privacy\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":701,"url":"https:\/\/fde.cat\/index.php\/2023\/04\/13\/deploying-key-transparency-at-whatsapp\/","url_meta":{"origin":784,"position":3},"title":"Deploying key transparency at WhatsApp","date":"April 13, 2023","format":false,"excerpt":"WhatsApp has launched a new cryptographic security feature to automatically verify a secured connection based on key transparency.\u00a0 The feature requires no additional actions or steps from users and helps ensure that a conversation is secure.\u00a0 Key transparency solutions help strengthen the guarantee that end-to-end encryption provides to private, personal\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":462,"url":"https:\/\/fde.cat\/index.php\/2021\/09\/20\/how-whatsapp-is-enabling-end-to-end-encrypted-backups\/","url_meta":{"origin":784,"position":4},"title":"How WhatsApp is enabling end-to-end encrypted backups","date":"September 20, 2021","format":false,"excerpt":"For 
years, in order to safeguard the privacy of people\u2019s messages, WhatsApp has provided end-to-end encryption by default \u200b\u200bso messages can be seen only by the sender and recipient, and no one in between. Now, we\u2019re planning to give people the option to protect their WhatsApp backups using end-to-end encryption\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":551,"url":"https:\/\/fde.cat\/index.php\/2022\/03\/10\/code-verify-an-open-source-browser-extension-for-verifying-code-authenticity-on-the-web\/","url_meta":{"origin":784,"position":5},"title":"Code Verify: An open source browser extension for verifying code authenticity on the web","date":"March 10, 2022","format":false,"excerpt":"Since WhatsApp introduced multi-device capability last year, we\u2019ve seen an increase in people accessing WhatsApp directly through their web browser via WhatsApp Web. With this shift in mind, we\u2019ve been looking at ways to add additional layers of security to the WhatsApp Web experience. 
Starting today, you can now use\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/784","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/comments?post=784"}],"version-history":[{"count":0,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/posts\/784\/revisions"}],"wp:attachment":[{"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/media?parent=784"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/categories?post=784"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fde.cat\/index.php\/wp-json\/wp\/v2\/tags?post=784"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}