Exactly how those media reports about WhatsApp terrorists happened

So Home Secretary Amber Rudd went on t’telly and continued trying to jawbone some sort of privileged access to WhatsApp messages. In the process she also:

called on “people who understand the technology” and know “the necessary hashtags” to stop extremist material being uploaded to the internet.

Anyway. This was all in aid of Friday’s Parliament Square terrorist attack and the supposed news that attacker Khalid Masood received (or sent – it’s not clear) a message from someone shortly before the crime. OK then. If they can’t defeat WhatsApp encryption, how did they know? Two possibilities offer themselves. Either the other party to the conversation told the police, in which case they already have all the messages that party exchanged with Masood, or else the police managed to access Masood’s phone after the attack, in which case they have all his WhatsApp messages and much, much more besides.

There are numerous ways to get into a seized device; the police could have used the now-famous Cellebrite hardware attack tool, but on the other hand, they might have guessed a password or perhaps there wasn’t even one set. Masood doesn’t sound like someone who had his shit in one sock, to say the least. Perhaps the phone was unlocked for some reason – like capturing video of the attack for publicity purposes – at the time and they grabbed it and downloaded everything quick-smart. Scotland Yard actually staged a fake mugging of a wanted fraudster while he was on a call recently, so I’d consider that option quite likely. Wilder options are available – dust it for fingerprints and 3D print the index finger, then try the fingerprint reader, anyone? Physically shove the guy’s hand onto it? And it’s possible the message showed up after the attack, while the device was in police hands. In short, it’s a general information security principle that anyone who has physical access to your machine can probably get at your data.

Clearly, then, this was just an exercise in pushing a long-standing Home Office want-want while the bodies weren’t too chilly. They didn’t need a backdoor, because they had the information anyway.

But there’s a little more to the story than that. It turns out the police were investigating “media reports” he contacted someone. So where did the media hear this? Again, it’s possible that someone in the Home Office cynically briefed the papers so the minister could then respond to the coverage. It’s also possible that a journalist found out the old-fashioned way – they were all over Masood’s relatives within hours of his name hitting the wires, and it’s their job to find things out. So what was this “media report”?

The answer is probably this Daily Hell piece. The paper produces what it says is a screenshot of a WhatsApp client showing the contact “Khalid” as “last seen at 2.37pm”. The text suggests (although it doesn’t say) that the paper knows his phone number. Adding his number as a contact would produce the screenshot, with a “last seen” time determined as per this WhatsApp FAQ page:

Online status means that contact has WhatsApp open in the foreground on their device and is connected to the internet.

This is a valid way to determine if a given phone number is associated with a WhatsApp ID and that ID is operational. After all, you can do it to the home secretary. Nobody, however, thinks that’s evidence she’s taking orders from Buzzfeed. Meanwhile, I recommend this piece from Stephen Bush.

2 Comments on "Exactly how those media reports about WhatsApp terrorists happened"

  1. Interesting. Though the WhatsApp status timestamp explains well the police/media comments, note too that the Investigatory Powers Act 2016 could require mobile operators to retain the timestamp of internet connections, via logging TCP/IP for IP address or HTTPS cleartext SNI for domain name.

    Fixed link to BBC article about Met “mugging”: http://www.bbc.co.uk/news/uk-38183819 (broken link had a spurious “2” appended).

