An Israeli spy tech firm has been found privately marketing unparalleled surveillance software, according to reports. The firm claims that when in close proximity of phones, it can comprehensively extract data from WhatsApp chats, including contents of encrypted messages, via a Wi-Fi powered device.
The surveillance tech, called CatchApp was uncovered when Haifa-based intelligence and security firm Wintego's marketing brochures were leaked by an anonymous source to Forbes. The documents revealed that CatchApp used MITM (man-in-the-middle) attacks to siphon off data from a target's WhatsApp account. The leaked brochures also claim that the spy tech "provides complete access to all of a target's WhatsApp content".
According to the anonymous source, the leaked brochures were being handed out at a policing event earlier in the year. The firm's CatchApp-powered hacking device called WINT, which is believed to be small enough to fit into a backpack, also allegedly works on the most recent versions of WhatsApp. Wintego claims WINT's size and surveillance abilities make it ideal for covert operations.
Other leaked brochures obtained by Forbes claim that WINT's "data extraction solution" can access "the entire contents of your targets' email accounts, chat sessions, social network profiles, detailed contact lists, year-by-year calendars, files, photos, web browsing activity, and more". The device allegedly obtains users' login credentials and proceeds to surreptitiously download "all the data stored therein".
The device is also touted to be capable of overriding "the encryption and security measures of many web accounts and apps", allowing it to gain access to user credentials. In the case of communication apps like WhatsApp, Telegram, Google Allo, Facebook Messenger, which do not require users to enter log-in credentials when accessing the apps, the WINT can pilfer "secured data right from the apps".
However, no substantial evidence has been provided about how the firm's products and services go about bypassing WhatsApp encryption and security to access user data. Security experts cast considerable doubt about Wintego's products' advertised surveillance capabilities.
According to cryptography expert Matthew Green, who is currently an assistant professor at the Johns Hopkins Information Security Institute, Wintego's product may not be successful in cracking WhatsApp's latest cryptography.
"They would have to defeat both the encryption to and from the server and the end-to-end Signal encryption. That does not seem feasible at all, even with a Wi-Fi access point," he said.
"I would bet mundanely the password stuff is just plain phishing. You go to some site, it asks for your Google account, you type it in without looking closely at the address bar. But the WhatsApp stuff manifestly should not be vulnerable like that."