WhatsApp decryption is essential for the law enforcement since due to its popularity and extremely tough security it is a common choice among the criminals. However, the need for WhatsApp decryption is not limited to law enforcement. Us mere mortals may need access to our own communications when re-installing WhatsApp, changing devices or extracting conversations occurred on a device we no longer possess. Since WhatsApp data is not always available in iOS system backups, using WhatsApp’ own stand-alone cloud backup system is the more reliable choice compared to pretty much everything else.

Elcomsoft Explorer for WhatsApp (www.elcomsoft.com/exwa.html) can now access iPhone users’ encrypted WhatsApp communication histories stored in Apple iCloud Drive. So you can circumvent the encryption and gain access to iCloud-stored encrypted messages, if you have access to the user’s SIM card with a verified phone number.

Background

WhatsApp v.2.16.17 was released in December 2016. In this build, the company started encrypting its stand-alone backups stored in iCloud Drive, instantly rendering existing extraction methods ineffective. Before the change, Elcomsoft Explorer for WhatsApp could be used to successfully access WhatsApp chat archives by logging in to the user’s iCloud account using their valid authentication credential. WhatsApp encryption dropped a significant roadblock, effectively preventing this practice and only allowing WhatsApp extraction from iOS system backups (local and iCloud-based).

How It Works

Since last year, both manual and daily stand-alone backups stored by WhatsApp in iCloud Drive are automatically encrypted. The encryption key, generated by WhatsApp when the user makes a backup for the first time, is unique per each combination of Apple ID and phone number. Different encryption keys are generated for different phone numbers registered on the same Apple ID. These encryption keys are generated and stored server-side by WhatsApp itself; they are never stored in iCloud, and they cannot be extracted from the device.

Elcomsoft Explorer for WhatsApp gains the ability to generate encryption keys for WhatsApp’s iCloud backups, successfully bypassing encryption and gaining access to WhatsApp conversation history and underlying messages. In order to generate the encryption key, experts must be able to receive a WhatsApp verification code sent to the phone number for which a given backup was created. In addition, the user’s Apple ID and password (or binary authentication token) are required to gain access to the backup itself.

By using the associated phone number and iCloud authentication credentials, Elcomsoft Explorer for WhatsApp initiates the process of registering itself as a new “device” with WhatsApp. After passing the verification process, the tool can request the encryption from WhatsApp and use that key for decrypting the backup.

The decryption key received by Elcomsoft Explorer for WhatsApp is permanent and does not change even if the user changes their Apple ID password. The decryption key remains valid even after re-authenticating WhatsApp with the same phone number and Apple ID. The same key can be used to decrypt older backups created before the key was retrieved.

Elcomsoft Explorer for WhatsApp employs a smart workaround for processing WhatsApp extraction from iCloud. In order to generate an encryption key, do the following:
1. In Elcomsoft Explorer for WhatsApp, observe 2 green icons “iOS” and “Android” in the bottom left part of the main window. Click on the iOS icon.
2. Click on the iOS icon again. Select “Download files from iCloud Drive” from the menu.
3. If the Apple ID account has two-factor authentication, you’ll be prompted for a code. Enter it.
4. The downloading process begins. It may take a while.
5. Once the download completes, you’ll see a message that warns that the data is encrypted.
6. You can use the Decrypt option to instantly decrypt data. Or you may click Open to have data loaded into the viewer. At this time, you can only access media files; text conversations are still encrypted.
7. If you attempt to access encrypted data, you’ll be prompted for a code.
8. Click Send to request a code. It will be delivered to the phone number. Enter the code into the “Verification code” box.
9. Once the correct code is entered, the data is instantly decrypted. If you have other encrypted data, click on the lock sign to instantly decrypt. Newly downloaded data will be decrypted automatically.

Cloud backups remain one of the few vectors of attack allowing to remotely access WhatsApp communication history. If you have cloud backups enabled in WhatsApp and your iPhone is suddenly de-registered from your WhatsApp account, watch out as someone could have accessed your data. As always, we recommend activating two-factor authentication to protect your Apple ID.