EE Seminar: Loose Ends: The Downsides of Instant Messengers End-to-End-Encryption (E2EE)
הרישום לסמינר יבוצע באמצעות סריקת הברקוד למודל (יש להיכנס לפני כן למודל, לא באמצעות האפליקציה) - )- הרישום מסתיים ב- 13:10
Registration to the seminar will be done by scanning the barcode for the Moodle (Please enter ahead to the Moodle, NOT by application)- Registration ends at 13:10
(The talk will be given in English)
Speaker: Tal Be'ery
Co-Founder and CTO of ZenGo
|
011 hall, Electrical Engineering-Kitot Building |
Monday, June 16th, 2025
13:00 - 14:00
|
|
Loose Ends: The Downsides of Instant Messengers End-to-End-Encryption (E2EE)
Abstract
End-to-End Encryption (E2EE) is widely regarded as a cornerstone of modern Instant Messaging (IM) privacy. By including the server in its threat model, E2EE prevents servers from accessing the content of messages. However, this approach also limits the server's ability to protect honest users on one side of a conversation from malicious actors on the other.
In this talk, we will present our research, which identifies several attack vectors that exploit the "server blindness" introduced by E2EE. These vulnerabilities are particularly relevant in the context of Meta’s WhatsApp, the world’s most popular IM application. We will also propose innovative solutions to address or mitigate these issues.
Our research highlights previously unexplored attack vectors that leverage E2EE-induced server blindness. These include:
Rogue receivers: Exploiting the absence of server buffering to compromise sender privacy at both the transport and application layers.
Rogue senders: Taking advantage of the lack of server oversight to violate receiver privacy and message integrity by delivering different versions of the same message to multiple devices.
We responsibly disclosed our findings to WhatsApp, resulting in several fixes and bounty rewards.
Additionally, we will discuss how WhatsApp’s partial deviation from ideal E2EE—by maintaining some server visibility through metadata—enables it to counter Advanced Persistent Threat (APT) zero-day exploits. To further enhance security, we propose a metadata-based defensive approach at the application layer and a novel extension to Signal’s E2EE Sesame pro.
Short Bio
Tal Be'ery is the Co-Founder and CTO of ZenGo, securing crypto assets with the ZenGo Wallet mobile app. Tal is a cyber-security researcher, returning speaker in the industry's most prestigious events, including Black Hat and RSAC and a member of Facebook's exclusive WhiteHat list. For the last two decades, Tal had built and led a few Cyber-Security R&D teams, mostly in the field of network monitoring solving various security problems. Previously, Tal has led research for Aorato (acquired by Microsoft) as VP for Research. Tal holds M.Sc. and B.Sc degrees in CSEE from TAU and a CISSP certification.
