Plus: China’s Volt Typhoon hackers lurked in US systems for years, the Biden administration’s crackdown on spyware vendors ramps up, and a new pro-Beijing disinformation campaign gets exposed.

Documents exclusively obtained by WIRED reveal that AI surveillance software tracked thousands of people using the London Underground to detect crime or unsafe situations. The machine learning software scoured live CCTV footage to spot aggressive behavior, weapons being brandished, and people dodging fares. The documents also detail errors made during the trial—for instance, mistakenly identifying children walking with their parents as fare evaders.

Meanwhile, on Wednesday, cryptocurrency tracing firm Chainalysis published a report finding ransomware payments in 2023 reached over $1.1 billion, the highest annual total ever recorded. The record-breaking sum of extorted funds was due to two things: the high number of ransomware attacks and the amount of money that hackers were demanding from victims, many of whom were targeted specifically for their ability to pay and their inability to sustain a prolonged disruption of services.

A tech company, notorious for keeping websites with far-right and other extreme content online, was bought last year by a secretive company whose business is to help set up businesses, often in ways that keep details of those companies secret, WIRED reported on Thursday. Registered Agents Inc.’s acquisition of Epik may allow the shadowy company to provide its customers with another layer of anonymity.

For the past month, senior security reporter Matt Burgess has been transitioning away from using passwords to log in to his hundreds of online accounts. Instead, he’s using passkeys, a more secure form of authentication that uses generated codes stored on your device to log in to websites and apps using a biometric identifier like a fingerprint, face scan, or PIN. When it works, it’s seamless and secure. When it doesn’t, it’s a mess.

WhatsApp is developing a feature to allow its users to message across apps, all while maintaining its secure end-to-end encryption. In theory, the move would allow users to chat with people on WhatsApp using apps like Signal or Telegram. It’s unclear which companies, if any, will link their services with WhatsApp.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Hackers have, in the real world, caused blackouts, set fire to a steel mill, and released worms that took down medical record systems in hospitals across the US and the UK. So it hardly seems necessary to invent new nightmares about them taking over our toothbrushes.

Yet, when the Swiss newspaper _Aargauer Zeitung_ published a story that cybercriminals had infected 3 million internet-connected toothbrushes with malware, then used them to launch a cyberattack that downed a website for four hours and caused millions of dollars in damage, the tale was somehow irresistible. This week, news outlets around the world picked up the story, which quoted the cybersecurity firm Fortinet as its source, spinning it out as the perfect illustration of how hackers can exploit the most mundane technology for epic malevolence. “This example, which seems like a Hollywood scenario, actually happened,” the Swiss newspaper wrote.

Except, of course, it didn’t. Cybersecurity professionals quickly started to point out that the story was unsupported by any evidence—and was somewhat absurd on its face. (Even the Mirai botnet, which knocked out its targets with record-breaking tsunamis of junk traffic and eventually broke a large fraction of the internet, infected only 650,000 internet-connected devices at its peak.)

Fortinet belatedly sought to correct the record, writing in public statements that “it appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.” But the _Aargauer Zeitung_ pointed the finger back at Fortinet, noting in a follow-up story that Fortinet provided exact details of the dental doomsday it described as real, and that the company even reviewed the text of the article prior to publication. Regardless of who’s to blame, at least this cyber urban legend has inspired some solid meme content.

Back to more factual cyber doomsday headlines: The US Federal Bureau of Investigation, National Security Agency, and Cybersecurity and Infrastructure Security Agency this week warned in a report that China’s hacker group known as Volt Typhoon had quietly maintained access to some US critical infrastructure networks for as long as half a decade. The report included detailed descriptions of the intrusion and persistence techniques used by the group, which has distinguished itself as perhaps China’s most aggressive state-sponsored hacking force. Volt Typhoon’s broad penetration of US electric grids, transportation networks, and other critical infrastructure has raised alarms among US federal agencies since as early as May of last year, when those agencies began to warn that the group appeared to be laying the groundwork for cyberwar-style attacks in the midst of any future conflict. Now it’s clear that those warnings came only years after the hackers’ sabotage preparations were well underway.

The Biden administration announced that it will restrict the visas of foreign sellers of commercial spyware, potentially preventing executives or associates of those surveillance firms from traveling to the US. The new regulation is part of the White House’s slow tightening of the screws on spyware seller firms like NSO Group, Cytrox, Intellexa, and Candiru, after an earlier move to place those firms on a Commerce Department trade blocklist and prevent US government agencies from buying those hacking firms’ tools. On the day of the announcement, Google released its own detailed report on alleged commercial spyware vendors, calling out a dozen of the companies by name and offering policy recommendations for protecting users.

Citizen Lab this week exposed a vast network of Chinese websites posing as local news sites across the globe, all used to post pro-Beijing disinformation and propaganda. The 123 sites, targeting audiences in more than 30 countries in Europe, Asia, and Latin America, mixed innocuous commercial and cut-and-pasted content with anti-Western conspiracy theories, such as allegations of human experimentation carried out by the United States in Southeast Asia, and targeted attacks on critics of the Chinese government. While the visibility and impact of the influence operation has been “negligible,” according to Citizen Lab, it’s another sign of China’s growing efforts to wield disinformation as a soft power tactic.

How 3 Million ‘Hacked’ Toothbrushes Became a Cyber Urban Legend

Apple macOS users are the target of a new Rust-based backdoor that has been operating under the radar since November 2023.
The backdoor, codenamed RustDoor by Bitdefender, has been found to impersonate an update for Microsoft Visual Studio and target both Intel and Arm architectures.
The exact initial access pathway used to propagate the implant is currently not known, although

macOS Malware / Cyber Threat

Apple macOS users are the target of a new Rust-based backdoor that has been operating under the radar since November 2023.

The backdoor, codenamed **RustDoor** by Bitdefender, has been found to impersonate an update for Microsoft Visual Studio and target both Intel and Arm architectures.

The exact initial access pathway used to propagate the implant is currently not known, although it's said to be distributed as FAT binaries that contain Mach-O files.

Multiple variants of the malware with minor modifications have been detected to date, likely indicating active development. The earliest sample of RustDoor dates back to November 2, 2023.

It comes with a wide range of commands that allow it to gather and upload files, and harvest information about the compromised endpoint.

Some versions also include configurations with details about what data to collect, the list of targeted extensions and directories, and the directories to exclude.

The captured information is then exfiltrated to a command-and-control (C2) server.

The Romanian cybersecurity firm said the malware is likely linked to prominent ransomware families like Black Basta and BlackCat owing to overlaps in C2 infrastructure.

"ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model," security researcher Andrei Lapusneau said.

In December 2023, the U.S. government announced that it took down the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Alert: New Stealthy "RustDoor" Backdoor Targeting Apple macOS Devices

Red Hat Security Advisory 2024-0760-03 - An update for the container-tools:3.0 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0760.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: container-tools:3.0 security updateAdvisory ID:        RHSA-2024:0760-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0760Issue date:         2024-02-09Revision:           03CVE Names:          CVE-2024-21626====================================================================Summary: An update for the container-tools:3.0 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.Security Fix(es):* runc: file descriptor leak (CVE-2024-21626)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21626References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2024-001https://bugzilla.redhat.com/show_bug.cgi?id=2258725

Red Hat Security Advisory 2024-0760-03

Red Hat Security Advisory 2024-0758-03 - An update for the container-tools:2.0 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0758.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: container-tools:2.0 security updateAdvisory ID:        RHSA-2024:0758-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0758Issue date:         2024-02-09Revision:           03CVE Names:          CVE-2024-21626====================================================================Summary: An update for the container-tools:2.0 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.Security Fix(es):* runc: file descriptor leak (CVE-2024-21626)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21626References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2024-001https://bugzilla.redhat.com/show_bug.cgi?id=2258725

Red Hat Security Advisory 2024-0758-03

“Had this all been contrived? Had his life become a game in which everyone knew the rules but him?” An exclusive excerpt from 2054: A Novel.

2054, Part V: From Tokyo With Love

Known for doing business with far-right extremist websites, Epik has been acquired by a company that specializes in helping businesses keep their operations secret.

A technology company that has been essential in keeping far-right and extremist websites online was acquired last year by a firm that operates an empire of shell companies across the United States, according to people familiar with the deal.

Epik.com has been for years the go-to domain registrar for websites that other companies refuse to do business with. Sites dedicated to white nationalism, QAnon conspiracy theories, and harassing transgender people were all welcomed by Epik. Now, it appears that Epik’s new owner may abandon the extremist fringe and shift its customer base toward companies seeking to operate in the shadows.

Rob Monster, a born-again Christian who founded Epik in 2009, had been key in keeping many of the most extreme websites online. He often went to great lengths to personally defend the sites and extolled the virtues of free speech. Epik was sold to new ownership last year after the company unraveled amid allegations of gross financial mismanagement.

An accounting firm hired by Epik to conduct a forensic investigation alleged that Monster had misappropriated more than $3.5 million, according to an internal preliminary report obtained by WIRED. More than $1.5 million was attributed to Monster personally withdrawing funds from the company. Nearly $2 million of Epik funds was used in Kingdom Ventures, Monsters’ venture capital firm, according to the report.

Monster didn’t respond to multiple requests for comment.

The buyer of Epik’s domain registrar business was a brand-new company that had been incorporated in Wyoming weeks before the sale was completed last summer: Epik LLC. The owner of Epik LLC, according to two people familiar with the deal, is Registered Agents Inc. The company confirmed its ownership in a press release late Friday night.

Registered Agents Inc. and its subsidiary companies claim to have offices in every state and Washington, DC. Its services allow companies to operate anonymously in a jurisdiction of its choosing. Registered Agents Inc. says it provides services to over 1 million companies.

The founder and owner of Registered Agents, according to two people familiar with the company, is a man named Dan Keen. In an email, a lawyer for Registered Agents Inc. says Keen is not the owner nor an employee of Registered Agents Inc. or Epik, and that he acted as a consultant in the acquisition.

Keen is intensely private, according to multiple people who have worked with him who requested anonymity to discuss details of the deal. “He has made it his mission in life to be invisible,” said one. “He’s someone who likes to operate in the shadows,” claims another. Keen is a serial entrepreneur who previously ran a lawn care and tree-trimming business, according to public records.

Keen has no website or social media pages. Emails sent by Keen don’t include a signature. Attempts to reach Keen for comment led to a reply from Bryce Myrvang, a lawyer for Registered Agents Inc.

Using a registered agent to incorporate a business allows the owner to shield who actually owns it. A registered agent will act as an official point of contact for a company, receiving legal notices and mail, and filing incorporation documents with the state. In Wyoming alone, Registered Agents Inc. represents around 50,000 companies, according to the Wyoming secretary of state.

For example, a company that uses Registered Agents Inc. to set up shop in Wyoming would have its address listed as 30 N. Gould Sreet, a squat one-story building in the town of Sheridan.

A local paper in Wyoming, _The Sheridan Press_, reported in August 2021 that scam business had been linked to the 30 N. Gould Street address, where more than 20 registered agent firms claim to have their offices. An editor's note added after publication stated, “It remains completely legal for registered agents to do what they’re doing under Wyoming Statute.”

A 2022 investigation by the International Consortium of Investigative Journalists found that “oligarchs, criminals and online scammers” have used registered agents to operate in the United States and shield their true identity.

Registered Agents Inc.’s acquisition of Epik allows the company to extend its offerings to the internet, providing its customers another layer of anonymity for their websites.

“This most recent acquisition provided an opportunity to expand our business offerings to include a business email address, a domain name, and open source website hosting at a reasonable cost,” Myrvang tells WIRED. “Registered Agents Inc. now has the capability to establish an entire business identity for its customers in less than 10 minutes.”

Clues about changes within Epik first emerged in January, when the company terminated its relationship with Kiwi Farms, a notorious trolling site whose users are dedicated to perpetuating never-ending drama and misery. In a series of bizarre and now deleted tweets, Epik claimed it suspended Kiwi Farms in response to a US court order and that the site hosted child sexual abuse material. In response, the Kiwi Farms administrator began crowdfunding money for a defamation lawsuit against Epik.

“You specialize in defamation, revenge porn, harassment, and hate speech and you want to sue us? We will expose all your and your users dirty secrets and they will be permanent public records,” the EpikLLC X account replied. “The judgment we will win against you will follow you the rest of your life.”

It was as if a new set of trolls with an entirely different worldview had taken over Epik.

“Alright all Whiny, Beta Snowflakes. Our DEI hires of the month canceled #Kiwifarms,” another post from EpikLLC read. “We don't like hate speech, porn, or doxxing. #JoeBiden will fix it! 2024!”

Some of the tweets trolling Epik were later deleted. “If such comments and or interactions on X were found to be offensive, Epik LLC formally apologizes to those individuals and or company,” Myrvang, the company's lawyer, says. “Further, the appropriate action has been taken internally in relation to the comments made on X.”

It’s unclear if Epik’s new owners singled out Kiwi Farms or if it has booted other sites from its service. “Epik.com’s Terms of Service has been updated to maintain compliance with all regulatory requirements,” Myrvang says.

When asked if the company has stopped working with other customers, Myrvang says, “Epik LLC will suspend and or terminate relationships with any company and or individual who violates its Terms of Services.”

In late 2022, Epik customers began reporting that they were suddenly unable to withdraw money from Masterbucks, Epik’s payment platform, which facilitated buying and selling pricey domain names. One customer, Luigi Marruso, posted on the domain name forum NamePros claiming that Epik was holding onto $1.5 million of its money. In an email to WIRED, Marruso says he still hasn’t been paid back.

Another customer, Matthew Adkisson, sued Epik and Monster, claiming they had mismanaged or embezzled $327,000 from him as he sought to purchase nourish.com. Epik later settled with Adkisson.

Claims like Adkisson’s began to pile up on forums for professionals in the domain name business (known as “domainers”), and Epik was in serious financial jeopardy.

Epik’s customers, fearing the worst, rushed to get their money back from the company. Epik even had outstanding debts with ICANN, the nonprofit that serves as a global administrator for the internet, according to legal filings.

“They were using customer funds to fund its operations. People started asking for those customer funds back, and they couldn't pay them,” says Andrew Allemann, a journalist who covered the fiasco for Domain Name Wire. “There was a run on the bank, and the money wasn’t there.”

In September 2022, a new CEO was installed at Epik in an attempt to stem the bleeding and settle the company’s debts. Epik, once valued by an investor at around $150 million was sold for around $5 million dollars in June 2023, according to a purchase agreement released as an exhibit in the Adkisson lawsuit. Much of the $5 million purchase price was allocated to paying off some of Epik’s debts. It’s unclear if the terms of the final deal match the one released as part of the lawsuit, but a source familiar with the acquisition says it was generally similar.

The rest of the debt was left with Monster. Just how much Monster owes former customers and vendors is unknown. Two former Epik customers told WIRED they’re still waiting to be paid back $38,000 and $20,000, respectively.

_Updated: 2/8/2024, 2:35 pm ET: Added additional comment from a Registered Agents Inc. spokesperson regarding Dan Keen's relationship with the company._

Epik, the Far-Right's Favorite Web Host, Has a Shadowy New Owner

Passkeys are here to replace passwords. When they work, it’s a seamless vision of the future. But don’t ditch your old logins just yet.

Using passkeys likely means having a different mindset from how you think about passwords. There’s nothing to remember when you log in, and you have to use something else to store your passkeys. Passkeys can be stored in Apple’s, Google’s or Microsoft’s password manager systems; your browser; a dedicated password manager; or on a physical security key. I created a Google passkey on one USB key, and all I need to do to sign in is, essentially, plug it in. (All of the devices I use professionally and personally are Apple, meaning I haven’t tested passkeys between my iPhone and a Windows laptop, for instance.)

“The technology is mature, the front ends are still nascent,” Shikiar from the FIDO Alliance says. Over the past year, the FIDO alliance has also been working on user experience guidelines, he says, making it more straightforward for people to sign up and use passkeys across systems. Gary Orenstein, the chief customer officer of password manager Bitwarden, says there are multiple groups involved in the creation and rollout of passkeys, so transitioning to a world where everything is seamless takes coordination. “The standards are at one level, user expectations are at a different level,” he says. “The vendor implementations are at a third level, and they’re merging, but it takes time.”

Being able to save a passkey on essentially any device makes them more useful and means you aren’t locked in to Google’s, Microsoft’s, or Apple’s ecosystems. However, where you save a passkey is going to take some remembering. When setting up one passkey, I was asked by my password manager, browser, and the device operating system whether I wanted to save my passkey with each of them. Picking one spot and sticking to it is probably the best option.

Most of my work is done on my laptop—and it's rare that I download new apps or log out of apps on my phone—so I have been saving the majority of my passkeys in Bitwarden, which costs me $10 a year for a premium account alongside my hundreds of passwords. It works like this: When logging in to my Amazon account, I enter my username, and then Bitwarden’s browser extension pops up asking whether I want to log in with my passkey for Amazon. I press confirm, and I am logged in. It also offers the option to use my device or a hardware key to log in, and if I select one of these options, it looks for passkeys stored on my laptop.

However, as mentioned, Bitwarden doesn’t currently offer passkeys on mobile, meaning that to get the mobile-first Coinbase integration to work, I ended up saving that passkey to iCloud’s Keychain instead. Orenstein, from Bitwarden, says that making passkeys work on mobile is a priority for Bitwarden and more support should be rolling out in the coming months. The company has seen a “fantastic” adoption of passkeys so far, he says, but acknowledges people will have to get used to the change. “You still need an awareness about where it is,” Orenstein says. “I think, over time, as an industry, we can reduce the need for that awareness, hopefully to zero.”

The Password’s Long Goodbye

You may not have set up any passkeys yet, but it’s only a matter of time. Tech companies are starting to make passkeys the default, and more businesses are adopting them. In the past couple of weeks, X has started allowing some people to use passkeys, and WhatsApp is bringing them to iPhones and iPads after previously rolling out passkey support for Android devices.

Leona Lassak, Blase Ur, and Maximilian Golla, three academics from Germany and the US who have researched the adoption of passkeys, say that businesses they’ve interviewed are generally positive about the adoption of passkeys and the extra security it will bring. However, it will likely take some time until the majority of websites, apps, and companies are using passkeys for everything. “I don’t think we will have a big bang in the next few months,” Lassak says. “It’s going to be a slow process, which on the way will then also catch other and smaller entities.”

As a result, passwords will still be around for a while. It’ll be a long time until I have converted my remaining 320-ish accounts to be using passkeys. And for the time being at least, those accounts where I do have passkeys will still have existing passwords that I can fall back on. “Passkeys is having fewer passwords, but not necessarily no passwords,” says Golla.

Experts recommend setting up a few passkeys whenever you come across them on your online accounts, rather than necessarily trying to change them all at once. There are guides to what websites are using passkeys already, and Google, Microsoft, and Apple all have straightforward explanations on how to create passkeys. And there are plenty of benefits to getting started now.

“They are a true password replacement that eliminate the threat of phishing, eliminate the hassle of password resets, and eliminate the liability that service providers have when they’re managing thousands, tens of thousands, or tens of millions, or billions of passwords,” Shikiar says. “It really is an entirely new way of doing user authentication.”

I Stopped Using Passwords. It's Great—and a Total Mess

“The people are in the streets. We can’t ignore them any longer. Really, we have little choice. Either we heal together, or we tear ourselves apart.” An exclusive excerpt from 2054: A Novel.

2054, Part IV: A Nation Divided

“You’d have an incomprehensible level of computational, predictive, analytic, and psychic skill. You’d have the mind of God.” An exclusive excerpt from 2054: A Novel.

2054, Part III: The Singularity

New EU rules mean WhatsApp and Messenger must be interoperable with other chat apps. Here’s how that will work.

A frequent annoyance of contemporary life is having to shuffle through different messaging apps to reach the right person. Messenger, iMessage, WhatsApp, Signal—they all exist in their own silos of group chats and contacts. Soon, though, WhatsApp will do the previously unthinkable for its 2 billion users: allow people to message you from another app. At least, that's the plan.

For about the past two years, WhatsApp has been building a way for other messaging apps to plug themselves into its service and let people chat across apps—all without breaking the end-to-end encryption it uses to protect the privacy and security of people’s messages. The move is the first time the chat app has opened itself up this way, and it potentially offers greater competition.

It isn’t a shift entirely of WhatsApp’s own making. In September, European, lawmakers designated WhatsApp parent Meta as one of six influential “gatekeeer” companies under its sweeping Digital Markets Act, giving it six months to open its walled garden to others. With just a few weeks to go before that time is up, WhatsApp is detailing how its interoperability with other apps may work.

“There’s real tension between offering an easy way to offer this interoperability to third parties whilst at the same time preserving the WhatsApp privacy, security, and integrity bar,” says Dick Brouwer, an engineering director at WhatsApp who has worked on Meta rolling out encryption to its Messenger app. “I think we're pretty happy with where we’ve landed.”

Interoperability in both WhatsApp and Messenger—as dictated by Europe’s rules—will initially focus on text messaging, sending images, voice messages, videos, and files between two people. Calls and group chats will come years down the line. Europe’s rules apply only to messaging services, not traditional SMS messaging. “One of the core requirements here, and this is really important, is for users for this to be opt-in,” says Brouwer. “I can choose whether or not I want to participate in being open to exchanging messages with third parties. This is important, because it could be a big source of spam and scams.”

WhatsApp users who opt in will see messages from other apps in a separate section at the top of their inbox. This “third-party chats” inbox has previously been spotted in development versions of the app. “The early thinking here is to put a separate inbox, given that these networks are very different,” Brouwer says. “We cannot offer the same level of privacy and security,” he says. If WhatsApp were to add SMS, it would use a separate inbox as well, although there are no plans to add it, he says.

Overall, the idea behind interoperability is simple. You shouldn’t need to know what messaging app your friends or family use to get in touch with them, and you should be able to communicate from one app to another without having to download both. In an ideal interoperable world, you could, for example, use Apple’s iMessage to chat with someone on Telegram. However, for apps with millions or billions of users, making this a reality isn’t straightforward—encrypted messaging apps use their own configurations and different protocols and have different standards when it comes to privacy.

Despite WhatsApp working on its interoperability plan for more than a year, it will still take some time for third-party chats to hit people’s apps. Messaging companies that want to interoperate with WhatsApp or Messenger will need to sign an agreement with the company and follow its terms. The full details of the plan will be published in March, Brouwer says; under EU laws, the company will have several months to implement it.

Brouwer says Meta would prefer if other apps use the Signal encryption protocol, which its systems are based upon. Other than its namesake app and the Meta-owned messengers, the Signal Protocol is publicly disclosed as being used in Google Messages and Skype. To send messages, third-party apps will need to encrypt content using the Signal Protocol and then package it into message stanzas in the eXtensible Markup Language (XML). When receiving messages, apps will need to connect to WhatsApp’s servers.

“We think that the best way to deliver this approach is through a solution that is built on WhatsApp’s existing client-server architecture,” Brouwer says, adding it has been working with other companies on the plans. “This effectively means that the approach that we’re trying to take is for WhatsApp to document our client- server protocol and letting third-party clients connect directly to our infrastructure and exchange messages with WhatsApp clients.”

There is some flexibility to WhatsApp interoperability. Meta’s app will also allow other apps to use different encryption protocols if they can “demonstrate” they reach the security standards that WhatsApp outlines in its guidance. There will also be the option, Brouwer says, for third-party developers to add a proxy between their apps and WhatsApp’s server. This, he says, could give developers more “flexibility” and remove the need for them to use WhatsApp’s client-server protocols, but it also “increases the potential attack vectors.”

So far, it is unclear which companies, if any, are planning to connect their services to WhatsApp. WIRED asked 10 owners of messaging or chat services—including Google, Telegram, Viber, and Signal—whether they intend to look at interoperability or had worked with WhatsApp on its plans. The majority of companies didn’t respond to the request for comment. Those that did, Snap and Discord, said they had nothing to add. (The European Commission is investigating whether Apple’s iMessage meets the thresholds to offer interoperability with other apps itself. The company did not respond to a request for comment. It has also faced recent challenges in the US about the closed nature of iMessage.)

Matthew Hodgson, the cofounder of Matrix, which is building an open source standard for encryption and operates the messaging app Element, confirms that his company has worked with WhatsApp on interoperability in an “experimental” way but that he cannot say any more due to signing a nondisclosure agreement. In a talk last weekend, Hodgson demonstrated “hypothetical” architectures for ways that Matrix could connect to the systems of two gatekeepers that don’t use the same encryption protocols.

Meanwhile, Julia Weis, a spokesperson for the Swiss messaging app Threema, says that while WhatsApp did approach it to discuss its interoperability plans, the proposed system didn’t meet Threema’s security and privacy standards. “WhatsApp specifies all the protocols, and we’d have no way of knowing what actually happens with the user data that gets transferred to WhatsApp—after all, WhatsApp is closed source,” Weis says. (WhatsApp’s privacy policy states how it uses people’s data.)

When the EU first announced that messaging apps may have to work together in early 2022, many leading cryptographers opposed the idea, saying it adds complexity and potentially introduces more security and privacy risks. Carmela Troncoso, an associate professor at the Swiss university École Polytechnique Fédérale de Lausanne, who focuses on security and privacy engineering, says interoperability moves could potentially lead to different power relationships between companies, depending on how they are implemented.

“This move for interoperability will, on the one hand, open the market, but also maybe close the market in the sense that now the bigger players are going to have more decisional power,” Troncoso says. “Now, if the big player makes a move and you want to continue being interoperable with this big player, because your users are hooked up to this, you're going to have to follow.”

While the interoperability of encrypted messaging apps may be possible, there are some fundamental challenges about how the systems will work in the real world. How much of a problem spam and scamming will be across apps is largely unknown until people start using interoperable setups. There are also questions about how people will find each other across different apps. For instance, WhatsApp uses your phone number to interact and message other people, while Threema randomly generates eight-digit IDs for people’s accounts. Linking up with WhatsApp “could de-anonymize Threema users,” Weis, the Threema spokesperson says.

Meta’s Brouwer says the company is still working on the interoperability features and the level of support it will make available for companies wanting to integrate with it. “Nobody quite knows how this works,” Brouwer says. “We have no idea what the demand is.” However, he says, the decision was made to use WhatsApp’s existing architecture to run interoperability, as it means that it can more easily scale up the system for group chats in the future. It also reduces the potential for people’s data to be exposed to multiple servers, Brouwer says.

Ultimately, interoperability will evolve over time, and from Meta’s perspective, Brouwer says, it will be more challenging to add new features to it quickly. “We don't believe interop chats and WhatsApp chats can evolve at the same pace,” he says, claiming it is “harder to evolve an open network” compared to a closed one. “The second you do something different—than what we know works really well—you open up a wormhole of security, privacy issues, and complexity that is always going to be much bigger than you think it is.”

Tag

#sap