John McAfee, noted liar and one-time creator of anti-virus software, apparently tried to convince reporters that he hacked the encryption used on WhatsApp. To do this, he attempted to send them phones with preinstalled malware and then convince them he was reading their encrypted conversations.
In April, WhatsApp announced that it had added automatic end-to-end encryption for its billion plus users. The company touted the move as one that would help protect and secure the communications of all WhatsApp users around the world.
McAfee has a history of being shifty with the press about his alleged cybersecurity exploits. In March, for instance, during a media tour that included appearances on CNN and RT, McAfee claimed he would be able to hack into the phone of San Bernardino terrorist Syed Farook. McAfee never proved his claims, and later admitted that he was lying in order to garner a “shitload of public attention.”
Now, it seems McAfee has tried to trick reporters again, by sending them phones pre-cooked with malware containing a keylogger, and convincing them he somehow cracked the encryption on WhatsApp. According to cybersecurity expert Dan Guido, who was contacted by a reporter trying to verify McAfee’s claims, McAfee planned to send this reporter two Samsung phones in sealed boxes. Then, experts working for McAfee would take the phones out of the boxes in front of the reporters and McAfee would read the messages being sent on WhatsApp over a Skype call.
According to sources who spoke to Gizmodo anonymously because they were not authorised by their employer to speak to the press, McAfee offered this story to at least the International Business Times and Russia Today. One additional source said he also shopped the story to Business Insider.
“[John McAfee] was offering to a different couple of news organisations to mail them some phones, have people show up, and then demonstrate with those two phones that [McAfee] in a remote location would be able to read the message as it was sent across the phones,” Guido said. “I advised the reporter to go out and buy their own phones, because even though they come in a box it’s very easy to get some [cling film] and a hair dryer to rebox them.”
Earlier today, an article titled “WhatsApp Message Hacked By John McAfee And Crew” appeared on the website for Cybersecurity Ventures, a research firm that purports to specialise in the cybersecurity industry. In it, McAfee blamed Google and not WhatsApp for the exploit in the phone, but the article’s headline claims that McAfee hacked WhatsApp. McAfee never actually claims to have hacked WhatsApp in the article, but says he found a serious flaw in the Android design.
It seems that McAfee tried to peddle a lie to multiple reporters—that he had hacked the encryption on WhatsApp—but then changed his story when reporters expressed concerns about their ability to verify this supposed hack.
Moxie Marlinspike, who developed the encryption protocol used in WhatsApp and assisted in implementing it, told Gizmodo that McAfee also admitted his plan to him. “Some reporters that had been contacted by McAfee about a demo [...] got in touch with me,” Marlinspike told Gizmodo. “I talked to McAfee on the phone, he reluctantly told me that it was a malware thing with pre-cooked phones, and all the outlets he’d contacted decided not to cover it after he gave them details about how it’d work.”
Here is a statement sent to Gizmodo by John McAfee in full. The “article” in question is the piece in Cybersecurity Ventures:
Here is my formal response - written:
I, perhaps wrongly, assume that people actually read articles that interest them rather than just headlines. If you actually READ the article, which you apparently did not, I made it absolutely CLEAR that this was NOT a WhatsApp issue. It was a Google issue. You slam me for tweeting an article, whose headline you do not like. Surely, the article is what is important, not the headline. If I am wrong, then we, as a society, are fucked. Please quote me word for word if you have the fucking balls. Which, I know in advance, you do not.
Of course the phones had malware on them. How that malware got there is the story, which we will release after speaking with Google. It involves a serious flaw in the Android architecture.