Bahrain Watch understands that the Zello Walkie Talkie mobile app is widely used by youth activists in Bahrain. The app allows users to create groups (called channels), and then exchange audio messages from the group.
We are greatly concerned by reports that 15 individuals who were members of three different Zello channels were arrested on 3 September 2014, and have disappeared according to their lawyers. We understand that the arrests were conducted by police who lured the activists to a fake meeting, which some suspect may have occurred through traditional methods of infiltration or by posting voice messages to the channel through a compromised member. After the arrests, police posted messages to the channels warning that they were coming to get the activists “one by one.”
In response to this incident, Bahrain Watch decided to investigate the security of the Zello app. We used Wireshark to examine the information sent and received by the Zello app over the Internet.
The Bahrain Watch investigation has found that:
- Security flaws in the Zello app can easily reveal users phone number, name and location.
- The Ministry of Interior possesses the capability of intercepting and storing information for specific users of the Zello app.
- It is almost impossible to guard against the security flaws of Zello even using a VPN.
- WhatsApp using an anonymous phone number and a VPN is a better solution, but will not be practical for users who rely on Zello’s feature of automatically playing incoming messages through the phone speaker.
We urge activists to stop using the app for exchanging secret information or joining secret groups.
First, we signed up for a new account, called anon-activist. Below, on the left we show a screenshot of the signup screen, and on the right, a screenshot of the information sent and received over the internet when we signed up for the account.
As shown in the screenshot, the username, phone number, and e-mail address are sent without encryption over the Internet. Since the information is not encrypted, it can be intercepted and stored by the Ministry of Interior, along with the IP address of the person signing up.
If the user is signing up using their home connection or 3G connection, and not using a VPN, then the Ministry of Interior can get their real name and address from their IP address, and associate their real name with their e-mail, phone number, and Zello username. It is important to note that Zello automatically fills in the e-mail address and phone number using correct information from the phone. The user can manually change this, but we suspect it is unlikely that many users do change this during signup.
Next, we tried to create a channel using Zello. We created a channel called anon-group, with password “yasqothamad.” We noticed that the following information was sent and received from the Internet, without encryption:
Notice that the channel name anon-group, and the hash of the password, are transmitted. This can allow the Ministry of Interior to see which user creates which channels. The password hash is an MD5 of the password:
$ printf '%s' "yasqothamad" | md5sum f2186b70454b7623d1dbe2cc05ed01de -
This could allow the Ministry of Interior to discover the passwords for password-protected channels. Police could join a channel if they figure out the password.
One of the biggest concerns about Zello is that the membership of a channel is leaked by all users in the group. As shown in the screenshot below, all members of the group anon-group are transmitted unencrypted.
The complete member list is not only leaked by the creator of the group, but is leaked continuously by all users of the group.
Whenever a user sends a voice message to another user or channel, or a group, the metadata is sent unencrypted. Thus, the Ministry of Interior can know which users are messaging which users or channels, and at which dates and times.
The screenshot above shows part of the information transmitted when anon-activist sends a voice message to anon-group. We did not check to see whether the voice message itself is encrypted or not.
The Ministry of Interior can intercept and store information from Zello for specific people or villages, or for every person inside Bahrain. However, Bahrain Watch cannot confirm whether the Ministry is doing this. Nevertheless, we advise activists to stop relying on this insecure app.
Because Zello transmits this private information constantly, using a VPN is not a good solution. It cannot be guaranteed that a VPN will always be connected. However, if even one of the people in a Zello channel is briefly disconnected from the VPN, then private information about everyone in the channel can be leaked.
WhatsApp is a better solution, because it seems to encrypt information about who you talk to, which groups you join, and which users are in which groups. However, WhatsApp has the disadvantage that it is based on phone numbers. If the phone of someone in a group is seized, police can see the phone numbers of everyone else in the group, and identify them through the phone numbers. Registering an anonymous phone number is not a bulletproof solution for WhatsApp. This is because WhatsApp will transmit the anonymous phone number unencrypted over the Internet, and this can be intercepted by the Ministry of Interior and associated with your IP address, and your real name. However, using a VPN together with an anonymous phone number can improve security, by reducing the chance for the Ministry to associate your anonymous phone number with your real identity.