
Thijs Alkemade, a Dutch developer, has discovered a security hole in popular messaging platform WhatsApp.
In his blog, Alkemade said WhatsApp uses the same key to encrypt both outgoing and incoming messages in a conversation.
He said this could be exploited, and users should assume that anyone who is able to eavesdrop on their WhatsApp connection is capable of decrypting their messages, with enough effort. "You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this, except to stop using it until the developers can update it," he added.
How he did it
Alkemade described how he did it in some detail in his blog. WhatsApp uses RC4, a pseudo-random number generator that produces a stream of bytes, which are XORed (a crypto operation that preserves randomness) with the plaintext that is to be encrypted. However, using the same stream of bytes more than once means the result is no longer random.
Alkemade explained that should two messages be encrypted with the same key and be intercepted by a cyber criminal, the attacker could simply compare the incoming and outgoing messages. If the attacker could figure out part of one of the messages, it would be possible to cancel out the similarities between the two messages, effectively revealing the unencrypted text.
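The effect described above can be reproduced in a few lines. The following is an added example, not code from Alkemade's blog or from WhatsApp: it encrypts one outgoing and one incoming message with the same RC4 key, then repeats the exchange with a separate key per direction for contrast. The keys, the messages and the helper names are constructed for illustration, and the per-direction key is an assumed contrast, not WhatsApp's fix.

```python
# Added illustration of RC4 key stream reuse; all keys and messages are constructed samples.

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of the RC4 key stream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation algorithm
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, rc4_keystream(key, len(plaintext)))

def other_plaintext(c_a: bytes, c_b: bytes, known_a: bytes) -> bytes:
    """XOR of two ciphertexts made with one key stream equals the XOR of
    their plaintexts, so knowing plaintext A yields plaintext B."""
    return xor(xor(c_a, c_b), known_a)

def demo():
    outgoing = b"Are we still meeting at noon?"    # constructed; known to the observer
    incoming = b"Yes, see you at the station!!"    # constructed; meant to stay secret
    # Weak design: one key for both directions, so both use the same key stream.
    shared = b"constructed-session-key"
    c_out = rc4_encrypt(shared, outgoing)
    c_in = rc4_encrypt(shared, incoming)
    leaked = other_plaintext(c_out, c_in, outgoing)
    # Contrast (assumed): an independent key for the incoming direction.
    c_in_sep = rc4_encrypt(b"constructed-incoming-key", incoming)
    not_leaked = other_plaintext(c_out, c_in_sep, outgoing)
    return incoming, leaked, not_leaked

if __name__ == "__main__":
    incoming, leaked, not_leaked = demo()
    print("shared key reveals reply:   ", leaked == incoming)
    print("separate keys reveal reply: ", not_leaked == incoming)
```

With a shared key the key stream never has to be recovered; it drops out of the XOR entirely, which is why the encryption key's strength does not help here.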
WhatsApp rubbished these claims, but said it appreciated the concerns being raised.
In a mail to PC World, it said: "WhatsApp takes security seriously and is continually thinking of ways to improve our product. While we appreciate feedback, we're concerned that the blogger's story describes a scenario that is more theoretical in nature. Also, stating that all conversations should be considered compromised is inaccurate."
How bad is it?
Ian Farquhar, a security researcher, said that, assuming Alkemade's reverse engineering is correct, it would appear the authors of the app clearly did not understand cryptography and have implemented a poor solution.
"To reuse RC4 keys shows a complete misunderstanding of the algorithm, which itself is frankly something I would not be using anyway. RC4 is widely deprecated, and there are better alternatives."
At best, he would call this protection obfuscation rather than encryption, Farquhar added.
On the other hand, Farquhar said it is still an attack which requires some skill to surmount, so the situation is "hardly devastating" either.
"So yes, it's bad," he stated. "But if you applied this level of analysis to every application which uses crypto and doesn't use standard and well-studied cryptographic protocols, I'd be surprised if you didn't find equally poor design in many. Maybe even the majority."
Doing crypto securely is hard, concluded Farquhar. "Small mistakes can cause big issues. This is a classic example of that."


