WhatsApp encryption flaw revealed, POC code published
A Dutch researcher says that the encryption solution implemented by popular cross-platform IM service WhatsApp is flawed. He claims that the company has not thought it out as well as they should have and that users should be aware that their WhatsApp messages could be easily decrypted by attackers.
WhatsApp has had its fair share of privacy and security issues. The company implemented message encryption in August 2012, but has not specified what cryptographic method is used.
Now, thanks to Thijs Alkemade, a Computer Science and Mathematics student at Utrecht University and Lead Developer for Adium, an open source IM client for Mac OS X, we know that not only does WhatsApp use the same (RC4) encryption key for the messages in both directions, but also the same HMAC key to authenticate messages.
“But a MAC by itself is not enough to detect all forms of tampering: an attacker could drop specific messages, swap them or even transmit them back to the sender,” he points out. “TLS counters this by including a sequence number in the plaintext of every message and by using a different key for the HMAC for messages from the server to the client and for messages from the client to the server. WhatsApp does not use such a sequence counter and it reuses the key used for RC4 for the HMAC.”
To prove his point, he also created a Python script that intercepts WhatsApp messages and tries to decrypt the incoming messages by guessing all outgoing messages.
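The following is an added illustration, not the article's or Alkemade's code, of why one RC4 key shared by both directions is the problem: each direction runs its own RC4 stream from the same key, so the two keystreams are identical and an eavesdropper who knows or guesses one side's message recovers the other side's. The key, messages and the HMAC-based per-direction key derivation shown as the fix are assumptions constructed for the example; the fix mirrors the TLS practice the article mentions (a different key per direction).

```python
import hashlib
import hmac

# Constructed sample session: one shared key, one message in each direction.
KEY = b"constructed-shared-key"
OUTGOING = b'<message to="bob">hi there</message>'            # client -> server, guessable
INCOMING = b'<message to="me">secret number 4242</message>'  # server -> client, the target

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA) producing `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_direction(key: bytes, plaintext: bytes) -> bytes:
    """Each direction is its own RC4 stream. With a shared key both streams start
    from the same keystream, so byte i of each side is masked by the same byte."""
    return xor(plaintext, rc4_keystream(key, len(plaintext)))

def recover_other_direction(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """Eavesdropper's view: C1 ^ C2 == P1 ^ P2 when both use the same keystream,
    so a known (or guessed) P1 yields P2 for the overlapping bytes."""
    n = min(len(ct_known), len(ct_target))
    return xor(xor(ct_known[:n], ct_target[:n]), pt_known[:n])

def leak_with_shared_key() -> bytes:
    """The flawed design: same key both ways, the incoming message falls out."""
    return recover_other_direction(encrypt_direction(KEY, OUTGOING), OUTGOING,
                                   encrypt_direction(KEY, INCOMING))

def leak_with_per_direction_keys() -> bytes:
    """Mitigation (assumed derivation): a distinct key per direction derived from
    the shared secret, so the keystreams differ and the same trick yields noise."""
    k_c2s = hmac.new(KEY, b"client->server", hashlib.sha256).digest()
    k_s2c = hmac.new(KEY, b"server->client", hashlib.sha256).digest()
    return recover_other_direction(encrypt_direction(k_c2s, OUTGOING), OUTGOING,
                                   encrypt_direction(k_s2c, INCOMING))
```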
When challenged to reproduce the results with the official WhatsApp client, he continued with the research and demonstrated that official Android and Nokia S60 clients are both vulnerable.
“You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort. You should consider all your previous WhatsApp conversations compromised,” he concluded, adding that WhatsApp users can’t do anything to protect themselves – except to stop using the app until it can be updated to remove the flaws.
Apparently, the solution is easy: the developers should consider using a “solution that has been reviewed, updated and fixed for more than 15 years, like TLS.”