Well, that’s disappointing

WhatsApp3I saw this reputable hacker’s blog entry about the latest in governments joining the hacking game to perform massive scale eavesdropping on our private communications. In this case they’re getting Telcos to exploit loopholes in WhatsApp and Viber mobile chat apps; apps which employee encryption for the sole purpose of securing against this type of thing.

Fundamentally, SSL is considered secure, and most software using it has a very good track record for maintaining privacy against eavesdropping at all times. However, even the best locks are ineffective if you leave the key in the gate.

The following is purely speculative on the weakness in WhatsApp. I have not investigated it, I’ve used WhatsApp as an example to demonstrate the principle of this oversight. There are other possible gaps that could be left in WhatsApp’s implementation which may not be as glaringly obvious as this, but WhatsApp Inc. have refused to confirm otherwise.

The two purposes of SSL are 1) to provide end-to-end encryption and 2) to validate the authenticity of the other end, since there’s no point encrypting if the wrong person is receiving it.

By accepting any SSL certificate the other side gives, some software ignores the second purpose, which actually undermines the first. There’s information in each certificate which says who issued it and where it’s allowed to be used. This information itself is certified as trustworthy through a local database of cryptographically validated signatories. Thereby it’s very easy for software to not only check this information matches expectations, but to also validate its trustworthiness. In fact, there are software modules which developers can plug in so they don’t even need to worry about the details of how it’s done.

Ignoring the validation part leaves the door wide open for Telcos to intercept connections and issue their own certificate.

You’re looking for who? the WhatsApp server? Oh I mean *ahem* sure…. that’s me! Here, have a lolly. It’s not at all poisoned, honest.

The WhatsApp mobile app (allegedly) accepts this, and now encrypts for the Telco instead of for WhatsApp’s servers. Now the Telco gets total visibility of the conversations and is able to archive them indefinitely to retrospectively review should the government become interested in an individual at a later date, as well as to rate conversations in real-time based on undesirable words and flag them for manual review by intelligence agencies. After abusing your privacy, the Telco can send your message on to the WhatsApp server like nothing ever happened.

Besides the unethical acts of a) Modifying customers traffic to fraudulently impersonate WhatsApp’s servers, b) Eavesdropping on peoples private conversations without their knowledge or consent, c) This often being in breach of local laws and constitutional rights, this situation is of course, wide open to abuse and corruption from oppressive political agendas.

The good news is insecure software can plug such gaps fairly quickly to ensure your right to privacy.

Except when they simply don’t care.

As a concerned customer, I contacted WhatsApp to bring this to their attention in the hope of a fix. While I got a very speedy response, they demonstrated an appalling level of apathy which flies in the face of the message they flaunt concerning the privacy and sacredness of our personal communication, as well as the assurances they give about security. Here’s the communication:


I recently read this article on Ars Technica which mentions a Telco performing man-in-the-middle eavesdropping on WhatsApp.


From your FAQ item on security I was lead to believe this should not be possible

As a paying user (several times over) I am concerned for my privacy, particularly when visiting less liberal countries like the one in the article. I would like to see this weakness publicly acknowledged with a plan to track down and fix it. This would restore users confidence in your product. I am a big advocate of WhatsApp, and imho any security improvements you make could be seen as a PR opportunity, particularly if it’s as simple to fix as the “promoted comment” speculates.


The information in the blog post is unverified and unconfirmed. Until we are presented with evidence and data, we will treat the information as false


It would be in your best interest to be proactive about these matters. I would like to have some confidence that WhatsApp cares about security. Aren’t you even going to check if your software performs certificate validation?


(no response)

Me (a few days later):

Can you please confirm whether the WhatsApp client checks the certificate belongs to the WhatsApp server and is signed by a trusted certificate authority?


(no response)

And there you have it. I’ve come to expect a higher standard from companies who deal with our private communications. I’d at least expect some superficial level of concern in the interests of protecting their reputation and profits! Whether their software is secure or not, I certainly can’t in good conscience continue to recommend a company who acts with such nonchalance when their customers raise serious concerns.

UPDATE: I wrote this before the Snowden / NSA leaks. It seems all the discussion is focused on begging the powers that be to change. I say let’s just remove their power by implementing strong encryption by default in all network applications.

UPDATE 2: Crypto vulnerabilities exposed, WhatsApp Inc. still in denial, does not promise to fix.

About these ads

About xlynx

Sometimes I like to meow at inanimate objects.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 104 other followers

%d bloggers like this: