BlackBerry Forums Support Community
              

Old 10-15-2013, 08:13 AM   #1
ZombieBerry
BlackBerry Extraordinaire
 
 
Join Date: Sep 2010
Location: Toronto
Model: Priv
OS: 5.1.1
PIN: 2AB9C463
Carrier: WIND
Posts: 2,365
Default Whatsapp Privacy Snafu


WhatsApp crypto snafu drops trou on users' privates

Mobile messaging service WhatsApp came in for criticism over the robustness of its cryptography last week after a fix for a January security snafu was slammed for not being robust enough.

Back at the beginning of the year WhatsApp was investigated in Canada and the Netherlands for indefinitely retaining users' email address book data that it snaffled when they joined the service.

It was also criticised for generating cryptographic keys from data such as a mobile phone's IMEI (International Mobile Equipment Identity) number or their network MAC (Media Access Code) addresses.

The IMEI number is programmed into a mobile phone during the manufacturing process. Under certain circumstances it can be broadcast in clear text messages from a phone. They are a terrible choice for passwords because every network packet has the MAC address within it.

WhatsApp revised its encryption in the wake of these criticisms. However, a review of the fix by Dutch mathematics and computer science student Thijs Alkemade has revealed that WhatsApp's approach, while improved, remains deeply flawed.

WhatsApp generates a session key that it uses to initialise a stream cipher. But the same cipher stream is used for both outgoing and incoming messages.

This is a cryptographic mistake akin to using a one-time pad more than once, which creates serious security shortcomings in the system, as Sophos security researcher Paul Ducklin explains:

"A stream cipher works as a pseudorandom number generator, emitting an unpredictable string of bytes that you XOR with the plaintext to encrypt," Ducklin writes on Sophos' Naked Security blog. "In other words, you mustn't use the same string of bytes to encrypt anything else, because that would make it predictable, and that is a cryptographic disaster."

"A stream cipher works like a pseudo one time pad. A crypto-system that relies on a string of hardware random numbers to create an unbreakable cipher if – and only if – the pad is used just once," he added.

In addition, WhatsApp uses the cryptographically flawed RC4 cipher instead of more robust alternatives.

The upshot is that, as things stand at the time of writing, anyone capable of eavesdropping on your WhatsApp connection would also be able to decrypt messages with minimal difficulty.

Ducklin advises WhatsApp users only to use the service for messages they are happy to be considered public until a more robust encryption scheme is introduced.

Alkemade, the Dutch researcher who created a buzz in the security community by publicising the flaws last week, suggests that WhatsApp should use Transaction Layer Security, or TLS – the same end-to-end encryption used by secure websites.

Michael Sutton, director of security research at Zscaler, criticised WhatsApp for basic cryptographic mistakes.

"WhatsApp made a very basic error when implementing their message encryption by leveraging the same encryption key for both incoming and outgoing messages," Sutton said. "While compromise of the flaw is not simple, it is quite possible and as such, WhatsApp communication cannot be considered secure until this issue is addressed. It is not yet clear if the implementation flaw is uniform across all WhatsApp implementations but for now, all implementations should be considered insecure."

The Register forwarded these criticisms to WhatsApp last week, inviting it to comment. We are yet to hear back. So it's unclear whether or not WhatsApp acknowledges that there's a problem, much less how and when it might deliver a fix.

A successful social engineering attack last week against domain name firm Network Solutions, used by WhatsApp, meant that the messaging app was one of a number of firms to suffer a DNS hijack attack in turn. Surfers attempting to visit its site were redirected to a pro-Palestinian propaganda website instead.

While that particular problem was resolved within hours on Tuesday, the crypto problem may take a far greater effort to resolve.

Source: theguardian.co.uk
__________________
fere libenter homines id quod volunt credunt
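
An added example, not part of the original post or of WhatsApp's code: it shows why one RC4 keystream shared by both directions leaks the XOR of the two plaintexts, and that deriving a separate key per direction removes that relation. The session key, messages, direction labels and the HMAC-based `direction_key` helper are constructed assumptions.

```python
import hashlib
import hmac

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, rc4_keystream(key, len(plaintext)))

def direction_key(session_key: bytes, label: bytes) -> bytes:
    # Hypothetical mitigation helper: one independent key per direction.
    return hmac.new(session_key, label, hashlib.sha256).digest()

# Constructed sample values, not captured traffic.
SESSION_KEY = bytes(range(16))
OUTGOING = b"meet at the usual place at 9"
INCOMING = b"ok, see you there, bring ID!"

def shared_stream_leaks() -> bool:
    # Flawed design: both directions start the cipher from the same key,
    # so the keystream cancels and ciphertexts XOR to plaintexts XOR.
    c_out = encrypt(SESSION_KEY, OUTGOING)
    c_in = encrypt(SESSION_KEY, INCOMING)
    return xor(c_out, c_in) == xor(OUTGOING, INCOMING)

def split_streams_leak() -> bool:
    # Same check with per-direction keys: the relation no longer holds.
    c_out = encrypt(direction_key(SESSION_KEY, b"client->server"), OUTGOING)
    c_in = encrypt(direction_key(SESSION_KEY, b"server->client"), INCOMING)
    return xor(c_out, c_in) == xor(OUTGOING, INCOMING)

if __name__ == "__main__":
    print("shared keystream leaks p1^p2:", shared_stream_leaks())
    print("per-direction keys leak p1^p2:", split_streams_leak())
```

RC4 is kept in the second case only to isolate the keystream-reuse problem; it does not address RC4's own weaknesses or add message integrity.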
Old 10-19-2013, 11:25 PM   #2
daphne
BBF Spam Killer Moderator
 
 
Join Date: May 2007
Location: on a sunny beach
Model: Paspt
OS: 10.3.0.90
PIN: X1ZPY34K
Carrier: VZW but not for long
Posts: 9,176
Default Re: Whatsapp Privacy Snafu

WhatsApp has had this issue, or a similar issue with privacy, for a long time.
WhatsApp privacy practices under scrutiny | Security & Privacy - CNET News

I posted this link here over a year ago iirc.
WhatsApp is broken, really broken | fileperms
__________________
Report spam text messages to 7726
#BlackBerry by choice
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.