A security researcher said he has found an encryption flaw that makes it possible for adversaries to decrypt communications sent with WhatsApp, a cross-platform smartphone app that processes as many as 27 billion instant messages each day.
WhatsApp developers say messages are “fully encrypted,” and company CEO Jan Koum told Ars that Tuesday’s vulnerability report is “sensationalized and overblown.” But a computer science student at Utrecht University in the Netherlands—and several cryptographers who have reviewed his work—said the app appears to contain long-documented weaknesses, including the use of the same encryption key on both sides of a conversation. As a result, they said, it’s not hard for cryptographers to decrypt WhatsApp messages that travel over Wi-Fi networks or other channels that can be monitored.
“You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort,” Utrecht computer science and mathematics student Thijs Alkemade wrote in a blog post published Tuesday. “You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this… except to stop using it until the developers can update it.”
Alkemade posted this follow-up that documents the vulnerable crypto scheme in the Android version of WhatsApp. He said he suspects that other versions of the app behave similarly. Several cryptographers with no ties to Alkemade who have reviewed the posts said the findings are serious.
“It’s an extremely bad flaw that lots of people know how to exploit,” Thomas Ptacek, a recognized security consultant and cryptographer, wrote in a discussion on Twitter. “The attacker does not need to be in the middle or to have any influence over the messages.” Most recently, Ptacek was one of the researchers behind a heavily attended talk at the Blackhat security conference imploring cryptographers to transition to newer forms of encryption.
For their part, however, WhatsApp officials downplayed Alkemade’s assessment.
“WhatsApp takes security seriously and is continually thinking of ways to improve our product,” company CEO Koum wrote in an e-mail to Ars. “While we appreciate feedback, we’re concerned that the blogger’s story describes a scenario that is more theoretical in nature. Stating that all conversations should be considered compromised is inaccurate. Basically, this is sensationalized and overblown. Please report responsibly and do research that goes beyond twitter-sphere. We have a company to run. Back to work.”
Alkemade said cryptographers have already devised attacks that exploit the type of mistakes made in the WhatsApp apps. He cited this research paper from 2006, which made it possible to decrypt short messages in seconds with 99-percent accuracy when researchers could predict small parts of the plaintext hidden inside the encrypted payload. The technique works by analyzing “example data” so that messages can be predicted accurately. The analysis took several hours but only needed to be performed once.
“The described algorithm probably took days, if not weeks, to implement, Alkemade wrote in an e-mail. “But the implementation they’ve written should be general enough to work for WhatsApp messages, too.”
What’s more, instant messages usually contain hidden headers and greetings such as “Sup?” or emoticons such as “;-)”. That means much of the plain-text included in most WhatsApp messages may already be known or easily guessed.
The attack works by passively observing an encrypted message passed between a phone and server. The adversary then collects later messages and combines them using the exclusive or (xor) mathematical operation. The result: much of the plaintext can be plucked out of the encrypted streams. Similar attacks were developed in the 1990s to defeat the Microsoft-developed Point to Point Tunneling Protocol, which remains widely used in many products despite the availability of off-the-shelf exploits. WhatsApp appears to be making a similarly critical mistake by repeating the same key passing two or more messages through the same RC4 cryptographic algorithm, Matt Green, a professor specializing in cryptography at Johns Hopkins University, told Ars.
“It’s a well-known problem if you use the same key to encrypt two different messages—that means if you generate the same RC4 bits, and you’re xor’ing them with two different messages,” he said, “then the attack that you can run is you can just take both of the resulting cipher texts, and you can xor them together, and… all the RC4 bits vaporize. They cancel out, and they leave you with the xor of the two different messages that you encrypted.”