A computer security expert has just discovered a serious flaw in WhatsApp’s crypto infrastructure, and has immediately set about warning users to stay away until the developers fix the problem.
Thijs Alkemade, a computer science researcher at Utrecht University, Netherlands, carried out an extensive research into encryption methodology used by WhatsApp, world’s most popular instant messaging and sharing service. In a blog post this Tuesday, Alkemade stated why the use of same encryption keys for both client and server would allow cryptographers to decipher WhatsApp-bound data.
Alkemade showed how the authentication process takes place at WhatApp, and how a data decryption attack works by passively observing an encrypted message passed between a phone and server. The first encryption loophole is the use of similar keys for all the incoming and the outgoing RC4 stream taking place between client and server. This makes it possible for a cryptographer to cancel the key stream out and get all data in plain-text. The second problem lies with the use of HMAC key for encryption. As Alkemade suggests, this key can only authenticate messages; it is not able to respond to specific messages dropped by an attacker, or when messages are swapped or returned to the sender. It is for this reason that security experts advocate the use of advanced cryptographic protocols such as TLS for optimal VoIP and communications security over the internet.
To further prove the threat, Alkemade cites a 2006 research paper by Mason et. al, that presents an account of how researchers deciphered encrypted data with 99% accuracy by closely analyzing how described encryption algorithms worked.
But WhatsApp developers and managers categorically mark this issue as being no more than a hoax. WhatsApp CEO, Jan Koum, is heard to have said that vulnerability reports like these are ‘sensationalized and overblown’. Responding further to the encryption issue, Jan Koum says that Alkemade’s fear of WhatsApp security is devoid of rationality and accuracy. The following user query on the WhatsApp helpdesk attests this, clarifying that all conversations on WhatsApp are 100% secure and encrypted.
What PureVPN has to say about this?
This is not the first of its kind flaw discovered in WhatApp, but it is definitely the most threatening, because it can virtually expose one’s identity and privacy to any creep, gang of cyber criminals, or secret hacking wings of foreign governments. At PureVPN, we know how data snoopers play with encryption, and we know that the RC4 methodology used by WhatsApp is outdated and prone to hack attacks and malware. To keep you safe from vulnerable servers and encryption methods used by this app, we recommend the use of a VPN.
A VPN routes your data through remote servers using sophisticated data encryption methods and data tunneling protocols, so that no data sniffer (even supercomputers!) can ever decipher any of your WhatsApp activity. Secure your smartphone, and your privacy, by having a good Android VPN or an iOS VPN installed.