Encryption flaw in WhatsApp could allow attackers to decrypt messages
A major design flaw in the cryptographic implementation of the popular WhatsApp chat application could let attackers decrypt messages, should they succeed in intercepting them. The vulnerability was discovered by Thijs Alkemade, a student at Utrecht University in the Netherlands and also the lead developer of the open source Adium chat client for Apple's OS X operating system.
The crux of the matter is that the same RC4 encryption key is used to encrypt both incoming and outgoing data between a WhatsApp client and the server. "RC4 is a PRNG that generates a stream of bytes, which are xored with the plaintext that is to be encrypted," writes Alkemade. "By xoring the ciphertext with the same stream, the plaintext is recovered." Because both directions are XORed with the same stream, XORing an intercepted incoming ciphertext with an outgoing one cancels the stream and leaves the XOR of the two plaintexts.
Alkemade told Computerworld that he did not contact WhatsApp before publicly disclosing the issue. "I thought that it's important for people to know that WhatsApp is not secure and I didn't expect them to fix it rapidly," he explained. In the meantime, Alkemade has posted a proof of concept based on WhatsPoke, which is an open source WhatsApp desktop client and API built by reverse engineering the WhatsApp protocol.
The Fierce Take: This is hardly the first time an implementation mistake has resulted in weakened encryption. Earlier this year, Cisco admitted that an encryption algorithm used to encrypt passwords on recent versions of the Cisco IOS operating system is actually weaker than the one it was designed to replace. While cryptographic features are typically encapsulated in libraries and are easily accessed through their APIs, enterprises that make the effort to train their programmers in the proper use of cryptographic techniques can go a long way towards eliminating such unnecessary flaws.
- check out this article at xnyhps' blog
- check out this article at Computerworld