What's Up with WhatsApp? A Gaping Security Hole

WhatsApp is feeling down.

The multi-platform instant-messaging app for smartphones isn't as secure as it's supposed to be, according to an analysis published by a Dutch computer-science student.

WhatsApp uses a stream cipher, a sort of random number generator, to generate a long, random key with which to encrypt a conversation.

The problem is that WhatsApp uses the same key for all incoming and outgoing messages in a single conversation.

MORE: How to Use WhatsApp Messenger

So if snoops were able to capture the encrypted data from that conversation, they could just compare the incoming and outgoing messages, and as long as they knew (or could guess) some part of one of the messages, they could cancel out the mathematical similarities — i.e. the encryption key— between the two.

That would give them the unencrypted text of both sides of the conversation.

This technique works because stream ciphers are all about random numbers — and if you use the same number more than once, it's no longer random.

Instead, the number becomes a pattern, and relatively basic math will find the pattern and crack WhatsApp's encryption implementation wide open.

The vulnerability was discovered by Thijs Alkemade, a graduate student in mathematics and computer science at Utrecht University in the Netherlands, who wrote up his analysis on his blog.

WhatsApp disputed Alkemade's findings.

"Stating that all conversations should be considered compromised is inaccurate," wrote WhatsApp's CEO, Jan Koum, in an email to the tech blog Ars Technica. "Basically, this is sensationalized and overblown. Please report responsibly and do research that goes beyond Twitter-sphere. We have a company to run."

Others disagree with Koum's assessment. Several security experts unaffiliated with Alkemade have reviewed the student's work and found it to be credible.

According to Thomas Ptacek of Chicago-based Matasano Security, the same bug occurred in an algorithm called the Point to Point Tunneling Protocol, which was developed by Microsoft in the 1990s.

"It's an extremely bad flaw that lots of people know how to exploit," Ptacek tweeted.

Alkemade suggested in his analysis that WhatsApp could easily fix the problem by switching to a security protocol called Transport Layer Security, a tried-and-true method of encrypting information in transit that is used on much of the Internet.

As Naked Security blogger Paul Ducklin put it, "Why reinvent a square wheel when there's a well-known and well-studied round one you can roll out instead?"

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Create a new thread in the Streaming Video & TVs forum about this subject
This thread is closed for comments
Comment from the forums
    Your comment
  • monsta
    Whats app used to be cool before it got spammed by supermarkets here, you write to the Whatsapp support team about it and all you get is a stupid auto generated message telling you how to install it. Their support lacks any human factor and is useless.
    I've deleted it now, and no longer use it due to the amount of spam and lack of customer support.
  • amk-aka-Phantom
    WhatsApp is garbage for people who still are not aware of Google Talk/Hangouts and Skype.
  • dark_knight33
    Haha... She said gaping.

    OK, serious face now.

    What makes you think Instant messaging on *any* platform is safe? If the NSA or anyone else wants to spy on my wife bitching about her co-workers, or me making inappropriate propositions to her while she's at work, I'm not gonna worry about it. What's app never gave me any confidence it was some how less *gaping* (haha) than Verizon.