Researchers Able To Intercept Unencrypted Viber Data
A lack of encryption puts Viber images, videos and location data at risk, warns University of New Haven
Researchers at the University of New Haven have exposed a number of security flaws in popular mobile VoIP and instant messaging application Viber that could allow an attacker to obtain images, videos and location data.
The university’s Cyber Forensics Research and Education says such information is stored in an unencrypted format on Viber’s Amazon servers, is not deleted immediately and can be easily accessed without any authentication mechanism.
“Anyone, including the service providers, will be able to collect this information – and anyone that sets up a rogue access point, or any man-in-the middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone,” the researchers warned.
Viber vulnerability
To test their theory, the group conducted an experiment. They set up a rogue access point using the Windows 7 Wi-Fi miniport adapter feature and were able to capture information sent between two smartphones using tools such as NetworkMiner, Wireshark, and NetWitness.
The researchers say they sent information about the flaw to Viber, but received no response, which is why they have released their findings to the public. It has called on the service to make sure data is encrypted when it is being sent and saved and to require authentication when it is being accessed to prevent more sinister groups from exploiting the vulnerability.
The discovery is a blow for Viber, which was recently acquired by Japanese e-commerce firm Rakuten, and is hoping to better compete with rivals such as WhatsApp and Skype. Earlier this week it launched a refreshed version of its iOS application and released a client for BlackBerry 10.
It’s not the first security scare to affect the service, after the Syrian Electronic Army (SEA) hacked Viber’s support page, with user data, including the IP address, country and device type, compromised although the company insisted that sensitive user data was not taken.
What do you know about the smartphones of 2013? Take our quiz!