WhatsApp Users ‘Should Not Trust Broken Encryption’

WhatsApp encryption does not work in a secure way and users should consider all their previous communications compromised, a European researcher has claimed.

One problem uncovered by Thijs Alkemade, a computer science student at Utrecht University, was that the massively popular communications app was using the same RC4 encryption key in both directions.

Because of the way RC4 works, this would allow an attacker to look at how the XOR operation used by the standard is working in both ways, in order to reveal bits of the plain text.

WhatsApp encryption flaws

In encryption, XOR works by applying a string of bytes to the binary digits that need to be protected. Where two bits are the same a 0 is produced; where one is different to the other, a positive 1 is produced. The resulting string is thus encoded. Applying the XOR to that resulting string then decodes it.

In the case of WhatsApp, an attacker could get hold of two messages using the same RC4 key and figure out how the encryption is working to crack it, according to the researcher.

“As WhatsApp uses the same key for the incoming and the outgoing RC4 stream, we know that ciphertext byte i on the incoming stream XORed with ciphertext byte i on the outgoing stream will be equal to XORing plaintext byte i on the incoming stream with plaintext byte i of the outgoing stream. By XORing this with either of the plaintext bytes, we can uncover the other byte,” Alkemade said.

He found further problems in the authentication of WhatsApp messages, surrounding the use of MACs.

“A MAC by itself is not enough to detect all forms of tampering: an attacker could drop specific messages, swap them or even transmit them back to the sender,” Alkemade added

“TLS counters this by including a sequence number in the plaintext of every message and by using a different key for the HMAC for messages from the server to the client and for messages from the client to the server. WhatsApp does not use such a sequence counter and it reuses the key used for RC4 for the HMAC.”

Whilst he was unsure whether that could be exploited, Alkemade claimed anyone who can intercept WhatsApp messages could decrypt them “given enough effort”.

WhatsApp had not responded to a request for comment.

This isn’t the first time users have poked holes in WhatsApp security. Security researcher Troy Hunt uncovered some SSL encryption weaknesses in the payment processing of the application, which could have exposed users’ details.

“Anyone using WhatsApp for sensitive communications probably needs their head examined. It’s hardly had a spotless record when it comes to security,” security expert Graham Cluley told TechWeekEurope.

Earlier this week, WhatsApp had its homepage defaced by pro-Palestinian attackers.

Are you a pedant on privacy? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

11 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

13 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

14 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

15 hours ago