A bit back WhatsApp was take to task for using your IMEI as your password allowing for anyone who can eavesdrop on your conversation (public Wi-Fi?) read everything you send. They fixed that and now it seems like they have walked into another predictable issue using RC4 encryption with the same keys in both directions. I have always assumed that WhatsApp was pretty insecure but now Thijsalkema has proven that WhatsApp is guilty of two big encryption mistakes. Mainly they use the same RC4 stream cipher in both directions and the same HMAC key. He also details a proof of concept of the vulnerability on Android and S60. He goes on to conclude that:
You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort. You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this but except to stop using it until the developers can update it.
There are many pitfalls when developing a streaming encryption protocol. Considering they don’t know how to use a
xorcorrectly, maybe the WhatsApp developers should stop trying to do this themselves and accept the solution that has been reviewed, updated and fixed for more than 15 years, like TLS.
Adam over @CrackBerry was kind enough to reach out to BlackBerry’s head of BBM, Andrew Bocking, who had this to say:
I can’t really speak to all of the technical aspects of the WhatsApp system. However people can rest assured that BBM remains a trusted private social network. Where other services may be vulnerable to unwanted snooping or eavesdropping, BBM increasingly uses standard TLS deployment to remove that vulnerability from our service. TLS is a well-known, well-studied protocol. To put it in every day context, this is the same technology used for internet banking.
That just goes to show that Andrew needs to really iron out those bugs in cross platform BBM that botched the launch. We all know by now that cross platform BBM was not ready when they tried launching it before but it looks like we may see it soon.