
Piercing Through WhatsApp’s Encryption - xnyhps
https://blog.thijsalkema.de/blog/2013/10/08/piercing-through-whatsapp-s-encryption/
======
tptacek
A lot of cryptographic mistakes people make, you can blame on the 1990s. For
instance, the ubiquitous CBC padding oracle (most recently of TLS "Lucky 13"
fame) is the product of MAC-then-encrypt constructions, where attackers are
given the privilege of manipulating ciphertext without having it checked by a
MAC. We didn't have a mathematical proof to tell us not to do MAC-then-encrypt
until _after_ the 1990s. So if you have that bug, you might consider blaming
the 1990s.

But using the same RC4 key in both directions of an encrypted transport isn't
just a bug known in the 1990s; it is the emblematic cryptographic attack of
the 1990s, the one crypto flaw that even non-crypto pentesters could reliably
deploy. For instance, bidirectionally shared RC4 keys broke the Microsoft VPN
scheme, a bug discovered by Peter "Mudge" Zatko when there was still a L0pht
Heavy Industries.

So my point is, this is a bit sad.

I should add, recycling the keystream of a stream cipher is worse than he
makes it sound. The attack he's describing is called "crib dragging" and
implies that an attacker has access to plaintext. But attackers don't need
access to plaintext to attack repeated-key XOR, which is what a set of
ciphertexts encrypted under the same stream cipher keystream works out to be.

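A worked illustration of the keystream-reuse point above, added here as an example; it is not code from the blog post, from tptacek, or from WhatsApp. It assumes nothing about WhatsApp's protocol beyond what the comment states (one RC4 key used for both directions). The key, the two messages, and the HMAC-based per-direction key derivation shown as the fix are all constructed for the demo.

```python
import hmac
import hashlib

# Added example, not code from the blog post or from WhatsApp: it shows why
# using one RC4 key for both directions of a transport turns the two streams
# into a "two-time pad". Key and messages below are constructed for the demo.


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA then PRGA), returning n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed session key and the two halves of a conversation.
KEY = b"one-key-used-in-both-directions"
CLIENT_TO_SERVER = b"hey, are we still meeting at the cafe tonight?"
SERVER_TO_CLIENT = b"yes! see you there around seven, bring the notes"


def encrypt_both_directions(key: bytes = KEY):
    """The flaw: both directions start RC4 from the same key, so byte i of
    each ciphertext is XORed with the same keystream byte."""
    ks = rc4_keystream(key, max(len(CLIENT_TO_SERVER), len(SERVER_TO_CLIENT)))
    return xor(CLIENT_TO_SERVER, ks), xor(SERVER_TO_CLIENT, ks)


def keystream_cancels(c1: bytes, c2: bytes) -> bytes:
    """c1 ^ c2 == p1 ^ p2: the keystream drops out without being recovered."""
    return xor(c1, c2)


def crib_drag(p1_xor_p2: bytes, crib: bytes):
    """Known-plaintext attack ("crib dragging"): slide a guessed word along
    p1^p2. Wherever the guess is right, the result is the other side's
    plaintext at that offset, so keep offsets whose result is printable."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        guess = xor(p1_xor_p2[off:off + len(crib)], crib)
        if all(0x20 <= b < 0x7F for b in guess):
            hits.append((off, guess))
    return hits


def space_candidates(p1_xor_p2: bytes):
    """No plaintext needed: ASCII space (0x20) XOR a letter is that letter
    with its case flipped, so a letter-valued byte in p1^p2 means one side is
    a space and the other side is that letter. Returns offset -> letter. The
    attacker still has to decide which side holds the space, and punctuation
    XOR a letter can also land on a letter, so treat these as candidates to
    confirm against neighbouring offsets rather than as certainties."""
    cands = {}
    for i, b in enumerate(p1_xor_p2):
        if b < 0x80 and chr(b).isalpha():
            cands[i] = chr(b ^ 0x20)
    return cands


def encrypt_separate_directions(key: bytes = KEY):
    """The fix for the reuse bug: derive an independent key per direction
    (HMAC-SHA256 as a KDF here, a constructed choice), so the two keystreams
    are unrelated and c1 ^ c2 no longer equals p1 ^ p2. RC4 itself is kept
    only to stay on the thread's topic; it has its own well-known biases."""
    k_c2s = hmac.new(key, b"client->server", hashlib.sha256).digest()
    k_s2c = hmac.new(key, b"server->client", hashlib.sha256).digest()
    return (xor(CLIENT_TO_SERVER, rc4_keystream(k_c2s, len(CLIENT_TO_SERVER))),
            xor(SERVER_TO_CLIENT, rc4_keystream(k_s2c, len(SERVER_TO_CLIENT))))


if __name__ == "__main__":
    c1, c2 = encrypt_both_directions()
    x = keystream_cancels(c1, c2)
    print("crib ' the ':", crib_drag(x, b" the "))
    print("space candidates:", space_candidates(x))
```

Running the script shows the crib ` the ` landing at offset 28 (revealing `ven, ` from the server side) and at offset 38 (revealing `tonig` from the client side), while `space_candidates` recovers letters such as `u`, `s` and `g` at offsets 11, 12 and 37 without any plaintext at all; the same calls against `encrypt_separate_directions()` return nothing usable.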
~~~
dmix
A good question is how the engineer implemented a half-baked crypto system
with 1990s-style flaws in the first place, considering the startup is
relatively well funded.

Ignorance? Lack of research? Lack of industry best standards?

This seems to keep happening all the time.

Although most programming in general is full of hackery and rookie code used
in production. So that itself isn't alarming. I'm just curious whether the
security industry itself is particularly in need of better communication of
best practices and things to avoid.

Maybe more work with designers/writers to create online guides is needed.

~~~
mahyarm
From my experience, it's because security is a half-baked priority #50 usually
at startups. A sum total of a week was probably spent by some back-end
engineer 2 years ago on message security since it's not a selling point.

They probably record every single message too since storage without
transmission is cheap and avoids a class of bugs with deletion. The stored
histories could become a business advantage later to mine chat histories for
marketing and advertising data like facebook, twitter, google and everyone
else. They say they charge now to avoid a marketing-driven approach, but cable
TV made similar promises in its starting days too.

Also they run on such platforms as BlackBerry, Nokia S40 devices, Windows
Phone and Symbian, where plopping in some C crypto library probably wasn't
practical. From what I know, most crypto libraries are written in some C family
language, or you have BouncyCastle for Java. Everything else is relatively
obscure or broken. So something they could roll by themselves might have been
what they had to choose from.

For many companies, security is something you do the motions for like you
would with government paperwork and compliance, not necessarily because it's
important to you. Unfortunately the average person only cares about door lock
security, not real crypto secured products.

~~~
martinraag
WhatsApp is over 4 years old with over 300 million (claimed) active users. I
would expect them to have addressed security by this point. Especially after
their previous blunders, I'd imagine hiring a security expert or having a
third party audit their code being on the top of their list. Apparently not.

I think these news and concerns often don't make their way to a bulk of their
users, who probably aren't very tech savvy. If they don't see any user
defection as a result of these issues being uncovered, then I'm not surprised
about their lax stance on security.

~~~
mahyarm
I think companies start addressing things like security more seriously when
they start becoming 'comfortable' companies. Which means securely profitable.
Security is higher on the pavlov pyramid of software company needs than 'is a
viable business'. I doubt WhatsApp is securely profitable, or flip a switch
profitable like amazon.com.

When you are not viable as a business new features or begrudgingly addressing
the huge amount of technical debt you generated in your early days so you can
deliver new features faster is what you focus on. WhatsApp will only address
security when it threatens the viability of their business, which by that time
will probably be too late.

------
PakG1
Here's what I'm sad about. Does every single web and mobile app that gets made
by anyone these days now require an extensive knowledge of how to do security
right? If so, that sucks, given how big the field is. Or do we all need to go
and hire tptacek for a quarterly security audit? I imagine that can get quite
expensive. It really gets in the way of just making things and putting them
up; I think it kind of kills the spirit of creation and entrepreneurship. :( I
mean, it's great for people who are truly interested in security, but what if
you're not? Are you doomed to fail at the startup game if you don't know
security well?

~~~
sthatipamala
I've been told to just use NaCl
([http://nacl.cr.yp.to/](http://nacl.cr.yp.to/)) and its related libraries in
other languages. Apparently it "just works" for most basic crypto.

What's harder is systems security, which you can't just abstract away into a
library.

~~~
riquito
Does NaCl automagically solve the problem of streaming encrypted data? I
don't think so. You still have to know quite a lot to not mess up.

~~~
tptacek
Yes, NaCl automagically solves this problem. No, you don't have to know
anything not to mess NaCl up. That is the premise of the library.

------
chmars
In other news, WhatsApp's website got hacked, well, defaced this morning:

Screenshot: [http://i.imgur.com/wY2zDl7.jpg](http://i.imgur.com/wY2zDl7.jpg)

Source (German): [http://stadt-bremerhaven.de/server-von-whatsapp-gehackt/](http://stadt-bremerhaven.de/server-von-whatsapp-gehackt/)

~~~
sdoering
Well, the update says it was the DNS servers that got "hacked", not the
WhatsApp servers. Not that this makes me like this thing any better, but I
thought the correct info should be put into the discussion. ;-)

~~~
chmars
I wasn't aware of this important difference, thank you!

------
nasalgoat
I'm surprised they'd make such a rookie mistake when there are hundreds of
good encryption methods online to crib from, just a Google search away.

~~~
dobbsbob
Or spend the money to hire somebody who knows what they are doing. WhatsApp
has 300 million monthly users and charges $0.99 per year; I'm sure they can
afford somebody.

~~~
Al-Khwarizmi
We are talking about a company that makes a crappy product with obvious and
blatant limitations (such as not being able to use the same account in
different devices, or with different SIMs, or on an iPad, let alone on a PC...
and if you have a bad connection messages can arrive out of order - is it so
hard to use timestamps? Why are messaging apps getting wrong things that IRC
was doing fine back in the 80's?)

To be honest, I'm not surprised.

~~~
thirdsun
Yes, everything they do feels rather sloppy - of course that doesn't stop any
of my "normal" friends from almost requiring it for any kind of messaging. A
necessary evil in my opinion.

------
skion
I love how exactly this mistake is covered in detail in the first week of Dan
Boneh's crypto course:

[https://class.coursera.org/crypto-008/class](https://class.coursera.org/crypto-008/class)

The Russians made the same mistake in WWII, but WhatsApp shows the relevance
today.

------
frank_boyd
[https://heml.is/](https://heml.is/) currently looks like the best concept of
a solution to the problem - if they keep their promise:

> Will it be Open Source?

> We have all intentions of opening up the source as much as possible for
> scrutiny and help!

But it's not done yet.

~~~
NKCSS
And it only targets iOS and Android...

~~~
Sami_Lehtinen
Which are both bad platforms if you want to maintain privacy.

~~~
frank_boyd
Exactly. And it sucks donkey balls.

------
SnaKeZ
Alternative...Google Hangouts?

~~~
scott_karana
More secure in a sense, but why should anyone need to give the keys to their
instant messaging castle to Google?

I'm shocked that a startup with a similar approach to WhatsApp hasn't made a
reasonably rigorous application yet.

~~~
frank_boyd
> why should anyone need to give the keys to their instant messaging castle to
> Google?

Equivalent to cc'ing the NSA.

~~~
pathy
Let's be honest, I'd rather have the NSA snoop on my texts than a
criminal. Both are bad, but the NSA is at least slightly better.

~~~
frank_boyd
The trick is to let _nobody_ snoop on your texts.

~~~
pathy
Which, as we can see in the GP, is hard ;).

WhatsApp - broken encryption
Google Hangouts - NSA
Texts - NSA (and others)
Facebook Messenger - NSA
iMessage - probably NSA, though I don't know.

and so forth. Most commonly used text services are woefully leaky.

