WhatsApp is no longer just another instant messaging application; it is becoming a true social phenomenon. It is used by all kinds of users and it handles two billion messages per day.
In fact, not using it may even lead to social exclusion, as people who do not use it become ‘expensive’ friends in the eyes of others and might see the number of calls and messages they receive from friends drop drastically.
Leaving aside these questions, today most smartphone users use WhatsApp and, despite its tremendous popularity, security experts have brought to light other not-so-good aspects of the app, mainly the level of communication security provided by it.
Until recently, messages sent through the WhatsApp service were not encrypted. Thus, it was fairly simple to see the messages sent by other users as long as you were connected to the same network as them (for example, a public Wi-Fi network). To fix this, at the end of August a new version of WhatsApp was released which included message encryption to ensure the privacy of users’ communications.
However, it has been demonstrated that the encryption used is not robust enough, so it is still possible to intercept communications even with this new version.
The problem stems from the fact that the encryption key used by WhatsApp for Android is an MD5 hash of the phone’s IMEI number in reverse format; that is, if you calculate the MD5 hash of your phone’s IMEI number and write it from right to left instead of from left to right, you’ll obtain the encryption key used by WhatsApp, and therefore will be able to decrypt the messages sent through the service. Additionally, on iOS devices (iPad/iPhone), WhatsApp creates its encryption key simply by doubling the Wi-Fi interface’s MAC address and generating an MD5 hash from it.
Many voices claim that WhatsApp is insecure, but how risky is it really?
For a user to be able to intercept and decrypt the messages you send via WhatsApp, the following conditions must be met:
- They must be connected to the same Wi-Fi network as you. For example, a public Wi-Fi network.
- They must know your phone’s IMEI number (which is not easy).
- They should have sufficient computer knowledge to be able to capture network traffic, calculate the MD5 hash of your IMEI number and decrypt the messages.
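The key derivation described above, written out as an added example (not code from WhatsApp or from this article) to show why such a key is weak: it is fully determined by a device identifier, and hashing adds no entropy. The identifiers are constructed samples, the MAC string format is an assumption, and `random_key` is a hypothetical contrast using a key that is not tied to the device.

```python
import hashlib
import math
import secrets

# Constructed sample identifiers, not taken from any real device.
SAMPLE_IMEI = "490154203237518"
SAMPLE_MAC = "00:11:22:33:44:55"  # string format is an assumption


def android_key(imei: str) -> str:
    """MD5 of the IMEI, hex digest written right to left (as the article describes)."""
    return hashlib.md5(imei.encode("ascii")).hexdigest()[::-1]


def ios_key(mac: str) -> str:
    """MD5 of the Wi-Fi MAC address doubled (as the article describes)."""
    return hashlib.md5((mac + mac).encode("ascii")).hexdigest()


def max_entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the entropy of an identifier of `length` symbols."""
    return length * math.log2(alphabet_size)


def random_key() -> str:
    """Contrast: a 128-bit key from the OS CSPRNG, unrelated to the device."""
    return secrets.token_hex(16)


def report() -> dict:
    return {
        "android_key": android_key(SAMPLE_IMEI),
        "ios_key": ios_key(SAMPLE_MAC),
        # Hashing cannot add entropy: the key is no stronger than its input.
        "imei_max_bits": round(max_entropy_bits(10, 15), 1),  # 15 decimal digits
        "mac_max_bits": round(max_entropy_bits(16, 12), 1),   # 12 hex digits
        "random_key_bits": 128,
        "random_key": random_key(),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Running it twice prints the same two derived keys each time, while the random key changes on every run.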
Once you know the risks, you just have to take some basic security measures to continue using the app without compromising your privacy:
- Avoid using WhatsApp on public Wi-Fi networks (airports, cafés, etc.). You never know who may be listening.
- Use certain basic security measures with your own Wi-Fi network. This way, you will prevent other users from connecting to it without your consent.
Note: Refer to your router user guide for more information on how to apply the following recommendations, as instructions may vary between router manufacturers:
- Change the default password of your router or Wi-Fi access point.
- Secure data transmission by enabling WPA/WPA2 encryption.
- Enable MAC address filtering.
9 comments
I don’t use this app but I appreciate that clear and objective point of view on such a security issue.
I am an irregular user of WhatsApp, but this post captured my attention.
Good analysis, balanced point of view and clear guidelines for recommendations – I like your post, thanks!
This information is WRONG! You just need two pieces of data to impersonate anyone; and you don’t have to be a pro, just use this website: http://whatsapp.filshmedia.net/
Here’s a better account of the situation: http://wnstnsmth.net/blog/2012/09/whats-up-with-whatsapp-a-summary-of-the-recent-security-flaws-for-the-ignorant-user
See guys, don’t use this app. If you send an image through it, it will not be the same size at the receiver’s end; the size gets converted. It clearly shows that your image is stored on their server, which is a very dangerous thing for your personal data. Please be safe.
This app is simply also damn good for the PC. Wish they created it much easier to set up that it upon the computer.
I have had to pay twice this year to fix my computer, more than I paid Panda to remove the FBI Virus (ransom). Is Panda going to fix this or do we have to change to a different virus protection? It is getting costly on top of the Panda subscription.
Jose Muriel
jmuriel1@satx.rr.com
This is really amazing.