Thailand infosecurity consultancy ACIS has published a paper detailing the security failings of Naver’s LINE instant messaging app. Researchers confirmed that LINE turned off encryption when on cellular data and went further to list all the information they could pick up from looking at the intercepted data stream.
Voice messages were uploaded via plain http in an unencrypted m4a format that could easily be reconstructed by a man-in-the-middle. LINE status updates, timeline posts, comments to those posts and user IDs were all clearly visible in plain text, in addition to the chat messages and server login tokens as revealed last week by TelecomAsia.
LINE is one of the world’s most popular OTT IM apps with over 230 million users worldwide and 18 million in Thailand alone.
The paper also looked at rivals Whatsapp and WeChat. Both those programs remained encrypted when on 3G as well as on Wi-Fi.
Naver was sent a copy of the research paper and asked to comment but has so far refused to provide any feedback on any of the reports.
ACIS founder and CEO Prinya Hom-Anek refused to be drawn into any conspiracy theories of mass surveillance and said that lack of security was probably simply a very bad design choice to improve performance. LINE has ambitious goals of soon attracting 400 million users. Adding encryption would have significantly increased costs and slowed response time.
However, Prinya did say that Naver should come clean about what has happened and simply update the app, enabling SSL.
“If I were LINE, I’d tell the facts and confess, not apologise, but tell users that this platform is insecure by design and built only for performance,” he said.
Kaspersky Labs was given access to the initial findings and senior security researcher Roel Schouwenberg responded with little surprise. He said that many IM services have unencrypted chat traffic and he has seen some apps with unencrypted login even over Wi-Fi.
“With IM and social media services it's convenience that matters most. The desire from the general public to have better security and privacy is relatively recent. There's no easy solution here.
“To fix these problems users can start demanding better privacy guarantees. Hopefully, it will become a competitive advantage for those companies with a strong focus on these issues,” he said.
Schouwenberg recommended that anyone with privacy concerns should look to a privacy plug-in.
One such plug in is the Off-The-Record (OTR) protocol developed by researchers at the University of Waterloo in Canada. On Android, the OTR client of choice is Gibberbot. TelecomAsia contacted Gibberbot’s creators at the Guardian Project and its founder and benevolent dictator Nathan Freitas, has this to say.
“I think it comes down to truth and honesty. If this is the way LINE functions, they should be forthright about it, and state ‘encryption is only used on public Wi-Fi networks, and not when on telecom operators 3G networks’. Simple as that, and then the consumer must be informed and can decide. They should understand that these are apps are no more secure than a normal phone call or SMS message, i.e. not secure or private at all.
“Your point about this new generation of apps wanting to avoid the troubles Blackberry had is right on. Blackberry was actually secure, until it was forced to modify their system and architecture. These new apps will do anything to be dominant, and obviously apps like WeChat are developed in contexts where the notion of privacy and security are a joke to begin with,” he said.
As for Gibberbot and the Guardian Project’s other privacy protection apps, Freitas said his project aims to empower individuals with the rights we believe they should have to protect their thoughts, dreams, ideas, and personal lives, no matter where they are on the planet.
“Our motivations our pure, our code is open, our cryptography is end-to-end, and we log nothing. Unless an app or service can say the same, it should not be trusted,” he said.
Of the analysts contacted by TelecomAsia, none cared to comment on the vulnerability apart from IDC.
Senior market analyst Neeranuch Kanokvilairat responded by saying that users do not expect security from free apps such as LINE and that casual chat, sending stickers and playing games have nothing related to business.
“I think no people talk about critical business topics in LINE, and they rather share business files or confidential information via corporate emails which have more security,” she said.
The argument for LINE security has now become two-pronged. On the one hand there is concern over man-in-the-middle attacks from individuals in state agencies, telcos, ISPs and fibre optic carriers listening in on private conversations. Thai police have claimed that LINE is secretly helping them to gain access to chat logs and this open back door would appear to be what they were talking about. On the other hand, there is the matter of privacy from third parties intercepting messages over the air due to lack of encryption especially over older 2G networks.
On that latter point, Dtac has moved to reassure users and has issued a statement that while they are still using the A5/1 encryption protocol when on 2G, a protocol known to have been compromised, it has hardened its network to prevent over the air eavesdropping.
A Dtac spokesperson said that the network forces frequent re-authentication with new cipher keys, updates TMSI frequently, forces frequency and channel hopping and also forces handovers between cells to make interception much harder.
AIS has previously said it has contacted Naver asking them to patch this security hole for the privacy of its subscribers.
Despite almost two weeks having passed since the story was first published, Naver seems to have done nothing to address these concerns. The session keys intercepted on 26 August are still valid 12 days later and can still be used to access Naver’s servers in Japan to pull historical chat logs.