Naver has announced that its simple LINE Pokopang game has achieved 10 million downloads only two months after its release, furthering LINE’s popularity as a gaming platform.
However, the company has remained silent over the security failings revealed by TelecomAsia, which show the messaging app switching off encryption when on 3G, leaving all messages and authorisation tokens visible in plain text and open to a man-in-the-middle attack.
Since then, it has been confirmed that the iOS version of LINE behaves the same way, and that the same happens on 2G EDGE.
The latter is of particular concern as at least two out of the three major operators in Thailand, if not all three, have been confirmed to still be using the compromised 16-year-old, 64-bit A5/1 encryption protocol on 2G.
In 2010, researcher Karsten Nohl proved that A5/1 could be broken with computers costing as little as $4,000. All the equipment needed to intercept and decrypt a GSM session in under a minute, including radios and a high-end gaming PC, would have cost as little as $30,000 back then.
Meanwhile, the authentication token that TelecomAsia was able to retrieve in plain text on Sunday has still not expired four days later. It can still be used to retrieve historical chat logs directly from Naver’s servers in Japan with a simple JSON HTTP request, with no additional authentication requested.
This is in addition to the inherent weakness of unencrypted communications, which means that any man in the middle, from telcos to fibre operators, could intercept the key and use it to browse through users' chat history at leisure.
The vulnerability has since been independently confirmed by members of the general public. On Thursday morning, a Twitter user by the name of @wetfdstamp was among the first to post screenshots of his own intercepted 3G LINE session, showing messages in clear text.
The social media buzz is loudest in Spain, the first European country where LINE reached over 10 million users.