CybersecurityFacebook-WhatsApp deal raises security concerns
Facebook’s acquisition of WhatsApp made headlines for its sheer size — $4 billion in cash and $15 in Facebook stock, for a total of about $19 billion – but security experts are worried about the security aspects of the deal. Even security specialists advising WhatApp’s customers not to panic about the deal, use language which is not exactly reassuring. Serge Malenkovich of Kaspersky Labs says: “There are no new [emphasis in original] reasons to worry about messaging privacy. Honestly speaking, WhatsApp was never meant to be a true confidential messaging tool; there were even multiple breaches in the past, including some attacks, which make eavesdropping possible.”
Facebook’s acquisition of WhatsApp made headlines for its sheer size — $4 billion in cash and $15 in Facebook stock, for a total of about $19 billion – but security experts are worried about the security aspects of the deal.
Describing its security policies, WhatsApp says on that “communication between your phone and our server is fully encrypted.” The company does remind its customers that when they a send a message to another device, that device may not be secure, but it adds that the company does not store chat history and that it wipes messages off its system immediately after these messages are delivered.
Yahoo News reports, however, that security experts that WhatsApp’s system, which is currently used by about 430 million customers, may be vulnerable.
Paul Jauregui of Austin, Texas-based security firm Praetorian said in a blog post last week that WhatsApp security and encryption are not ideal, citing vulnerabilities in the way it handles SSL, the secure socket layer protocol for communications.
Praetorian’s mobile security test “picked up on several SSL-related security issues affecting the confidentiality of WhatsApp user data that passes in transit to back-end servers,” Jauregui wrote.
“This is the kind of stuff the NSA (National Security Agency) would love. It basically allows them — or an attacker — to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk.”
Jauregui added that Praetorian would need authorization from Facebook and WhatsApp to do a more thorough security evaluation, and says it would be “not very difficult” to patch the security flaws.
Note: Jauregui outlined his concerns with WhatsApp’s SSL-related security issues in his post of Thursday, 20 February. On Friday, 21 February, he updated his post to say:
The WhatsApp team told us they are actively working on adding SSL pinning to their clients and we no longer find evidence of export ciphers, null ciphers, or SSLv2 support. Credit should be given to the WhatsApp team for implementing these fixes so quickly! (Emphasis in original)
Across the Atlantic, the data commissioner in the state of Schleswig-Holstein said last Thursday that the deal raises serious privacy concerns and that WhatsApp does not comply with European data protection rules.