WhatsApp is insecure. Myth or reality?
WhatsApp is no longer yet another instant messaging application, but is becoming a true social phenomenon. It is used by all kinds of users and it handles two billion messages per day.
In fact, it may even lead to social exclusion, as the people who do not use it become ‘expensive’ friends in the eyes of others and might see how the number of calls and messages received from friends is drastically reduced.
Leaving aside these questions, today most smartphone users use WhatsApp and, despite its tremendous popularity, security experts have brought to light other not-so-good aspects of the app, mainly the level of communication security provided by it.
Until recently, messages sent through the WhatsApp service were not encrypted. Thus, it was fairly simple to see the messages sent by other users as long as you were connected to the same network as them (for example, a public Wi-Fi network). To fix this, at the end of August a new version of WhatsApp was released which included message encryption to assure the user’s communication privacy.
However, it has been demonstrated that the encryption used is not robust enough so it is still possible to intercept communications even with this new version.
The problem stems from the fact that the encryption key used by WhatsApp for Android is a MD5 hash of the phone’s IMEI number in reverse format; that is, if you calculate your phone’s IMEI number MD5 hash and write it from right to left instead of from left to right, you’ll obtain the encryption key used by WhatsApp, and therefore will be able to decrypt the messages sent through the service. Additionally, on IOS devices (iPad/iPhone), WhatsApp creates its encryption key simply by doubling the Wi-Fi interface’s MAC address and generating an MD5 hash from it. Many voices claim that WhatsApp is insecure but, how risky is it really?
For a user to be able to intercept and decrypt the messages you send via WhatsApp, the following conditions must be met:
- They must be connected to the same Wi-Fi network as you. For example, a public Wi-Fi network.
- They must know your phone’s IMEI number (which is not easy).
- They should have sufficient computer knowledge as to be able to capture network traffic, calculate the MD5 hash of your IMEI number and decrypt the messages.
Once you know the risks, you just have to take some basic security measures to continue using the app without compromising your privacy:
- Avoid using WhatsApp on public Wi-Fi networks (airports, cafés, etc.). You never know who may be listening.
- Use certain basic security measures with your own Wi-Fi network. This way, you will prevent other users from connecting to it without your consent.
Note: Refer to your router user guide for more information on how to apply the following recommendations as instructions may vary between router manufacturers:
- Change the default password of your router or Wi-Fi access point.
- Secure data transmission, enabling WPA/WPA2 encryption.
- Enable MAC address filtering.