LINE vulnerability confirmed by ACIS

Don Sambandaraksa
06 Sep 2013
As for Gibberbot and the Guardian Project’s other privacy protection apps, Freitas said his project aims to empower individuals with the rights we believe they should have to protect their thoughts, dreams, ideas, and personal lives, no matter where they are on the planet.
“Our motivations are pure, our code is open, our cryptography is end-to-end, and we log nothing. Unless an app or service can say the same, it should not be trusted,” he said.
Of the analysts contacted by TelecomAsia, none cared to comment on the vulnerability apart from IDC.
Senior market analyst Neeranuch Kanokvilairat responded by saying that users do not expect security from free apps such as LINE and that casual chat, sending stickers and playing games have nothing to do with business.
“I think no people talk about critical business topics in LINE, and they rather share business files or confidential information via corporate emails which have more security,” she said.
The argument for LINE security has now become two-pronged. On the one hand, there is concern over man-in-the-middle attacks from individuals in state agencies, telcos, ISPs and fibre optic carriers listening in on private conversations. Thai police have claimed that LINE is secretly helping them to gain access to chat logs, and this open back door would appear to be what they were talking about. On the other hand, there is the matter of privacy from third parties intercepting messages over the air due to lack of encryption, especially over older 2G networks.
On that latter point, Dtac has moved to reassure users and has issued a statement that while it is still using the A5/1 encryption protocol on 2G, a protocol known to have been compromised, it has hardened its network to prevent over-the-air eavesdropping.
A Dtac spokesperson said that the network forces frequent re-authentication with new cipher keys, updates the TMSI frequently, forces frequency and channel hopping, and also forces handovers between cells to make interception much harder.
AIS has previously said it has contacted Naver asking them to patch this security hole for the privacy of its subscribers.
Despite almost two weeks having passed since the story was first published, Naver seems to have done nothing to address these concerns. The session keys intercepted on 26 August are still valid 12 days later and can still be used to access Naver’s servers in Japan to pull historical chat logs.
