Thijs Alkemade says there's nothing users can do about it

Oct 8, 2013 14:29 GMT

Thijs Alkemade, a Computer Science and Mathematics student at Utrecht University in the Netherlands, warns that hackers can decrypt WhatsApp messages by exploiting flaws in the encryption protocol.

According to the expert, WhatsApp has made two mistakes: using the same encryption key in both directions, and using the same HMAC key in both directions.
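Why both kinds of reuse matter is shown in the sketch below, which is added here as an illustration and is not Alkemade's proof-of-concept or WhatsApp's code. It assumes a cipher that XORs plaintext with a key-derived keystream (the article does not name the cipher) and uses a toy SHA-256 keystream; all names, keys and messages are constructed.

```python
import hashlib
import hmac

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode), a stand-in for the real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, len(plaintext)))

def direction_key(session_key: bytes, label: bytes) -> bytes:
    """Hypothetical fix: derive an independent key for each direction."""
    return hmac.new(session_key, label, hashlib.sha256).digest()

SESSION_KEY = b"constructed-session-key"   # constructed sample values
CLIENT_MSG = b"meet at the usual place"
SERVER_MSG = b"delivery receipt 000417"

def keystream_cancels(client_key: bytes, server_key: bytes) -> bool:
    """True if XORing the two ciphertexts yields the XOR of the plaintexts,
    i.e. the key has dropped out and only the messages remain."""
    c1 = encrypt(client_key, CLIENT_MSG)
    c2 = encrypt(server_key, SERVER_MSG)
    return xor(c1, c2) == xor(CLIENT_MSG, SERVER_MSG)

def tag_valid_in_other_direction(mac_c2s: bytes, mac_s2c: bytes) -> bool:
    """True if a tag made for client->server also verifies for server->client."""
    tag = hmac.new(mac_c2s, CLIENT_MSG, hashlib.sha256).digest()
    expected = hmac.new(mac_s2c, CLIENT_MSG, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

C2S = direction_key(SESSION_KEY, b"client->server")
S2C = direction_key(SESSION_KEY, b"server->client")

if __name__ == "__main__":
    print("same key both ways, keystream cancels:", keystream_cancels(SESSION_KEY, SESSION_KEY))
    print("per-direction keys, keystream cancels:", keystream_cancels(C2S, S2C))
    print("same HMAC key, tag valid both ways:", tag_valid_in_other_direction(SESSION_KEY, SESSION_KEY))
    print("per-direction HMAC keys, tag valid both ways:", tag_valid_in_other_direction(C2S, S2C))
```

With one shared key the first and third checks come back true; with a separate key per direction both come back false.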

“You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort. You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this except to stop using it until the developers can update it,” Alkemade explained.

The expert suggests that WhatsApp should use solutions that have already been “reviewed, updated and fixed,” such as TLS.

To demonstrate his findings, the expert has published a proof-of-concept written in Python. Additional technical details and the proof-of-concept are available on Alkemade’s blog.

Update. WhatsApp representatives have told Ars Technica’s Dan Goodin that the scenario described by the expert is “more theoretical in nature.”

The company says the statement that all conversations should be considered compromised is inaccurate, and called Alkemade’s post “sensationalized and overblown.”