Viber begins fixing image-encryption vulnerability

The Android version of the messaging app no longer sends images and videos without encryption protection, and an iOS fix has been submitted, the company says.

Viber unencrypted data problem
Dan Hawke and his friends saw how Telecom New Zealand network protection software replaced an image (center) with a security-block graphic in the messaging app (left). At right is the view of the correct graphic that another friend on a different network saw in Viber. Dan Hawke

Viber has added encryption measures to its messaging app for Android and iOS so that network eavesdroppers no longer can see or tamper with unprotected images, video, and messages about a user's location.

The new Android version 4.3.1.21, released Tuesday, includes "enhancements to the way Viber handles photo, video and location messages," according to the Viber page on the Google Play app store. The iOS version of Viber remains unchanged since its April 23 release, but Viber last week said it's preparing a fix. On Wednesday, the company said the fix has been submitted to Apple.

Because earlier versions of Viber sent images and videos without encryption, a user's private messages weren't actually private: anyone with control over the network Viber was using could read them and even modify them in transit.


The problem isn't academic, either: New Zealand resident Dan Hawke and his friends actually saw it in action when sending images with Viber. The SecureMe software that Telecom New Zealand uses to oversee its store Wi-Fi networks stripped out images and replaced them with a "protected by SecureMe" graphic.

"The Viber application wasn't even able to notice that it had been intercepted by the hotspot, and if it was using encryption that shouldn't have been possible," said Hawke, who reported the problem to Viber on April 7.

Viber said last week: "We aren't aware of a single user who has been affected by this." Still, the company did respond to Hawke's email.

In that response, Viber also told Hawke, "Currently the only data that is encrypted are text messages. Phone numbers and contact information is not encrypted. The connection that is made when a caller places a call is encrypted, but the call itself (that is, the audio data) is not encrypted. We are currently developing an end-to-end secure call feature that will encrypt all calls."

Today, though, Viber said the customer service rep wasn't totally right. "Text messaging has always been encrypted and media files are encrypted on Android and will be encrypted on other platforms as well. Voice communication is scrambled, and call establishment is encrypted. User data such as contact info and phone numbers are saved in a secure manner, despite any mistaken information that was given by a support representative. Contact info and phone numbers have been encrypted since day one."

The earlier unencrypted approach meant Telecom New Zealand could inspect the traffic on its network and remove the images. "If an in-store user attempts to access a website, download content, send or receive certain content types, or use a service that is not approved for access, the SecureMe device content filter will block the request and display an access denied message with the 'protected by SecureMe' splash page," company spokesman Richard Llewellyn said.

Researchers from the University of New Haven's Cyber Forensics Research & Education Group publicly demonstrated Viber's open transmission of the data April 23, a week after they also showed a similar but more limited weakness with a Viber messaging competitor, WhatsApp.

Although Viber is fixing the app, a related problem apparently remains: at least some of the unencrypted image and video data is still publicly available on Viber's Amazon Web Services storage. The researchers obtained the server location by monitoring the Viber app's network activity, and CNET verified that the example files they located were still there as of April 30.

"Data is stored on the Viber Amazon Servers in an unencrypted format," the researchers said, and it's not deleted immediately. It also "can be easily accessed without any authentication mechanism."

Update, 11:06 a.m. PT: Added more Viber comment and Telecom New Zealand comment.

Viber Media CEO Talmon Marco speaks at Mobile World Congress 2014. Stephen Shankland/CNET

