No encryption means easy compromise of Viber location data, communications


Viber, the cross-platform text messaging and voice over internet protocol (VoIP) service, stores, sends and receives images, doodles, videos and locations unencrypted, opening the door to data interception by attackers or service providers.

Researchers with the University of New Haven (UNH) Cyber Forensics Research & Education Group uncovered the Viber vulnerabilities as part of their ongoing network forensic analysis of chatting applications, which led them to discover flaws in WhatsApp earlier this month.

“If you are on a local network, you can simply sniff traffic coming in and out of the router, thus grabbing all this data,” Ibrahim Baggili, director of the UNH cyber group, told SCMagazine.com in a Thursday email correspondence.

This means that Viber users connected to open access Wi-Fi in a coffee shop, for example, can be targeted by man-in-the-middle attacks, including rogue access points or Address Resolution Protocol (ARP) poisoning, Baggili said.

Another big issue is that the unencrypted data is moving through the internet provider. “This means that spying could easily occur on your traffic through the service provider, if a certain entity had access to that data, and wanted to target you specifically,” Baggili said.

The issue is compounded because Viber stores that data on Amazon servers without any authentication or encryption.

“A simple visit to a link will download the data,” Baggili said. “The data is still obviously stored on their network, and anyone that clicks on the link gets immediate access to it without verifying who the user is, and whether or not they have sufficient credentials to actually get to that data.”

The UNH cyber team is warning against using Viber until these bugs are fixed, according to a Tuesday post, which includes a link to a video that details the attack. Recommendations include encrypting the data over a tunnel when it is sent, as well as making sure stored data is encrypted and authentication is required for access.

A Viber spokesperson did not respond to an SCMagazine.com request for comment. Baggili said that Viber representatives did not respond to correspondence from the UNH cyber group, but he pointed to an article that states the company is working to fix the issues immediately.
