No encryption means easy compromise of Viber location data, communications

Viber location data and communications are unencrypted and vulnerable.

The unencrypted way that images, doodles, videos and locations are stored, sent and received by cross-platform text message and voice over internet protocol (VoIP) service Viber is opening the door to data interception by attackers or service providers.

Researchers with the University of New Haven (UNH) Cyber Forensics Research & Education Group uncovered the Viber vulnerabilities as part of their ongoing network forensic analysis of chatting applications, which led them to discover flaws in WhatsApp earlier this month.

“If you are on a local network, you can simply sniff traffic coming in and out of the router, thus grabbing all this data,” Ibrahim Baggili, director of the UNH cyber group, told SCMagazine.com in a Thursday email correspondence.

This means that Viber users connected to open access Wi-Fi in a coffee shop, for example, can be targeted by man-in-the-middle attacks, including rogue access points or Address Resolution Protocol (ARP) poisoning, Baggili said.

Another big issue is that the unencrypted data is moving through the internet provider. “This means that spying could easily occur on your traffic through the service provider, if a certain entity had access to that data, and wanted to target you specifically,” Baggili said.

The issue is compounded because Viber stores that data on Amazon servers without any authentication or encryption.

“A simple visit to a link will download the data,” Baggili said. “The data is still obviously stored on their network, and anyone that clicks on the link gets immediate access to it without verifying who the user is, and whether or not they have sufficient credentials to actually get to that data.”

The UNH cyber team is warning against using Viber until these bugs are fixed, according to a Tuesday post, which includes a link to a video that details the attack. Recommendations include encrypting the data over a tunnel when it is sent, as well as making sure stored data is encrypted and authentication is required for access.

A Viber spokesperson did not respond to an SCMagazine.com request for comment. Baggili said that Viber representatives did not respond to correspondence from the UNH cyber group, but he pointed to an article that states the company is working to fix the issues immediately.
