No encryption means easy compromise of Viber location data, communications

Viber location data and communications are unencrypted and vulnerable.

Viber, the cross-platform text message and voice over internet protocol (VoIP) service, stores, sends and receives images, doodles, videos and locations unencrypted, opening the door to data interception by attackers or service providers.

Researchers with the University of New Haven (UNH) Cyber Forensics Research & Education Group uncovered the Viber vulnerabilities as part of their ongoing network forensic analysis of chatting applications, which led them to discover flaws in WhatsApp earlier this month.

“If you are on a local network, you can simply sniff traffic coming in and out of the router, thus grabbing all this data,” Ibrahim Baggili, director of the UNH cyber group, said in a Thursday email correspondence.

This means that Viber users connected to open access Wi-Fi in a coffee shop, for example, can be targeted by man-in-the-middle attacks, including rogue access points or Address Resolution Protocol (ARP) poisoning, Baggili said.

Another big issue is that the unencrypted data is moving through the internet provider. “This means that spying could easily occur on your traffic through the service provider, if a certain entity had access to that data, and wanted to target you specifically,” Baggili said.

The issue is compounded because Viber stores that data on Amazon servers without any authentication or encryption.

“A simple visit to a link will download the data,” Baggili said. “The data is still obviously stored on their network, and anyone that clicks on the link gets immediate access to it without verifying who the user is, and whether or not they have sufficient credentials to actually get to that data.”

The UNH cyber team is warning against using Viber until these bugs are fixed, according to a Tuesday post, which includes a link to a video that details the attack. Recommendations include encrypting the data over a tunnel when it is sent, as well as making sure stored data is encrypted and authentication is required for access.
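The access-control recommendation can be illustrated with a short server-side check, added here as an example; it is not Viber's or the UNH group's code. It assumes the storage front end already knows the authenticated user from a session, and the names `sign_media_link`, `verify_media_link` and `SERVER_KEY` are hypothetical. A link is only honored when it carries a signature binding the media object to one recipient and an expiry time, so a bare media link no longer returns data.

```python
import hashlib
import hmac
import re
import time

# Constructed demo key; a real service would load this from a secrets store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

ID_RE = re.compile(r"[A-Za-z0-9_-]+")
TOKEN_RE = re.compile(
    r"([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([0-9]+)\.([0-9a-f]{64})"
)


def _mac(media_id, user_id, expires_at, key):
    """HMAC-SHA256 over the fields the link is bound to."""
    msg = f"{media_id}|{user_id}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_media_link(media_id, user_id, expires_at, key=SERVER_KEY):
    """Issue a download token valid for one recipient until expires_at."""
    if not ID_RE.fullmatch(media_id) or not ID_RE.fullmatch(user_id):
        raise ValueError("ids must be alphanumeric, '-' or '_'")
    expires_at = int(expires_at)
    sig = _mac(media_id, user_id, expires_at, key)
    return f"{media_id}.{user_id}.{expires_at}.{sig}"


def verify_media_link(token, authenticated_user, now=None, key=SERVER_KEY):
    """Return the media id if the token is valid for this user, else None."""
    now = time.time() if now is None else now
    match = TOKEN_RE.fullmatch(token)
    if match is None:
        return None  # a bare, unsigned link is rejected here
    media_id, user_id, expires_raw, sig = match.groups()
    expected = _mac(media_id, user_id, int(expires_raw), key)
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if user_id != authenticated_user:
        return None  # link was issued to a different recipient
    if now > int(expires_raw):
        return None  # link has expired
    return media_id
```

This covers only the authentication recommendation; encrypting the data in transit and at rest is still needed alongside it.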

A Viber spokesperson did not respond to a request for comment. Baggili said that Viber representatives did not respond to correspondence from the UNH cyber group, but he pointed to an article that states the company is working to fix the issues immediately.
