AMITIAE - Wednesday 28 August 2013
Cassandra: LINE IM app Vulnerable to Man-in-the-Middle Attack - HTTP Headers Hold Plaintext Keys to Retrieval of Chat Logs.
By Don Sambandaraksa
This revelation comes as controversy continues to rage over whether Thailand’s police are intruding on citizens’ privacy by listening in on LINE messages, or whether chat logs would, as Naver’s CEO claims, be released only when presented with a Japanese court order.
Using packet capture software it was possible to intercept a LINE chat session at the network level and reconstruct it on a PC. Messages were sent in clear text to LINE’s server when on cellular data, but were encrypted most of the time when using Wi-Fi.
Lack of encryption would mean that a man in the middle - an ISP, telco, or arguably the NSA, GCHQ or any of the members of the Axis of Espionage monitoring fiber cables between the user and the server in Japan - could easily listen in on private communications.
An industry network engineer who asked not to be identified presented these findings to TelecomAsia which then worked with him to verify and expand on the initial findings.
The team was able to write a 20-line Python script that took the Cafe-ID and a few other tokens intercepted from the communication logs and used them to poll LINE’s server with a simple HTTP JSON request for new messages in the group chat. With a little tweaking of the parameters it was possible to retrieve historical chats of the group dating back up to just under two months.
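As an added illustration, not code from the article or from the engineer’s script (whose details the article does not publish), the following Python script shows the kind of check a security team could run over its own captured traffic to detect exactly this class of problem: a credential-bearing header or query parameter travelling over a non-TLS connection. All sample flows, header names and token values are constructed; LINE’s real endpoints and header names are not on the page and are not used.

```python
"""Flag HTTP requests that carry session tokens over a plaintext connection.

Added example: audits captured flows and reports any credential-bearing
header or query parameter that was sent without TLS.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header / parameter names that commonly carry credentials or session material.
# Hypothetical pattern list: the article does not name the app's real headers.
SENSITIVE_NAME_RE = re.compile(
    r"(authorization|cookie|token|session|api-?key|secret|auth)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    flow: str      # "client -> server:port"
    where: str     # header name, or "query:<param>"
    reason: str


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse a minimal HTTP/1.x request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def audit_flow(flow: str, tls: bool, raw: str) -> List[Finding]:
    """Return findings for one flow; TLS flows are opaque and produce none."""
    findings: List[Finding] = []
    if tls:
        return findings
    _method, target, headers = parse_request(raw)
    for name in headers:
        if SENSITIVE_NAME_RE.search(name):
            findings.append(Finding(flow, name, "credential-bearing header sent without TLS"))
    # Tokens placed in the URL query string are just as exposed on the wire.
    if "?" in target:
        for param in target.split("?", 1)[1].split("&"):
            key = param.split("=", 1)[0]
            if SENSITIVE_NAME_RE.search(key):
                findings.append(Finding(flow, f"query:{key}", "token in URL query sent without TLS"))
    return findings


def audit_capture(flows: List[Tuple[str, bool, str]]) -> List[Finding]:
    """Audit a list of (flow, tls, raw_request) tuples from a capture."""
    out: List[Finding] = []
    for flow, tls, raw in flows:
        out.extend(audit_flow(flow, tls, raw))
    return out


# Constructed sample capture: one plaintext cellular flow carrying a session
# token and cookie, one TLS flow (payload unreadable), one harmless plaintext flow.
SAMPLE_CAPTURE: List[Tuple[str, bool, str]] = [
    ("10.0.0.5 -> 203.0.113.10:80", False, "\r\n".join([
        "GET /api/messages?room=CONSTRUCTED-ROOM-ID HTTP/1.1",
        "Host: example.invalid",
        "User-Agent: sample-client/1.0",
        "X-Session-Token: CONSTRUCTED-TOKEN-VALUE",
        "Cookie: sid=CONSTRUCTED-COOKIE-VALUE",
        "", "",
    ])),
    ("10.0.0.5 -> 203.0.113.10:443", True, ""),
    ("10.0.0.5 -> 198.51.100.7:80", False, "\r\n".join([
        "GET /status HTTP/1.1",
        "Host: example.invalid",
        "", "",
    ])),
]

if __name__ == "__main__":
    for f in audit_capture(SAMPLE_CAPTURE):
        print(f"{f.flow}: {f.where} - {f.reason}")
```

Any finding means an on-path observer between the handset and the server (the ISP, telco or cable tap the article describes) could read and reuse the token; the fix belongs in the app, which must use TLS on every network path rather than only on Wi-Fi.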
It would be conceivable that somewhere there is someone with a whole keyring of important people’s chatroom IDs collected over time which they could use to listen in at will.
It also lends credence to the Thai police’s claim that LINE was secretly helping them gain access to user logs, despite repeated denials from the company; both the claim and the denials now appear to be technically correct, if misleading.
Thailand’s number one telco, AIS, is aware of the issue, according to SVP for digital products Pratthana Leelapanang. “We realize that the communication of some application is not encrypted. Even [though] it is not our operator service, we are officially requesting LINE to fix such problem to further customer privacy,” he said.
Another AIS executive said that the telco does not save HTTP header metadata or share it with authorities, only the IP source and destination addresses.
Nothing the spokesperson said addressed the risk of a man-in-the-middle attack by someone within the telco or ISP, or the fact that LINE turned off encryption when on 3G, though the exact question was posed in an abstract form before the proof-of-concept attack was successfully carried out.
Dtac CEO Jon Eddy Abdullah dismissed the experiment as an exceptional case, saying that in the real world it was impossible to sniff the keys over the air on a modern, secure telecoms network.
Asked if Dtac was sharing HTTP header metadata information that could be used to download chat logs with the authorities, Abdullah responded according to script, “as we are a Thailand operator, we can allow [access to] any traffic via our core network only in the case that we have got formal requests from responsible public agency to do.”
Sirichok said that the government cannot tell Naver how to write its software, but it has a duty to present these issues to the public so they can make an informed decision as to whether or not to use the application given these severe privacy concerns.
TrueMove was contacted but had not replied at the time of going to press.
In a small number of cases the LINE app connected over Wi-Fi unencrypted, though it is still unclear how and why that was so. This is of particular concern as all the major telcos run extensive hetnet unencrypted Wi-Fi offload networks.