Popular mobile messaging service Line is under pressure in Thailand — its second largest market — where a media report has claimed that messages sent across its service are vulnerable to interception from third parties.
Reporters at Telecom Asia say they were able to intercept a chat session on Line using packet capture software, going on to reproduce the content on a PC. They observed that messages were sent in clear text while using cellular data, while information was encrypted “most of the time” when using WiFi.
Furthermore, they maintain that group chat keys could be used to gain access to past chat logs, if intercepted.
That first half of that conclusion appears to be backed up by Line. A January blog post explaining how it embraced the SPDY protocol includes the following — emphasis ours:
We allow for non-encrypted connections. SPDY is usually used with TLS, but this slows down connection times and transfers–especially over mobile connections. Thus we decided to allow for non-encrypted connections over a mobile network.
The implication of this finding is that content from the messaging service can be accessed by third parties, such as an operator, ISP or hackers who are equipped with the right tools.
Line — which counts 18 million of its 230 million user base in Thailand — didn’t dispute that it doesn’t encrypt messages over cellular, but instead appeared to argue the security of mobile networks with the following statement:
When using Line, bugging and hacking on the users’ communications are impossible. Fundamentally, telecommunication companies’ wireless networks can’t be hacked. Also, while using other networks, such as WiFi, hacking on Line is impossible since Line uses HTTPS. Also, all types of authorization codes related with Line certification are completely encrypted. Therefore, hacking or random change in codes are basically impossible.
Thai police earlier this month voiced their intention to monitor messages sent across the popular service, although Line denied that it was complicit in the plan and that such an arrangement was even possible. These new claims suggest that some form of monitoring may be possible after all — the question is whether this is down to lax security or a deliberate, uncommunicated hole.
➤ LINE vulnerable to man-in-the-middle attack [Telecom Asia]
Headline image via TNW