WhatsApp, Telegram, Viber and DefTalk as "secure" instant messaging applications

2015-08-26 00:00:00 +0100

“Politicians move from Viber to Telegram in fear of wiretapping”, Ukrainian media announced recently. Wow, that was a really significant, qualitative change, so to say… The original news item (Ukrainian politicians switch en masse from Viber to Telegram for security reasons) cited a number of politicians, members of parliament, who were concerned about their “private and sensitive” conversations on Viber being used for blackmail. They came up with a number of “countermeasures”, such as periodically reinstalling Viber or even, how radical, switching to Telegram.

Former FSB head Nikolai Patrushev, on the other side, criticised (Patrushev demanded measures against officials who use WhatsApp) Russian officials for using applications like WhatsApp for potentially sensitive communications. Then, by the end of 2015, another “secure” instant messaging application, DefTalk, hit the market and became number one in sales on the App Store for Ukraine.

This news shows only the tip of an iceberg, and it is in no way unique to Russia or Ukraine. Using instant messaging mobile apps for sensitive communications is widespread and, while for some medium-sized businesses it might be an acceptable risk, in politics it is definitely unacceptable.

These applications, regardless of encryption or other security promises, simply aren’t suitable for highly classified communications. The problem is not only the applications themselves, but the whole environment around them: mobile operating systems, hardware, software distribution channels, key management and so on. An attacker who controls any of those layers reads the plaintext before the app encrypts it or after it decrypts it, so you just cannot make these apps significantly more resistant to a government attacker than an old-school SMS message.

There are systems on the market that do this properly, but they are expensive (dedicated hardware) and technologically challenging: in traditional GSM you can’t really do this easily other than by transferring encrypted voice over the data channel, which is not very suitable for that purpose. And there is usually a lag of a few seconds for the key exchange. But that is the cost of privacy, and the cost of not having it is usually much higher.

Back in 2014 we watched a spectacular security compromise, when European Union foreign policy chief Catherine Ashton chatted with Estonian foreign minister Urmas Paet over an apparently standard mobile connection. The call was immediately picked up by some security service and passed to the press with a suitable interpretation (Estonia denies leaked call implicates Ukraine protesters in killings). The same happened soon after to Victoria Nuland, and this time phone encryption, or more precisely the lack of it, was even literally mentioned (Leaked call on Ukraine made on unencrypted cellphones -U.S. officials).

As simple as it is, there are no shortcuts here. Paet and Ashton might have used something like RedPhone on their “civilian” phones, but it is likely that even if they had tried they would quickly have given up because of the jitter and noise that come from using the data channel.

Germany saw this threat and issued encrypted telephones to most key officials back in 2013 (German politicians to get encrypted phones). Polish ABW (Internal Security Agency) did even better and created the government-wide system CATEL back in 2011, but there are mixed reports on its success: some media reported that many politicians were concerned about… ABW wiretapping them, and did not accept the encrypted phones (The Kremlin too close to Belweder: Russia is intercepting our phone calls).

I wonder what they turned to instead, but I guess it was an order of magnitude less secure than CATEL…