By Don Sambandaraksa
Southeast Asia correspondent for TelecomAsia

Naver LINE's IM app sends messages over 3G networks in clear text, offering no privacy from anyone eavesdropping from within the network. Furthermore its design means that group chat keys intercepted may be reused at a later date to gain access to full chat history dating back months.

Line has 200 million users worldwide with over 18 million in Thailand.

This revelation comes as controversy continues to rage over whether Thailand’s police are intruding on citizens’ privacy by listening in on LINE messages, or whether chat logs would, as Naver’s CEO claims, be only released when presented with a Japanese court order.

Using packet capture software it was possible to intercept a LINE chat session at the network level and reconstruct it on a PC. Messages were sent in clear text to LINE’s server when on cellular data but encrypted when using Wi-Fi most of the time.

Lack of encryption would mean that a man in the middle - an ISP, telco, or arguably the NSA, GCHQ or any of the members of the Axis of Espionage monitoring fiber cables between the user and the server in Japan - could easily listen in on private communications.

An industry network engineer who asked not to be identified presented these findings to TelecomAsia which then worked with him to verify and expand on the initial findings.

The team was able to write a 20-line python script that took the Cafe-ID a few other tokens intercepted from communication logs and used it to poll LINE's server with a simple HTTP JSON request for new messages in the group chat. With a little tweaking of the parameters it was possible to get historical chats of the group dating back up to just under two months.

It would be conceivable that somewhere there is someone with a whole keyring of important people’s chatroom IDs collected over time which they could use to listen in at will.

These findings beg the question whether Naver intentionally designed its protocol to be so weak and obfuscated the weakness from network administrators so they would not have any problems entering repressive markets the way BlackBerry faced most notably in India and the Middle East.

It also lends credence to the Thai Police’s claim that LINE was secretly helping them with access to user logs despite repeated denials from the company, both of which now appear to be grammatically correct if misleading.

Thailand’s number one telco AIS is aware of the issue according to SVP for digital products Pratthana Leelapanang. “We realize that the communication of some application is not encrypted. Even [though] it is not our operator service, we are officially requesting LINE to fix such problem to further customer privacy,” he said.

Another AIS executive said that the telco does not save HTTP header metadata or share it with authorities, only the IP source and destination addresses.

However, Naver was adamant that its network is secure when presented with an abstract outline of the attack. A spokesperson said, “When using LINE, bugging and hacking on the users’ communications are impossible. Fundamentally, telecommunication companies’ wireless networks can’t be hacked. Also, while using other networks, such as WiFi, hacking on LINE is impossible since LINE uses HTTPS. Also, all types of authorization codes related with LINE certification are completely encrypted. Therefore, hacking or random change in codes are basically impossible.”

Nothing the spokesperson said addressed the weaknesses of a man-in-the-middle attack from someone within the telco or ISP or of the fact that LINE turned off encryption when on 3G, though the exact question was posed in an abstract form before the proof-of-concept attack was successfully carried out.

Dtac CEO Jon Eddy Abdullah dismissed the experiment as exceptional but that in the real world it was impossible to sniff the keys over the air with a modern, secure telecoms network.

Asked if Dtac was sharing HTTP header metadata information that could be used to download chat logs with the authorities, Abdullah responded according to script, “as we are a Thailand operator, we can allow [access to] any traffic via our core network only in the case that we have got formal requests from responsible public agency to do.”

Shadow ICT Minister Sirichok Sopha was taken aback when presented with the findings. The opposition Democrat party uses LINE for much of its internal communications and he would be taking the matter up with Naver and warning the party of this attack vector immediately.

Sirichok said that government cannot tell Naver how to write its software but it has a duty to present these issues to the public so they can make an informed decision as to whether or not to use the application given these severe privacy concerns.

TrueMove was contacted but did not reply at time of going to press.

The session keys used to retrieve chat logs may have an expiry date, but that was not evident during the duration of the study. 24 hours after the script was created, the same keys still managed to pull chat logs from Naver’s servers.

In a small number of cases the LINE app connected to WiFi unencrypted though it is still unclear how and why that was so. This is of particular concern as all the major telcos run extensive hetnet unencrypted Wi-Fi offload networks.

Additional reporting thanks to Suchit Leesa-nguansuk, Senior Reporter at the Bangkok Post