Drawing the Line on spying on internet chat users

Thai police claim that the popular instant messaging app Line is secretly helping them to gain access to chat logs. Naver, its creator, has denied helping them and said it had not received any requests from the Thai police. Both statements are very right, and yet are very, very wrong.

It was Technology Crime Suppression Division commander Pol Maj Gen Pisit Pao-In's comments that got me thinking that there was more to this than meets the eye. This led to an investigation, published in detail in TelecomAsia, that uncovered how Line left its security wide open so that almost any state or telecommunication company could access full chat history with minimal effort.

I found myself working with a communications network engineer who set out to see what kind of metadata he could learn about the Line protocol.

We were both shocked and surprised when we saw not just the metadata, but entire conversations played out in plain text with no encryption at all when on cellular data, both 2G and 3G.

This would mean that anyone, from your telcos like AIS, Dtac or TrueMove to your ISP (CAT, TOT) to the cable carriers that link Thailand to Japan (probably via Malaysia and Singapore first), can listen in and see your chats.

But that was not all.

We continued to look at the header metadata and it soon became clear Line was using a simple, easy-to-read format to communicate with the server in Japan. Using the information we observed, we created a tiny 20-line programme to ask the server in Japan for information using those tokens (a clump of data which locates the record containing metadata).

The tokens, which should have a very short life, could be used again and again. We could pull information from the chatroom at will, and even more shockingly, we found out we could pull historical chat logs up to two months old just by changing a couple of parameters in the request. As I write, it has been three days since the tokens were pulled and one day since the news of this vulnerability broke, and the keys are all still valid.

It must be stressed that this was done just from looking at the communication logs, the unencrypted chatter between the Line app and the server, and not from reverse engineering or even looking into the app itself, such is the lack of protection.

Anyone at your telco or cable company could listen in on your communications and see and copy the key. That key can then be used later to download logs directly from the servers in Japan with no questions asked. Perhaps Pol Maj Gen Pisit has access to a whole keyring of these tokens which he uses to listen in on his targets.
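The three failures described above (requests accepted over an unencrypted link, tokens that stay valid for days, and unrestricted access to old logs) each correspond to a server-side check. The sketch below is an added example, not Line's code and not part of the original article; the token format, the key, the 15-minute lifetime and the one-day history limit are all assumptions chosen for illustration.

```python
import hashlib
import hmac

# Every name and value here is an assumption for illustration; none come from Line.
SERVER_KEY = b"constructed-demo-key"  # constructed sample secret
TOKEN_TTL = 15 * 60                   # assumed token lifetime: 15 minutes
MAX_HISTORY = 24 * 3600               # assumed furthest look-back per request: 1 day


def _mac(user_id: str, expiry: str) -> str:
    """HMAC over the user and the expiry, so neither can be altered by a client."""
    msg = f"{user_id}|{expiry}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user_id: str, now: int) -> str:
    """Return 'user|expiry|mac' with an expiry TOKEN_TTL seconds from now."""
    expiry = str(now + TOKEN_TTL)
    return f"{user_id}|{expiry}|{_mac(user_id, expiry)}"


def authorize_history(token: str, over_tls: bool, since: int, now: int) -> str:
    """Decide whether a chat-history request may be served."""
    if not over_tls:
        # A token sent over a cleartext link is visible to every hop on the path.
        return "reject: cleartext transport"
    parts = token.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return "reject: malformed token"
    user_id, expiry, mac = parts
    if not hmac.compare_digest(mac, _mac(user_id, expiry)):
        return "reject: bad signature"
    if now >= int(expiry):
        # Stops a token copied days earlier from being used again.
        return "reject: token expired"
    if now - since > MAX_HISTORY:
        # Stops one request from reaching months back into the logs.
        return "reject: history window too large"
    return "allow"


if __name__ == "__main__":
    t0 = 1_000_000  # constructed timestamp
    tok = issue_token("alice", t0)
    print(authorize_history(tok, True, t0 - 3600, t0 + 60))
    print(authorize_history(tok, True, t0, t0 + 3 * 86400))  # three days later
```
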

I approached shadow ICT minister Sirichok Sopha (he was the only politician returning my calls that day) and showed him the attack. He was shocked at the intrusion on privacy, especially since Democrat MPs use Line for communications within each working group.

It would be easy to write a headline, "Democracy in peril: Line spies on opposition", but it would also be as easy to spy on Panthongtae Shinawatra's equally important communications with his father and aunt, so I doubt this is a partisan issue.

Thailand's number one telco, AIS, is aware of the issue, according to the senior vice president for digital products, Pratthana Leelapanang, who told me he had already asked Line to fix the problem for the privacy of its subscribers.

Soon after I started looking into this, I asked Line for clarification on a very worrying post in their engineering blog that said they decided not to use encryption to speed things up. This sounded like a very, very reckless thing to do.

The answer I received was very interesting. "When using Line, bugging and hacking on the users' communications are impossible. Fundamentally, telecommunication companies' wireless networks can't be hacked. Also, while using other networks, such as WiFi, hacking on Line is impossible since Line uses HTTPS. Also, all types of authorisation codes related with Line certification are completely encrypted. Therefore, hacking or random change in codes are basically impossible," the spokesperson replied.

So what he said is that when using WiFi, Line is encrypted and that the telcos' data networks are secure. Both statements are true in isolation. But what it did not allude to was the insidious nature of Line that only turns on encryption when using WiFi and turns it off when using a cellular connection.

Pol Maj Gen Pisit was right when he said that Line secretly cooperates with Thai police, and in fact all authorities worldwide, in providing chat data through leaving this gaping back door wide open.

Line was right, too, in saying that the Thai police had not asked for help as obviously they did not need to. Both were right in what they said but both were so wrong in their deeds.

People complain of dragnet surveillance by a secret court in the USA, but in this case there is no court oversight at all for a communications medium that 18 million Thais use day in, day out.

It would seem that in claiming their 15 minutes of fame, Thai police may have inadvertently blown open one of the world's biggest surveillance programmes. Why else could Line have so easily entered every country and risen past 230 million users without running into any trouble the way BlackBerry and Nokia did in India and the Middle East?

Or it could be all Line users are happy, friendly people who like bunnies and teddy bears and do not spend their days thinking of ways to overthrow the state.

I am still waiting for a reply from Line. Its chief executive officer Morikawa Akira needs to come clean on what has happened here and for how long this lapse of security has been in place.

Yes, people, think of cute bluebirds and rainbows and allow the Thought Police to prevent you from committing any Thought Crimes while you drift off to sleep.


Don Sambandaraksa is a technology writer at Telecom Asia and a former journalist with Database at the Bangkok Post.
