
WeChat's custom encryption protocol under scrutiny

WeChat encryption vulnerabilities revealed in new study (Image source: Adem AY, Unsplash)
A recent Citizen Lab study reveals potential security flaws in WeChat's custom encryption protocol, MMTLS. Despite using two-layer encryption, the system exposes metadata and lacks forward secrecy.

The University of Toronto’s Citizen Lab folks recently investigated WeChat’s encryption and found some possible security flaws. With over a billion users logging in monthly, WeChat runs a customized version of the Transport Layer Security (TLS) 1.3 protocol, which they call MMTLS.

WeChat’s encryption is set up in two layers:

  1. Business-layer encryption: Encrypts the plaintext content
  2. MMTLS: Further encrypts the already encrypted content before transmission

Even with these two layers, the researchers ran into a few issues:

  • Business-layer encryption leaves important metadata unprotected, like user IDs and request URIs.
  • MMTLS uses deterministic initialization vectors (IVs), which goes against recommended cryptographic practices.
  • There’s no forward secrecy, which is vital for keeping things secure long-term.
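To show what the deterministic-IV finding means in practice, here is an added example that is not from the Citizen Lab report or from WeChat's code: a toy CTR-style stream cipher built on SHA-256 (an assumption standing in for the AES-based keystream a TLS-like record layer uses) encrypts two constructed messages under the same key and IV, and the keystream reuse lets one message be recovered from the other. A small defender-side check that flags repeated (key, IV) pairs is included.

```python
import hashlib
import os

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy CTR-mode keystream: SHA-256(key || iv || counter) blocks.
    Assumption: stands in for AES-CTR/GCM keystream generation."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream(key, iv).
    Decryption is the same operation."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))

def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Two ciphertexts under the same key and IV share a keystream, so
    c1 XOR c2 == p1 XOR p2; knowing p1 therefore reveals p2 (two-time pad)."""
    return xor(xor(c1, c2), p1)

def find_iv_reuse(records):
    """Defender check: flag (key_id, iv) pairs that appear more than once
    in a capture or key-usage log. Any hit means the keystream was reused."""
    seen, reused = set(), []
    for key_id, iv in records:
        if (key_id, iv) in seen and (key_id, iv) not in reused:
            reused.append((key_id, iv))
        seen.add((key_id, iv))
    return reused

# Constructed sample messages and key (not real WeChat traffic).
KEY = b"constructed-32-byte-session-key!"
P1 = b"user=alice route=/sync01"
P2 = b"user=bobby route=/sync02"

if __name__ == "__main__":
    fixed_iv = bytes(12)                     # deterministic IV: same for every message
    c1, c2 = encrypt(KEY, fixed_iv, P1), encrypt(KEY, fixed_iv, P2)
    print("deterministic IV leaks P2:", recover_with_known_plaintext(c1, c2, P1) == P2)
    c3 = encrypt(KEY, os.urandom(12), P2)    # fresh random IV per message
    print("random IV leaks P2:", recover_with_known_plaintext(c1, c3, P1) == P2)
    print("reuse flagged:", find_iv_reuse([("s1", fixed_iv), ("s1", fixed_iv)]))
```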

Before 2016, WeChat only used business-layer encryption for its requests. Adding MMTLS was meant to shore that up. Even though it made the app more secure by shielding the inner encryption layer from attack, the researchers say it still falls short of modern cryptographic standards for an app of this size.

The report points out a bigger issue in China’s tech scene: developers often build their own encryption systems instead of using well-known protocols like TLS 1.3 or QUIC, and these homegrown systems are usually less secure.

Citizen Lab thinks Tencent (WeChat’s parent company) should move to a standard TLS setup or use a TLS and QUIC combo to level up their security.

Source(s)

CitizenLab (in English) 

Nathan Ali, 2024-10-21 (Update: 2024-10-24)