A post popped up yesterday from Thijs Alkemade, a computer science and mathematics student at Utrecht University in The Netherlands. The post outlines a bit of the core encryption methods of WhatsApp, highlighting a few of the technical aspects of the service and also noting some big vulnerabilities.
If you follow along with the original post, you can see that Thijs walks through two "mistakes" in WhatsApp's encryption, both of which can be exploited by someone with the know-how. Ultimately he concludes that your WhatsApp messages can be decrypted, given enough effort by a would-be snoop.
You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort. You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this but to stop using it until the developers can update it.
Of course this is something that could be (and will need to be) fixed by WhatsApp, so the problems could very well be corrected soon. He also notes that they could be avoided if WhatsApp were to use something like TLS (Transport Layer Security), which is exactly what BBM uses for its services.
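To make the recommendation concrete from the defender's side, here is an added example (not code from the original post, nor from WhatsApp or BBM) of what "using TLS properly" looks like in Python's standard `ssl` module: the client requires a certificate, checks that it matches the hostname, and refuses anything older than TLS 1.2. A deliberately misconfigured context sits next to it so that a small audit function can show the difference. The function names, the audit wording and the example host are assumptions of this example.

```python
import socket
import ssl


def make_verified_context():
    """A client context configured the way a messaging client should be:
    system trust store, certificate required, hostname checked, TLS >= 1.2."""
    ctx = ssl.create_default_context()  # loads the OS trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no TLS 1.0 / 1.1
    ctx.check_hostname = True  # certificate must match the server name
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverified peers are rejected
    return ctx


def make_unverified_context():
    """The weak setting seen in many home-grown clients: the handshake still
    encrypts, but any on-path party can present its own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext; empty means the
    context enforces the properties a TLS deployment is supposed to give."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def verified_connect(host, port=443, timeout=5.0):
    """Open a verified TLS connection and report the negotiated protocol and
    cipher. Needs network access; host is an assumed example value."""
    ctx = make_verified_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print("verified  :", audit_context(make_verified_context()) or "no findings")
    print("unverified:", audit_context(make_unverified_context()))
    # Uncomment to try against a real server (network required):
    # print(verified_connect("example.com"))
```

The point of the audit is that encryption alone is not the property you want: without certificate verification and hostname checking, an eavesdropper who can sit on the path can terminate the connection with a certificate of their own, which is exactly the class of exposure the post attributes to WhatsApp's custom scheme.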
From Andrew Bocking, Head of BBM for BlackBerry:
I can’t really speak to all of the technical aspects of the WhatsApp system. However, people can rest assured that BBM remains a trusted private social network. Where other services may be vulnerable to unwanted snooping or eavesdropping, BBM increasingly uses standard TLS deployment to remove that vulnerability from our service. TLS is a well-known, well-studied protocol. To put it in everyday context, this is the same technology used for internet banking.
Hearing things like this makes the wait for cross-platform BBM feel even longer. We know the demand is extremely high, but it just needs to be released. Sadly, we're over three weeks past the original launch date, and while it's still on the way, we have no idea when we'll actually see it. Thankfully, when it does show up you can rest assured it will be a solid, private messaging service that won't have such issues or vulnerabilities. That is something to keep in mind in light of the recent findings about WhatsApp.