WhatsApp is one of the most widely used messengers across the universe and what better than the numbers which prove the point. That said the Facebook-owned company has been adding privacy features regularly and end to end encryption was one of them. Furthermore, Facebook has been claiming that no one can intercept WhatsApp messages and that includes the company and staff. But this claim stands to be challenged by a security vulnerability that will allow Facebook and others to intercept and read encrypted messages sent and received using WhatsApp.
State-sponsored cyber attacks are not something new and Privacy campaigners are wary that such a type of vulnerability can be used by government and other regulatory authorities to spy on users or as I prefer to say “person of interest”. Apparently, the staggering user base of WhatsApp magnifies the peril, especially since it has become one of the quintessential communication tools.
This is how it all happens, WhatsApp’s end-to-end encryption makes use of security key using the well known Signal Protocol by Open Whisper Systems. The keys are traded between the users and only after verification the communication is initiated. This theoretically assures that no middlemen or an intruder of any sorts can intercept the encrypted communication channel, However, WhatsApp can apparently force generate an encryption key for offline users and this happens behind a closed door, oblivious to the users.
The sender will not receive notification of any sort until and unless the sender has opted-in to encryption warnings in settings. Discovered by Tobias Boelter, a security researcher at the University of California, Berkeley was quoted as follows by the Guardian, “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
OpenWhisper Systems has been the favorite of privacy advocates including the likes of Edward Snowden. The problem, however, does not seem to be induced at the OpenWhisper Systems end and Signal a messaging app that boasts of its privacy doesn’t suffer the same fate as the WhatsApp. In the case of Signal when a recipient changes the security key while offline the sent message will not be delivered and the sender will be notified about the change in the security key. WhatsApp automatically sends an undelivered message along with a new key with no control from the users to end to control it from happening. However, some of the security experts are contradicting the same and say it’s all about the choice between UI/UX and not exactly a backdoor.
Should key verification be a blocking or non-blocking user interaction? Signal chose blocking. WhatsApp chose non-blocking.#UXvsSecurity?
— Frederic Jacobs (@FredericJacobs) January 13, 2017
The WhatsApp vulnerability is still active and according to Boelter the company already knows about its existence. He further implies that Facebook keeps on flipping the keys while the user is offline and users will not now the changes, thus giving birth to a rather insecure platform. As if that was not enough WhatsApp can also allow for interception of complete conversation rather than just a single message.
Boelter’s analogy goes as follows, “[Some] might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”
All of this comes at a time when the UK passed the Investigatory Powers act amidst outcry and this allows the government to intercept the bulk of data from the private companies which is a shade similar to the one exposed by Snowden. Apart from that the power to force companies to “maintain technical capabilities” lies with the government and the private companies can also be made to retract electronic protection from the data. The use case somehow resonates with the WhatsApp vulnerability.
WhatsApp has replied to Guardians concern and says that this feature is designed to take care of people changing the SIM cards and devices and the company wants to make sure that the “people’s messages are delivered and not lost in transit.” According to me, WhatsApp should have just included a resend prompt which will notify the users of the change in key (might be a bad case of UX though). In its statement WhatsApp has further directed the concerned to its site that maintains a data on government requests by the country. Perhaps you could turn on the “Show Security Notifications” setting which will at least warn you before such an occurrence.
A spokesperson from WhatsApp reached out to us and rubbished the claims that the feature is a backdoor allowing for an interception. Following is a statement from WhatsApp, “WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report. ”