A vulnerability was found within Facebook’s WhatsApp that could allow third parties like government spy agencies and companies to intercept and read the supposedly encrypted messages. WhatsApp is a free messaging and calling service used by 1 billion people worldwide and is favored by journalists and political activists on account of its secure end-to-end encryption.
Facebook acquired WhatsApp in 2014 for $22 billion and implemented the Signal encryption protocol in April 2016. The Signal protocol is considered a gold standard among security advocates, implementing military-grade end-to-end encryption for instant-messaging services by relying on the exchange and verification of unique security keys between users. When correctly implemented without a backdoor, it ensures that third parties, like Facebook employees, cannot intercept and read messages in transit. Theoretically, no one but the end users should even be in possession of the encryption key, but a backdoor was discovered by Tobias Boelter, cryptography and security researcher at the University of California, Berkeley, that could allow WhatsApp to decrypt its messaging records if ever subpoenaed by a government agency.
For quick reference: backdoors into technology enable third parties to access content unbeknownst to the primary party. The subject garnered public interest following the San Bernardino attack back in 2016.
Boelter discovered that WhatsApp possesses the ability to force the creation of new encryption keys for offline users without their knowledge, making the sender re-encrypt messages with new keys and send them again for any messages not yet marked as delivered. The recipient remains completely unaware of the re-encryption, while the sender receives a notification only if they’ve opted in to encryption warnings in the settings and only after the messages have been re-sent. As a result of the re-encryption and re-sending, WhatsApp can effectively intercept and read users’ messages.
According to the Guardian , Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organization for Human Rights, verified Boelter’s discovery. He said, “WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message without letting users know of the change until after it has been made, providing an extremely insecure platform.”
The issue isn’t inherent to the Signal protocol itself, which was originally developed by Open Whisper Systems for use with their namesake Signal messaging app that incorporates the unbreakable AES-256-bit encryption standard. If a recipient alters the security key while offline, the outgoing message fails to deliver and the sender gets notified of the change in key; messages aren’t automatically re-sent as is the case with WhatsApp.
How does this affect you and should you be worried?
Facebook is unlikely to possess technology capable of analyzing the billions of messages in transit to profile users for advertising purposes. At the same time, it can still cross-reference phone numbers registered with WhatsApp to those on Facebook and target specific segments of its user base. If targeted advertising and data-mining concerns you, then yes, you should rescind WhatsApp.
Users concerned with avoiding government surveillance should immediately stop using the application.
What should you do?
Switch over to Open Whisper Systems’ Signal messaging app. Privacy advocates like Edward Snowden recommended Signal as a superior alternative to WhatsApp long before Boelter’s discovery.
His argument: While WhatsApp, Google’s Allo, and Signal implement the Signal E2EE encryption protocol, they differ on exactly what information is encrypted, when metadata gets collected, and what gets stored in the cloud. Looking closely at WhatsApp’s privacy policy , we see that WhatsApp reserves the right to collect metadata on who is messaging who and when. A more glaring security loophole exists in how WhatsApp handles backups. Despite offering end-to-end encryption, WhatsApp relies on your phone’s built-in encryption to store chat logs and, by default, offers online backups to third-party cloud providers like Google or iCloud.
What we love about Signal
Check out Signal’s privacy policy for yourself — it’s short and sweet, stating, “we cannot decrypt or otherwise access content of a call or message.”
Signal offers the same features as WhatsApp while maintaining an open source code. Open Whisper System is entirely crowd-funded by donations and grants, making no money from ads. Features include:
- End-to-end encryption
- Locally stored encryption keys
- No metadata storage, other than what day a user connected to the Signal server
- Use of cryptographic hash functions to hide phone numbers before sending them to the server
- No way to back up chat history in the cloud storage
Compared to WhatsApp’s user base, Signal’s is minuscule — the Google Play Store lists approximately 1 million downloads, so the main setback is that you’ll have to convince your friends and family to use it.
Source: Guardian , WhatsApp , and Open Whisper Systems
Image attribution: Dominic Lipinksy/PA
Advertisement
Learn more about Electronic Products Magazine
