WhatsApp backdoor: "A huge threat to freedom of speech"

A reported 'backdoor' in WhatsApp could undermine the security of private messages

WhatsApp has a backdoor that could allow Facebook to intercept and read encrypted messages, it is claimed.

According to a report in The Guardian, the way WhatsApp has implemented its end-to-end encryption protocol makes it possible for the company to access private messages, at least in theory.

As the report explains, WhatsApp's encryption "relies on the generation of unique security keys", created using Open Whisper Systems' Signal protocol. These unique keys are traded and verified between users, to ensure that the lines of communication are secure from middlemen.

So far, so good. But WhatsApp also allegedly has the ability to automatically resend undelivered messages, forcing the generation of new encryption keys unbeknownst to the receiver (the sender is only notified, after the message has been re-sent, and only if the user has opted in to encryption warnings in settings). Crucially, this re-encryption could allow WhatsApp or another party to generate known keys, which would allow them to intercept and read the message.

This setup is not native to the Signal protocol, which will fail to deliver a message if the recipient's security key has changed while they were offline. Instead, the vulnerability is down to WhatsApp's implementation of the protocol, which automatically resends an undelivered message encrypted under the new key.
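To make the difference between the two behaviours concrete, here is an added toy model (not code from WhatsApp, Signal, or the researchers quoted in this article). It uses no real cryptography: key identifiers such as `K1` and `K2` are labels, the `Server`, `Client` and `Message` classes and the policy names `block` and `auto_resend` are this example's own constructions, and the scenario (Alice has verified Bob's key, sends while Bob is offline, and the server then advertises a new key) is constructed to mirror the situation the article describes.

```python
# Added illustration: two client policies for a pending message whose recipient key changes.
# No real encryption is performed; key ids are labels and all names are constructed for this example.
from dataclasses import dataclass, field


@dataclass
class Message:
    body: str
    encrypted_to: str      # label of the key the ciphertext was produced for
    delivered: bool = False


@dataclass
class Server:
    """Constructed stand-in for the messaging server: holds the key directory and relays ciphertext."""
    keys: dict = field(default_factory=dict)   # peer -> key id the server currently advertises
    wire: list = field(default_factory=list)   # (body, key id) pairs actually transmitted

    def deliver(self, msg: Message) -> None:
        self.wire.append((msg.body, msg.encrypted_to))
        msg.delivered = True


@dataclass
class Client:
    """Sender-side state. The policy names are this example's own labels."""
    policy: str                     # "block" (Signal-style) or "auto_resend" (behaviour described for WhatsApp)
    warnings_enabled: bool = False  # the opt-in security-notifications setting
    verified_keys: dict = field(default_factory=dict)  # peer -> key id the user has actually verified
    outbox: list = field(default_factory=list)
    prompts: list = field(default_factory=list)        # shown to the user BEFORE anything is sent
    notices: list = field(default_factory=list)        # shown to the user AFTER a message has gone out

    def send(self, peer: str, body: str) -> None:
        # Encrypt to the key we last verified for this peer; delivery happens later.
        self.outbox.append(Message(body, self.verified_keys[peer]))

    def on_key_change(self, peer: str, new_key: str, server: Server) -> None:
        """The server announces a new key for `peer` while messages are still undelivered."""
        for msg in self.outbox:
            if msg.delivered or msg.encrypted_to == new_key:
                continue
            if self.policy == "block":
                # Fail closed: keep the message and ask the user to verify the new key first.
                self.prompts.append(f"Key for {peer} changed; verify it before resending '{msg.body}'")
            elif self.policy == "auto_resend":
                # Re-encrypt to the new, unverified key and send; tell the user only afterwards, if opted in.
                msg.encrypted_to = new_key
                server.deliver(msg)
                if self.warnings_enabled:
                    self.notices.append(f"Security code for {peer} changed")
            else:
                raise ValueError(f"unknown policy {self.policy!r}")

    def verify_and_resend(self, peer: str, key: str, server: Server) -> None:
        """The user explicitly accepts the new key (e.g. after comparing safety numbers out of band)."""
        self.verified_keys[peer] = key
        for msg in self.outbox:
            if not msg.delivered:
                msg.encrypted_to = key
                server.deliver(msg)


def run_scenario(policy: str, warnings_enabled: bool = False) -> dict:
    """Alice has verified Bob's key K1 and sends while Bob is offline; the server then
    advertises key K2 before the message is delivered. Returns what happened."""
    server = Server(keys={"bob": "K1"})
    alice = Client(policy=policy, warnings_enabled=warnings_enabled, verified_keys={"bob": "K1"})
    alice.send("bob", "hello")
    server.keys["bob"] = "K2"                  # key change while the message is pending
    alice.on_key_change("bob", "K2", server)
    msg = alice.outbox[0]
    return {
        "delivered": msg.delivered,
        "encrypted_to": msg.encrypted_to,
        "sent_to_unverified_key": msg.delivered and msg.encrypted_to not in alice.verified_keys.values(),
        "prompts_before_send": len(alice.prompts),
        "notices_after_send": len(alice.notices),
        "wire": list(server.wire),
    }


if __name__ == "__main__":
    for policy, warn in (("block", False), ("auto_resend", False), ("auto_resend", True)):
        print(policy, warn, run_scenario(policy, warn))
```

Under the `block` policy nothing leaves the device until the user has acted on the prompt, so a key the sender never verified is never used. Under `auto_resend` a ciphertext for `K2` is transmitted even though `K2` is not in the sender's verified set, and unless the security-notifications option is on the sender is never told. From a defender's point of view the model shows why the opt-in notification the WhatsApp spokesman refers to matters, and why verifying a changed key out of band before continuing a sensitive conversation is the safer habit.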

Tobias Boelter, a security researcher from the University of California, Berkeley, discovered the vulnerability, and reported it to WhatsApp's owner, Facebook, in 2016. He was later told that it was "expected behaviour", and The Guardian reported that it has been able to verify that the backdoor still exists.

"If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys," Boelter told The Guardian.

A WhatsApp spokesman denied this when approached by IT Pro, saying: "WhatsApp does not give governments a 'backdoor' into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks."

He added that the suggestion that a government could force WhatsApp to give access was false, though The Guardian cited the Investigatory Powers Act's ability to require companies to remove "electronic protection" from data.

The backdoor was also verified by Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights. "WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform," he told the paper.

WhatsApp's supposed attention to information security, implementing end-to-end encryption for all messages in April last year, has made it a choice platform for dissidents, journalists and diplomats. Privacy advocates have damned this revelation of an alleged backdoor, including Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, who said the vulnerability was "a huge threat to freedom of speech".

"If you're using WhatsApp to avoid government surveillance, stop now," tweeted The Guardian's Samuel Gibbs.

"Having a security backdoor that forces the generation of new encryption keys is bad enough. But not making the recipient aware of this change is highly unethical," said Jacob Ginsberg, senior director at encryption software company Echoworx. "It calls into question the security, privacy and credibility of the entire service and the business.

"The fact that Facebook has known about this vulnerability since April is doubly damning. Not only could this be seen by many as supporting on-going government data collection interventions, it means their talk of encryption and privacy has been nothing more than lip service. The company needs to actively address its security measures."

WhatsApp's spokesman told IT Pro: "WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report."
