WhatsApp backdoor: "A huge threat to freedom of speech"

A reported 'backdoor' in WhatsApp could undermine the security of private messages

WhatsApp has a backdoor that could allow Facebook to intercept and read encrypted messages, it is claimed.

According to a report in The Guardian, the way WhatsApp has implemented its end-to-end encryption protocol makes it possible for the company to access private messages, at least in theory.

As the report explains, WhatsApp's encryption "relies on the generation of unique security keys", created using Open Whisper Systems' Signal protocol. These unique keys are traded and verified between users, to ensure that the lines of communication are secure from middlemen.

So far, so good. But it turns out WhatsApp also allegedly has the ability to automatically resend undelivered messages, forcing the generation of new encryption keys unbeknownst to the receiver (the sender is notified only after the message has been re-sent, and only if they have opted in to encryption warnings in settings). Crucially, because the sender's client re-encrypts the undelivered message under whatever new key it is presented with, this re-encryption could allow WhatsApp or another party to generate known keys, which would allow them to intercept and read the message.

This setup is not native to the Signal protocol, which will fail to deliver a message if the security key has been changed while offline. Instead, the vulnerability is down to WhatsApp's implementation of the protocol, which automatically resends an undelivered message with a new key.
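The difference between the two behaviours described above comes down to what a sender's client does when the recipient's identity key changes while a message is still undelivered. The following is an added illustration, not code from WhatsApp, Signal or the article: a constructed model with a relay server, a sender client that pins the recipient's key on first use, and two policies. Key names, the toy keystream cipher, and the "constructed-sender-secret" are all made up so the example runs offline; they stand in for the real X3DH/Double Ratchet machinery without implementing it.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed model of the two key-change policies the article contrasts.
# Keys are opaque byte strings; "encryption" is a toy keystream so the
# example runs offline. Nothing here is WhatsApp's or Signal's real code.

BLOCK_ON_KEY_CHANGE = "block"      # Signal-style: fail closed until the user verifies
AUTO_RESEND = "auto_resend"        # the behaviour the article attributes to WhatsApp


def fingerprint(pubkey: bytes) -> str:
    """Short identifier users would compare out of band (like a safety number)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


def toy_encrypt(session_key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256-derived keystream. Not real crypto."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(data, stream))


def session_key(recipient_pubkey: bytes) -> bytes:
    """Stand-in for the key agreement: the session key depends on the recipient's identity key."""
    return hmac.new(b"constructed-sender-secret", recipient_pubkey, hashlib.sha256).digest()


@dataclass
class Server:
    """Relay that stores the recipient's current identity key and undelivered messages."""
    recipient_pubkey: bytes
    queue: list = field(default_factory=list)   # (key fingerprint, ciphertext) pairs

    def reregister(self, new_pubkey: bytes) -> None:
        # Recipient reinstalls while offline (or the relay swaps the key):
        # anything queued under the old key can no longer be delivered.
        self.recipient_pubkey = new_pubkey
        self.queue.clear()


@dataclass
class SenderClient:
    policy: str
    show_security_notifications: bool
    pinned_pubkey: bytes                        # trust-on-first-use pin
    events: list = field(default_factory=list)  # what the user would see, in order
    outbox: list = field(default_factory=list)  # plaintexts not yet marked delivered

    def send(self, server: Server, plaintext: bytes) -> None:
        key = session_key(server.recipient_pubkey)
        server.queue.append((fingerprint(server.recipient_pubkey), toy_encrypt(key, plaintext)))
        self.outbox.append(plaintext)

    def sync(self, server: Server) -> None:
        """Reconcile with the relay; this is the step where the policy matters."""
        if server.recipient_pubkey == self.pinned_pubkey:
            return
        if self.policy == BLOCK_ON_KEY_CHANGE:
            # Fail closed: surface the change first and leave the message unsent
            # until the user has compared fingerprints and accepted the new key.
            self.events.append("KEY_CHANGED_BLOCKED")
            return
        # AUTO_RESEND: silently re-encrypt every undelivered message under the new key...
        new_key = session_key(server.recipient_pubkey)
        for plaintext in self.outbox:
            server.queue.append((fingerprint(server.recipient_pubkey), toy_encrypt(new_key, plaintext)))
        self.events.append("RESENT_UNDER_NEW_KEY")
        # ...and only afterwards, and only if the user opted in, show a notice.
        if self.show_security_notifications:
            self.events.append("KEY_CHANGED_NOTICE")
        self.pinned_pubkey = server.recipient_pubkey


def run_scenario(policy: str, notifications: bool):
    """Sender queues a message, recipient's key changes while offline, sender reconnects."""
    server = Server(recipient_pubkey=b"recipient-key-v1")
    sender = SenderClient(policy, notifications, pinned_pubkey=b"recipient-key-v1")
    sender.send(server, b"meet at 9")
    server.reregister(b"recipient-key-v2")
    sender.sync(server)
    return sender.events, [fp for fp, _ in server.queue]


if __name__ == "__main__":
    for policy in (BLOCK_ON_KEY_CHANGE, AUTO_RESEND):
        for notify in (True, False):
            print(policy, "notifications" if notify else "no notifications", run_scenario(policy, notify))
```

Under the blocking policy the only event is the warning and the relay's queue stays empty; under the auto-resend policy the message is already sitting on the relay under the new key before any notice appears, and with notifications off no notice appears at all. That ordering, rather than the cryptography itself, is the point Boelter and the Guardian are making.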

Tobias Boelter, a security researcher from the University of California, Berkeley, discovered the vulnerability, and reported it to WhatsApp's owner, Facebook, in 2016. He was later told that it was "expected behaviour", and The Guardian reported that it has been able to verify that the backdoor still exists.

"If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys," Boelter told The Guardian.

A WhatsApp spokesman denied this when approached by IT Pro, saying: "WhatsApp does not give governments a 'backdoor' into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks."

He added that the suggestion that a government could force WhatsApp to give access was false, though The Guardian cited the Investigatory Powers Act's ability to require companies to remove "electronic protection" from data.

The backdoor was also verified by Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights. "WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform," he told the paper.

WhatsApp's supposed attention to information security, implementing end-to-end encryption for all messages in April last year, has made it a choice platform for dissidents, journalists and diplomats. Privacy advocates have damned this revelation of an alleged backdoor, including Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, who said the vulnerability was "a huge threat to freedom of speech".

"If you're using WhatsApp to avoid government surveillance, stop now," tweeted The Guardian's Samuel Gibbs.

"Having a security backdoor that forces the generation of new encryption keys is bad enough. But not making the recipient aware of this change is highly unethical," said Jacob Ginsberg, senior director at encryption software company Echoworx. "It calls into question the security, privacy and credibility of the entire service and the business.

"The fact that Facebook has known about this vulnerability since April is doubly damning. Not only could this be seen by many as supporting ongoing government data collection interventions, it means their talk of encryption and privacy has been nothing more than lip service. The company needs to actively address its security measures."

WhatsApp's spokesman told IT Pro: "WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report."
