WhatsApp backdoor: “A huge threat to freedom of speech”

Thomas McMullan Read more January 13, 2017

Update: WhatsApp has given the following response:

WhatsApp backdoor: “A huge threat to freedom of speech”

“The Guardian posted a story his morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. This claim is false.

WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.“

Original story continues below.

–

WhatsApp has a backdoor that could allow Facebook to intercept and read encrypted messages.

That’s according to a report in The Guardian, which claims the way WhatsApp has implemented its end-to-end encryption protocol makes it possible for the company to access private messages, at least in theory.

As the report explains, WhatsApp’s encryption “relies on the generation of unique security keys”, created using Open Whisper Systems’ Signal protocol. These unique keys are traded and verified between users, to ensure that the lines of communication are secure from middlemen.

So far, so good. But it turns out WhatsApp also has the ability to automatically resend undelivered messages, forcing the generation of new encryption keys unbeknownst to the receiver (the sender is only notified, after the message has been re-sent, if the user has opted-in to encryption warnings in settings). Crucially, this re-encryption could allow WhatsApp or another party to generate known keys, which would allow them to intercept and read the message.

This setup is not native to the Signal protocol, which will fail to deliver a message if the security key has been changed while offline. Instead, the vulnerability is down to WhatsApp’s implementation of the protocol, which automatically resends an undelivered message with a new key.

Tobias Boelter, a security researcher from the University of California, Berkeley, discovered the vulnerability, and reported it to WhatsApp’s owners Facebook in 2016. He was later told that it was “expected behaviour”, and The Guardian has been able to verify that the backdoor still exists.

“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter told The Guardian.

The backdoor was also verified by Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights. “WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform,” he told the paper.

WhatsApp supposed attention to information security has made it a choice platform for dissidents, journalists and diplomats. Privacy advocates have damned this revelation of an alleged backdoor, including Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, who said the vulnerability was “a huge threat to freedom of speech”.

“If you’re using WhatsApp to avoid government surveillance, stop now,” tweeted The Guardian’s Samuel Gibbs.

“Having a security backdoor that forces the generation of new encryption keys is bad enough. But not making the recipient aware of this change is highly unethical,” said Jacob Ginsberg, senior director at encryption software company Echoworx. “It calls into question the security, privacy and credibility of the entire service and the business. The fact that Facebook has known about this vulnerability since April is doubly damming. Not only could this be seen by many as supporting on-going government data collection interventions, it means their talk of encryption and privacy has been nothing more than lip service. The company needs to actively address its security measures.”