New research has found the private and encrypted messages in WhatsApp can be intercepted by Facebook, because of the way WhatsApp has implemented its end-to-end encryption protocol.
Privacy campaigners have strongly criticised this news, suggesting this vulnerability could pose a ‘huge threat to freedom of speech’. The personal and sensitive information could be exploited by a number of bodies, including government agencies.
Kevin Bocek, chief cyber security strategist at Venafi shares this view and states that “the potential for governmental abuses from this misuse of encryption with WhatsApp is alarming”.
The security vulnerability was initially discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley.
He told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
Alarmingly Boelter raised this issue with Facebook in April 2016, but the internet giant told him that it was “expected behaviour” and not being actively worked on. The Guardian have since verified that this vulnerability still exists.
>See also: WhatsApp’s end-to-end encryption ‘as fake as Kim Kardashian’s booty’ says hacker
Facebook had claimed that no one can intercept and read encrypted WhatsApp messages.
This new research rubbishes this statement, and raises serious questions about the privacy of over one billion users.
Privacy and security was WhatsApp’s main attraction and the reason for its unprecedented rise in the messaging platform world. Arguably the communications tool is now the most popular on the planet and is used by a range of people.
It is rumoured that WhatsApp is now working on structured messages for enterprises, as it plans to bring direct messaging to large numbers of the target audience. Could this latest news affect this endeavour?
WhatsApp’s end-to-end encryption was developed by Open Whisper Systems and its security is based on the constant generation of unique security keys, using Signal Protocol. These keys are traded and verified between users, which is meant to guarantee secure communication.
However…
As reported by the Guardian, the security backdoor allows WhatsApp to override these security keys for offline users. In turn the sender of the original message, unknowingly, re-encrypts the message with a new set of security keys. Any messages that have not been marked as delivered, as a result, will be sent with these new encryption keys once the user comes back online.
‘This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages’, says the report in the Guardian.
Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights, commented on Boelter’s findings and said that “WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform.”
“This is a serious vulnerability – WhatsApp needs to know how keys are protected in order to keep the global communications of over a billion users safe and private,” confirmed Bocek.
>See also: Will WhatsApp trigger an encryption revolution?
“This potential gap in security is a reminder for businesses of the power of cryptographic keys and how a lack of knowledge regarding their use can have serious consequences.”
“Systems need to be in place to protect and change keys quickly, as and when needed. This is critical at a time when governments worldwide are attempting to break down and intrude on the use of encryption to protect privacy – what has become a basic right for both people and machines worldwide.”
It should be noted that the Signal Protocol, operated by Open Whisper Systems, does not share this same vulnerability. In its instance if a sender/user goes offline, the message will simply fail to send and the user will be notified of any change to the security key of the message without the message automatically being sent once back online.
The security failing in WhatsApp’s code means these undelivered messages are automatically sent with new encryption keys once the user is back online. Effectively rendering ‘private’ messages as viewable.
Boelter said that some “might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”
Government agencies
The question then remains, could government agencies access these ‘private’ messages via WhatsApp?
Patrick Arben, partner at the international law firm, Gowling WLG told Information Age that from a UK government perspective this would certainly be possible.
However, “it would need to be done within the framework of the Investigatory Powers Act which came into force in November of last year. The Act goes some way to simplifying the surveillance and investigatory powers and rights that were previously spread across multiple pieces of legislation. This area was ripe for reform in light of the Edward Snowden revelations and the ECJ’s finding that the Data Retention Directive was invalid in 2014, which led to the Data Retention and Investigatory Powers Act 2014 being rushed through Parliament in just 3 days.”
“The key issue is whether the safeguards built into the Act will be found to be in compliance with Article 8 if and when they come to be tested in the Courts. Whether access to private citizens’ communications is granted will need both ministerial and judicial authorisation overseen by the newly created investigatory powers commissioner. Even if in principle this system is found to be Article 8 compliant it is quite possible that individual warrants could be challenged through the judicial review process.”
WhatsApp’s response
A WhatsApp spokesperson told the Guardian: “Over 1 billion people use WhatsApp today because it is simple, fast, reliable and secure. At WhatsApp, we’ve always believed that people’s conversations should be secure and private. Last year, we gave all our users a better level of security by making every message, photo, video, file and call end-to-end encrypted by default”.
>See also: WhatsApp finally rolls out end-to-end encryption for a billion users
“As we introduce features like end-to-end encryption, we focus on keeping the product simple and take into consideration how it’s used every day around the world.”
“In WhatsApp’s implementation of the Signal protocol, we have a “Show Security Notifications” setting (option under Settings > Account > Security) that notifies you when a contact’s security code has changed. We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”
In an updated statement a WhatsApp spokesperson said: WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.