Vulnerable ‘Security Backdoor’ Discovered in WhatsApp’s Encryption, Debunked as Being a Feature

17 Jan

By Anmol Sachdeva, The Tech Portal

Widely popular messaging app WhatsApp, owned by Facebook, has garnered immense praise for being one of the first to implement end-to-end encryption. On Friday, however, The Guardian has published a report to drag the company in the dirt due to the existence of a ‘security backdoor’ in its encryption mechanism. This caused tech and security enthusiasts to question the integrity of the claims and the messaging app.

According to the said report, this security vulnerability enables third parties like Facebook and other authorities to gain access to encrypted messages on the platform by intercepting them. This backdoor in WhatsApp has been discovered by Tobias Boelter, an independent security researcher at the University of California. He is expanding on a vulnerability discovered in the messaging app’s encryption methods back in April 2016.

Much like everybody else, WhatsApp has also implemented end-to-end encryption Signal Protocol across its platform. It is considered one of the most secure encryption technologies and has never been questioned, even after its source code being closed off. This technology has been developed by Open Whisper Systems.

Post the launch of private messaging in WhatsApp, Boelter uncovered a possible backdoor in the encryption methods of the service. He was able to discern that the problem stemmed from the implementation of the acclaimed Signal Protocol. He even reported it to Facebook back in April but received a reply saying it was “expected behavior.” And the social giant denied working on a possible fix for the same.

WhatsApp’s E2E encryption methods rely on generating unique security keys — which change on app reinstallation and handset swapping. These security keys are exchanged and verified while sending private messages in the app, thus cutting out the possibility of interception. And that’s where the backdoor lies.

Boelter is of the opinion that WhatsApp’s Signal Protocol implementation is flawed and forces generation of new security keys for offline users. This route is the vulnerability and will enable intruders to re-encrypt messages with new keys and send them without the knowledge of both the sender and receiver. This re-sending of messages effectively allows them to intercept and read the user’s encrypted WhatsApp messages.

Speaking on the same, he further adds,

If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.

However, not only WhatsApp but Open Whisper Systems has also rebuked the false story published by The Guardian. While WhatsApp has denied the inclusion of the backdoor, the security giant has also refuted the claims of an unruly implementation of their protocol in a blog post. It has simply stated that there is no backdoor but instead a design decision related to encrypted message delivery. It further adds,

It is great that the Guardian thinks privacy is something their readers should be concerned about. However, running a story like this without taking the time to carefully evaluate claims of a “backdoor” will ultimately only hurt their readers. We believe that WhatsApp remains a great choice for users concerned with the privacy of their message content.

WhatsApp, on the other hand, has mentioned that the offline key generation feature has been implemented in such a manner to ensure that the message doesn’t get lost or fail to deliver. Thus, it automatically resends undelivered messages without notifying either the sender or the recipient. But they are made of changes in each other’s security keys, which is also a method of new key verification — which will show up if you’ve activated it from the settings.

With regards to the same, WhatsApp has dispensed the following statement:

The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. This claim is false.

WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.

WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.

Thus, you can ignore the multitude of reports flooding the interwebs and securely message your buddies using the messaging app. This will, however, make the user more aware of encryption and how their privacy is being maintained by the social networking giant. And if you’re completely aloof then you should know that Facebook now has access to some of your usage data from WhatsApp. The messaging giant had announced a change in its privacy policies last year, to start work on its enterprise services.

Facebook Comments