WhatsApp has made a big deal of its end-to-end encryption, claiming that it guarantees the privacy of its users’ communications. So, it will come as something of a revelation to many of its users that WhatsApp contains a security backdoor which enables parent company Facebook, and potentially others, to access encrypted content.
The information has come to light in an exclusive report in the Guardian which is reporting the findings of Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley.
WhatsApp’s end-to-end encryption uses the Signal protocol and a set of unique security keys exchanged between users. This should mean that no third party can access any data being communicated. The system was developed by Open Whisper Systems and is also used by Signal, another hugely popular encrypted messenger service.
However, Tobias Boelter has discovered that WhatsApp is able to force the generation of new encryption keys for users who are offline, and to make the sender re-encrypt and resend any messages that have not yet been delivered using this new key. This process enables WhatsApp to access the content of those messages.
There is no warning given to the sender of the messages that this has taken place. And the recipient will only be aware that anything has happened if they have chosen to opt into encryption warnings in the WhatsApp settings.
This might sound like WhatsApp can only access the odd snatched passage, but Boelter insists it means much more. “Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message,” he explained.
It should be stressed that although Signal uses the same encryption protocol as WhatsApp, the same vulnerability is not present in its service. And the Guardian report emphasises that it is also not something that is “inherently present in the Signal protocol” either.
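The behaviour described above comes down to a client policy: what a sender’s app does with undelivered messages when the server reports a new key for the recipient. The toy model below is an added illustration, not WhatsApp’s or Signal’s code; the key labels, the `block_on_key_change` flag and the placeholder “encryption” (a message tagged with the key label it was encrypted to) are constructed assumptions so it runs offline.

```python
"""Toy model of undelivered-message retransmission after a key change.

Constructed example: messages are only tagged with the key label they were
'encrypted' to, so the point shown is the client policy, not the cryptography.
"""
from dataclasses import dataclass, field


@dataclass
class Envelope:
    recipient_key: str   # label of the public key this message was encrypted to
    body: str


@dataclass
class Sender:
    known_key: str                 # recipient key the sender last saw / verified
    block_on_key_change: bool      # True: refuse to resend until the user verifies
    undelivered: list = field(default_factory=list)
    sent_log: list = field(default_factory=list)   # everything ever handed to server

    def send(self, text):
        env = Envelope(self.known_key, text)
        self.undelivered.append(env)
        self.sent_log.append(env)
        return env

    def on_key_change(self, new_key, user_verified=False):
        """Server announces a new key for the recipient while messages are queued."""
        if self.block_on_key_change and not user_verified:
            return "blocked"        # nothing re-encrypted; user must confirm the key
        self.known_key = new_key
        resent = [Envelope(new_key, e.body) for e in self.undelivered]
        self.sent_log.extend(resent)      # re-encrypted copies go back via server
        self.undelivered = resent
        return "retransmitted"


def readable_by(sender, key):
    """Bodies that a holder of `key` could decrypt from all traffic the server saw."""
    return [e.body for e in sender.sent_log if e.recipient_key == key]


def simulate(block_on_key_change):
    s = Sender(known_key="recipient-key-A", block_on_key_change=block_on_key_change)
    s.send("meet at 9")
    s.send("bring the documents")
    outcome = s.on_key_change("server-chosen-key-B")   # recipient is offline
    return outcome, readable_by(s, "server-chosen-key-B")
```

With auto-retransmission every queued message becomes readable under the server-supplied key; with the blocking policy nothing is re-encrypted until the sender confirms the change, which is the difference between the two clients the article contrasts.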
WhatsApp was popular before it introduced end-to-end encryption, but it has made a big deal of it ever since. As they say on their website, “Privacy and security is in our DNA”. The introduction of end-to-end encryption has made WhatsApp hugely popular with political activists, campaigners, diplomats, and many others who rely on secure communications.
Given all this, the response of WhatsApp and its parent company Facebook to this finding has been, to put it mildly, disappointing.
Tobias Boelter reported his findings to Facebook as far back as April 2016. Their response was that this was “expected behaviour” and not something they were looking to address.
A spokesperson for WhatsApp gave the Guardian a load of sales blather before saying that the most common reason security codes might change is that “someone has switched phones or reinstalled WhatsApp”. They said this was common in many parts of the world and WhatsApp didn’t want their messages to be lost.
However, they failed to respond to questions about whether WhatsApp and Facebook had accessed message content, or handed over message content to law enforcement and intelligence agencies. On this last point, they directed the Guardian to Facebook’s data on government requests, which would suggest that the answer to that question is, ‘yes we have’.
The Guardian has confirmed that the vulnerability is still in place, nine months on from when Facebook was first alerted to it, and comments from Facebook and WhatsApp suggest there are no plans to close it anytime soon.
Needless to say, commentators have been quick to condemn the flaw and highlight how it can be used by law enforcement and intelligence agencies to access supposedly encrypted content.
Professor Kirsty Ball of the Centre for Research into Information, Surveillance and Privacy told the Guardian the vulnerability was “a gold mine for security agencies… and a huge betrayal of user trust [and] a threat to freedom of speech.”
According to Jim Killock of the Open Rights Group, “if companies claim to offer end-to-end encryption, they should come clean if it is found to be compromised – whether through deliberately installed backdoors or security flaws.”
User reactions are likely to be swift, with many who rely on WhatsApp’s so-called end-to-end encryption expected to abandon the service quickly for more reliable competitors like Signal.
Whether the news going public and the likely hit on user numbers will force WhatsApp and Facebook’s hand remains to be seen. But for many users, WhatsApp has never been the same since Facebook took it over, and no matter what claims for security might be made, they will not return to what is undoubtedly a badly damaged brand.