Yes we should be concerned about the WhatsApp ‘security bug’


WhatsApp is again under the spotlight for privacy issues. The Guardian reported on 13 January that a researcher from the University of California had found a security backdoor in the software. Through this backdoor, it would be possible to intercept messages, even if they are encrypted. And although a BBC Newsbeat article tried to downplay the weakness, it’s clear that there’s a problem.

End-to-end encryption

Last April, WhatsApp turned on its end-to-end encryption protocol by default for every message sent through the platform.

The way this protocol works is that the sender’s device encrypts the message when it leaves, and the receiver’s device decrypts it when it arrives. Only the receiver has the key to decipher the message, which means that the platform is unable to read it. This is one of the assets of the protocol: even if a court order demanded access to the conversations, the companies that use it would be unable to comply with the order.

But this may no longer be the case for WhatsApp. Tobias Boelter, the researcher who found the backdoor, told The Guardian:

If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.

A deficient implementation

The specific end-to-end protocol used by WhatsApp is a product of Open Whisper Systems. Signal, the messaging platform used by Edward Snowden and deemed the most secure by experts, uses the very same protocol.


Despite using the same protocol, the backdoor found in WhatsApp is not present in Signal. Instead, the problem lies in the way that WhatsApp implemented the protocol on its platform.

In WhatsApp, if a message is not delivered, the program can generate new keys, use them to re-encrypt the message, and send it again. What this means is that if an attacker registers in WhatsApp using the receiver’s number, the program will re-encrypt the message using the attacker’s key and send it to them. The legitimate receiver will not receive the message, and WhatsApp will only alert the sender if they have opted in to encryption warnings.
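The difference between the two ways of handling a changed key can be shown with a small model. This is an added example, not code from WhatsApp, Signal or the original article: keys are plain labels with no real cryptography, and the class name, method names and the rule that a warning does not hold back the resend are assumptions of the model.

```python
from dataclasses import dataclass, field

@dataclass
class SenderClient:
    """Toy sending client. Keys are opaque labels, not real key material."""
    blocking: bool                   # True: hold messages until the user approves the new key
    warnings_enabled: bool = False   # the opt-in encryption warning setting
    trusted_key: dict = field(default_factory=dict)   # contact -> key the sender last used
    undelivered: dict = field(default_factory=dict)   # contact -> texts not yet delivered
    alerts: list = field(default_factory=list)        # what the user is shown

    def queue(self, contact, key, text):
        """A message was encrypted to `key` but delivery is not yet confirmed."""
        self.trusted_key[contact] = key
        self.undelivered.setdefault(contact, []).append(text)

    def on_key_change(self, contact, new_key):
        """The server reports a new key for `contact`.
        Returns the (key, text) envelopes that leave the device as a result."""
        if new_key == self.trusted_key.get(contact):
            return []
        if self.blocking:
            self.alerts.append(f"{contact}: key changed, verify before sending")
            return []                # nothing is re-encrypted until approve()
        if self.warnings_enabled:
            self.alerts.append(f"{contact}: security code changed")
        return self._release(contact, new_key)   # automatic re-encrypt and resend

    def approve(self, contact, new_key):
        """The user has compared keys with the contact out of band."""
        return self._release(contact, new_key)

    def _release(self, contact, new_key):
        self.trusted_key[contact] = new_key
        return [(new_key, t) for t in self.undelivered.pop(contact, [])]

def demo(blocking, warnings_enabled):
    """One undelivered message, then the server announces an unverified key."""
    client = SenderClient(blocking, warnings_enabled)
    client.queue("bob", "KEY_BOB_OLD", "meet at 6")       # constructed sample data
    sent = client.on_key_change("bob", "KEY_UNVERIFIED_NEW")
    return sent, client.alerts
```

With `blocking=False` and warnings off, the queued message goes out under the unverified key and the sender sees nothing. With `blocking=True`, the message stays on the device until `approve()` is called.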

According to Facebook, which owns WhatsApp, the flaw is not a bug, but actually a feature. Thanks to this, people who change their phones or SIM cards will still receive their messages:

This is because in many parts of the world, people frequently change devices and SIM cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.

Boelter reported the backdoor to Facebook in April 2016, before posting it on his blog. Facebook replied, admitting that it was aware of the problem, but was not going to do anything about it.

We were previously aware of the issue and might change it in the future, but for now it’s not something we’re actively working on changing

Open source

Many security experts insist that the most secure channels are those that use open source software, such as Signal. With proprietary software, users have no way of verifying a company’s claims. Also, users can constantly challenge and improve open source software. This way, developers can promptly fix errors and the software becomes more robust.

Boelter himself supports this view:

Proprietary closed-source crypto software is the wrong path. After all, this potentially malicious code handles all our decrypted messages. Next time the FBI will not ask Apple but WhatsApp to ship a version of their code that will send all decrypted messages directly to the FBI.

Online security has become a crucial element of our democracies. With laws like the recently approved Investigatory Powers Act, governments will have great powers to peek into everything we do. And as such, we should all worry. Even those of us who believe we have nothing to hide.


It’s been brought to our attention that the use of the term “backdoor” is not strictly correct in this particular case.

Whisper Systems has issued an article setting out its position and expressing disappointment with the way The Guardian initially reported the story.

We would also point readers towards some excellent explanatory pieces from the Electronic Frontier Foundation and the Open Rights Group.

We apologise for not picking up the inaccuracy before publication and hope that with these linked articles, readers will now be able to obtain a broader understanding of the topic.


Featured image via Flickr
