WhatsApp is again under the spotlight for privacy issues. The Guardian reported on 13 January that a researcher from the University of California had found a security backdoor in the software. Through this backdoor, it would be possible to intercept messages, even if they are encrypted. And although a BBC Newsbeat article tried to downplay the weakness, it’s clear that there’s a problem.
End-to-end encryption
Last April, WhatsApp turned on its end-to-end encryption protocol by default for every message sent through the platform.
The way this protocol works is that the sender’s device encrypts the message when it leaves, and the receiver’s device decrypts it when it arrives. Only the receiver has the key to decipher the message, which means that the platform is unable to read it. This is one of the assets of the protocol: even if a court order demanded access to the conversations, the companies that use it would be unable to comply with the order.
But this may no longer be the case for WhatsApp. Tobias Boelter, the researcher who found the backdoor, told The Guardian:
If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.
A deficient implementation
The specific end-to-end protocol used by WhatsApp is a product of Open Whisper Systems. Signal, the messaging platform used by Edward Snowden and deemed the most secure by experts, uses the very same protocol.
I use Signal every day. #notesforFBI (Spoiler: they already know) https://t.co/KNy0xppsN0
— Edward Snowden (@Snowden) November 2, 2015
Despite using the same protocol, the backdoor found in WhatsApp is not present in Signal. Instead, the problem lies in the way that WhatsApp implemented the protocol on its platform.
In WhatsApp, if a message is not delivered, the program can generate new keys, use them to re-encrypt the message, and send it again. What this means is that if an attacker registers in WhatsApp using the receiver’s number, the program will re-encrypt the message using the attacker’s key and send it to the attacker. The legitimate receiver will not receive the message, and WhatsApp will only alert the sender if they have opted in to encryption warnings.
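The sender-side decision described above can be modelled in a few lines. This is an added example, not WhatsApp's or Open Whisper Systems' code: the class, method and setting names are hypothetical, the phone number and keys are constructed, encryption itself is not modelled, and the blocking policy is an assumed alternative shown for comparison.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Short fingerprint a user could compare out of band."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class SenderClient:  # hypothetical model of the sending app
    block_on_key_change: bool              # True: hold messages until the user verifies
    show_security_warnings: bool = False   # the opt-in warning the article mentions
    pinned: dict = field(default_factory=dict)   # number -> trusted fingerprint
    pending: dict = field(default_factory=dict)  # number -> undelivered plaintexts
    alerts: list = field(default_factory=list)

    def queue(self, number: str, key: bytes, text: str) -> None:
        """Pin the key on first use and queue a message that was not delivered."""
        self.pinned.setdefault(number, fingerprint(key))
        self.pending.setdefault(number, []).append(text)

    def on_key_change(self, number: str, new_key: bytes) -> list:
        """Server reports a key for the number. Returns the messages that
        would be re-encrypted to that key and sent."""
        new_fp = fingerprint(new_key)
        if new_fp == self.pinned.get(number):
            return self._release(number)   # same key, nothing changed
        if self.block_on_key_change:
            self.alerts.append(f"{number}: key changed to {new_fp}, verify before sending")
            return []                      # nothing leaves until verify() is called
        if self.show_security_warnings:
            self.alerts.append(f"{number}: key changed to {new_fp}")
        self.pinned[number] = new_fp       # new key is trusted automatically
        return self._release(number)

    def verify(self, number: str, new_key: bytes) -> list:
        """User confirmed the new fingerprint out of band; trust it and send."""
        self.pinned[number] = fingerprint(new_key)
        return self._release(number)

    def _release(self, number: str) -> list:
        return self.pending.pop(number, [])

def scenario(block: bool, warnings: bool):
    """Constructed run: a message is queued under the old key, then the number re-registers."""
    client = SenderClient(block, warnings)
    client.queue("+10000000000", b"old-device-key", "meet at 6")
    released = client.on_key_change("+10000000000", b"new-device-key")
    return released, client.alerts, client.pending
```

With `block=False` and `warnings=False` the queued message is released to the new key and the sender sees no alert; with `block=True` it stays pending until `verify()` is called.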
According to Facebook, which owns WhatsApp, the flaw is not a bug, but actually a feature. Thanks to this, people who change their phones or SIM cards will still receive their messages:
This is because in many parts of the world, people frequently change devices and SIM cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.
Boelter reported the backdoor to Facebook in April 2016, before posting it on his blog. Facebook replied, admitting that it was aware of the problem, but was not going to do anything about it.
We were previously aware of the issue and might change it in the future, but for now it’s not something we’re actively working on changing.
Open source
Many security experts insist that the most secure channels are those that use open source software, such as Signal. With proprietary software, users have no way of verifying a company’s claims. Also, users can constantly challenge and improve open source software. This way, developers can promptly fix errors and the software becomes more robust.
Boelter himself supports this view:
Proprietary closed-source crypto software is the wrong path. After all, this potentially malicious code handles all our decrypted messages. Next time the FBI will not ask Apple but WhatsApp to ship a version of their code that will send all decrypted messages directly to the FBI.
Online security has become a crucial element of our democracies. With laws like the recently approved Investigatory Powers Act, governments will have great powers to peek into everything we do. And as such, we should all worry. Even those of us who believe we have nothing to hide.
UPDATE
It’s been brought to our attention that the use of the term “backdoor” is not strictly correct in this particular case.
Whisper Systems has issued an article setting out its position and expressing disappointment with the way The Guardian initially reported the story.
We would also point readers towards some excellent explanatory pieces from the Electronic Frontier Foundation and the Open Rights Group.
We apologise for not picking up the inaccuracy before publication and hope that with these linked articles, readers will now be able to obtain a broader understanding of the topic.