According to the research, it appears that a weakness in how WhatsApp handles encryption key changes could allow Facebook, and any government agency able to compel it, to read user messages.
Privacy concerns arose after Tobias Boelter, a security researcher at the University of California, Berkeley, found an issue in the app's end-to-end encryption, a feature added last year as a privacy measure.
In practice this means the company can cause messages sent while the recipient is offline to be re-encrypted for a different device and delivered there, without the knowledge of either party. The trigger is a change in the recipient's encryption key: when a new key is registered for the recipient of an undelivered message, the sender's app automatically re-encrypts the message to the new key and resends it. Unless the sender has security notifications enabled, nothing at all is displayed; with them enabled, the sender sees a warning, but only after the message has already been resent.
“If WhatsApp was asked by a government agency to disclose its messaging records it can effectively grant access due to the change in keys,” Boelter told the Guardian.
This loophole is specific to WhatsApp's handling of key changes rather than to the Signal protocol it uses (the Signal app refuses to deliver to a changed key until the user verifies it). It also allows access to full conversation transcripts rather than isolated messages, a prospect considered especially worrying for journalists, activists and everyday citizens of countries with oppressive governments.
“[Some] might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”
Boelter notified Facebook about the vulnerability in spring 2016, but the company described it as “expected behaviour” and has not changed it.
Experts describe the news as “serious” and “alarming” in an era when governments are searching for means to bypass encryption – slating the company for privacy violations.
“The potential for government abuses from this misuse of encryption with WhatsApp is alarming,” said Kevin Bocek, chief cyber security strategist at Venafi. “This is a serious vulnerability.”
Bocek strongly recommends that companies put systems in place to protect their cryptographic keys as soon as possible. “This is critical at a time when governments worldwide are attempting to break down and intrude on the use of encryption to protect privacy, a basic right for people worldwide.”
WhatsApp confirmed that the behaviour is deliberate and intended to keep messaging working for users: keys (shown in the app as security codes) change when a user switches device or reinstalls the app, and the app resends rather than drops messages that were in transit at the time.
“In many parts of the world, people frequently change devices and SIM cards,” the company said. “In these situations, we want to make sure people’s messages are delivered, not lost in transit.”
WhatsApp did not comment on the possibility of the behaviour being used to help law enforcement and government agencies, referring media enquiries to Facebook’s Transparency Report.
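The following Python script is an added illustration, not code from the article, from Boelter, or from WhatsApp. It models the retransmission behaviour described above as a sender-side policy choice: a "resend" policy that re-encrypts every undelivered message to whatever key the server now reports for the recipient (the behaviour described for WhatsApp), beside a "block" policy that holds messages until a human verifies the new key. The cipher (a SHA-256 counter-mode keystream with an HMAC tag) is a constructed stand-in for the real Signal ratchet so that the demo runs on the standard library, and the parties, messages and key fingerprints are constructed sample data.

```python
# Added example: "resend to the new key" versus "block until verified" for held messages.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a constructed stand-in, enough to bind a ciphertext to one key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes, bytes]:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Returns None when the ciphertext was produced for a different key."""
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def fingerprint(key: bytes) -> str:
    """Stands in for the 'security code' the app shows for a contact."""
    return hashlib.sha256(key).hexdigest()[:16]


@dataclass
class Server:
    """Holds the recipient's current key and every ciphertext not yet delivered."""
    recipient_key: bytes
    held: List[Tuple[bytes, bytes, bytes]] = field(default_factory=list)

    def accept(self, nonce: bytes, ct: bytes, tag: bytes) -> None:
        self.held.append((nonce, ct, tag))  # recipient is offline: nothing is delivered

    def rotate_recipient_key(self, new_key: bytes) -> None:
        # A reinstall or new SIM in the honest case; a server-chosen key in the hostile case.
        self.recipient_key = new_key


@dataclass
class Sender:
    policy: str             # "resend" or "block"
    notifications: bool     # the "Show security notifications" setting
    trusted_fp: str         # fingerprint of the key the sender first saw for the contact
    unacked: List[bytes] = field(default_factory=list)  # plaintexts without a delivery receipt
    warnings: List[str] = field(default_factory=list)

    def send(self, server: Server, plaintext: bytes) -> None:
        server.accept(*encrypt(server.recipient_key, plaintext))
        self.unacked.append(plaintext)  # kept locally so the app can retransmit

    def sync(self, server: Server) -> None:
        """Run when the server announces a new key for the recipient."""
        new_fp = fingerprint(server.recipient_key)
        if new_fp == self.trusted_fp:
            return
        if self.policy == "resend":
            for plaintext in self.unacked:  # re-encrypt every held message to the new key
                server.accept(*encrypt(server.recipient_key, plaintext))
            if self.notifications:          # the warning appears only after the resend
                self.warnings.append(f"security code changed to {new_fp}")
            self.trusted_fp = new_fp
        else:                               # "block": nothing leaves until a human verifies new_fp
            self.warnings.append(f"key change to {new_fp} blocked; verify before sending")


def run_scenario(policy: str, notifications: bool) -> dict:
    """Alice is offline, Bob sends two messages, then the key recorded for Alice changes."""
    alice_key = os.urandom(32)
    server = Server(recipient_key=alice_key)
    bob = Sender(policy=policy, notifications=notifications, trusted_fp=fingerprint(alice_key))
    bob.send(server, b"meet at 9")            # constructed sample messages
    bob.send(server, b"bring the documents")
    new_key = os.urandom(32)                  # whoever holds this key reads whatever is resent
    server.rotate_recipient_key(new_key)
    bob.sync(server)
    readable = [p for p in (decrypt(new_key, *m) for m in server.held) if p is not None]
    return {"readable_with_new_key": readable, "sender_warned": bool(bob.warnings)}


if __name__ == "__main__":
    for policy, notify in (("resend", False), ("resend", True), ("block", True)):
        print(policy, notify, run_scenario(policy, notify))
```

Under the "resend" policy both held messages become readable to the holder of the new key whether or not notifications are on; the setting only decides whether Bob learns about it afterwards. Under the "block" policy the ciphertexts made for Alice's original key stay unreadable to the new key and nothing is resent. Withholding the delivery receipt, as the quoted paragraph below describes, is what keeps messages in `unacked` long enough for a later key change to sweep up a whole conversation.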
Protecting your messages:
WhatsApp users can change their settings so that they are alerted when a contact’s encryption key changes. The alert states that one of their messages was delivered to a device with a different key. To turn the warnings on, go to Settings -> Account -> Security -> Show security notifications. Note that the warning is shown after the fact: enabling it does not stop the message from being resent to the new key, it only tells you that this has happened.
An alternative is to switch to a messaging app that handles key changes more conservatively, such as Signal.
Photo credit: Sam Azgor