Security backdoor found in end-to-end encryption system used in WhatsApp

A security researcher has found a backdoor in the end-to-end encryption system used by the WhatsApp messaging service. The vulnerability would allow Facebook to read messages sent through the supposedly secure system, and would therefore make it possible for the company to comply with court orders to hand messages over to government bodies.

End-to-end encryption normally means that only the intended recipient can decrypt a message, and not even the company operating the service; the specific implementation used in WhatsApp, however, includes a major security hole …

The Guardian reports that Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, discovered that WhatsApp can force a change of a user’s encryption key while that user is offline. Any unsent messages to that user are then re-encrypted and transmitted with the new key. With the default app settings, neither sender nor recipient has any way to know that this has happened.

The recipient is not made aware of this change of key, and the sender is only notified if they have opted in to encryption warnings in settings, and even then only after the messages have already been re-sent. Because the service is the one distributing keys, a key of its own choosing would let it decrypt the re-sent messages, so this re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.

Although WhatsApp is based on the Signal protocol created by Open Whisper Systems, the same vulnerability does not exist in the Signal app, raising questions about how it came to be present in WhatsApp – and whether that was an oversight or a deliberate act.

[In Signal], if a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.
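To make the difference concrete, here is an added example (not code from WhatsApp, Signal, or the Guardian) that simulates the two policies for a sending client with a queued message when the server announces a new recipient identity key: the "resend" policy re-encrypts and delivers automatically, as described for WhatsApp above, and the "block" policy holds the queue until the user accepts the new key, as described for Signal. The `seal` function is a keyed digest standing in for real encryption so the example runs offline, the key names and key bytes are constructed, and the notification strings are illustrative.

```python
import hashlib
from dataclasses import dataclass

RESEND = "resend"   # queued messages are re-encrypted to the new key and sent at once
BLOCK = "block"     # queued messages are held until the user accepts the new key


def seal(key: bytes, plaintext: str) -> bytes:
    """Stand-in for message encryption (NOT real crypto): a keyed digest that
    records which identity key a ciphertext was bound to."""
    return hashlib.sha256(key + b"|" + plaintext.encode()).digest()


@dataclass
class Pending:
    text: str
    key_id: str        # identity key the ciphertext is currently bound to
    ciphertext: bytes


class Sender:
    """Models how a sending client reacts to a recipient key change."""

    def __init__(self, policy: str, warnings_enabled: bool = False):
        self.policy = policy
        self.warnings_enabled = warnings_enabled
        self.peer_key_id = None
        self.peer_key = None
        self.outbox = []          # encrypted but not yet delivered
        self.delivered = []       # (text, key_id) pairs that have left the device
        self.notifications = []   # what the user was shown, in order
        self.awaiting_approval = False

    def learn_key(self, key_id: str, key: bytes) -> None:
        self.peer_key_id, self.peer_key = key_id, key

    def send(self, text: str) -> None:
        # Recipient may be offline, so the message waits in the outbox.
        self.outbox.append(Pending(text, self.peer_key_id, seal(self.peer_key, text)))

    def _flush(self) -> None:
        for msg in self.outbox:
            self.delivered.append((msg.text, msg.key_id))
        self.outbox.clear()

    def on_key_change(self, key_id: str, key: bytes) -> None:
        """Server reports that the recipient re-registered with a new identity
        key while messages were still queued."""
        self.learn_key(key_id, key)
        if self.policy == RESEND:
            # Re-encrypt every queued message to the new key and push it out
            # before the user has seen anything; the warning, if enabled at all,
            # arrives after the fact.
            for msg in self.outbox:
                msg.key_id, msg.ciphertext = key_id, seal(key, msg.text)
            self._flush()
            if self.warnings_enabled:
                self.notifications.append(
                    f"security code changed to {key_id} (messages already re-sent)")
        else:
            # Hold the queue; only a human decision releases it.
            self.awaiting_approval = True
            self.notifications.append(
                f"security code changed to {key_id}; {len(self.outbox)} message(s) held")

    def approve_key(self) -> None:
        """User verified the new key out of band; now re-encrypt and send."""
        if not self.awaiting_approval:
            return
        for msg in self.outbox:
            msg.key_id, msg.ciphertext = self.peer_key_id, seal(self.peer_key, msg.text)
        self._flush()
        self.awaiting_approval = False


def run_scenario(policy: str, warnings_enabled: bool = False) -> dict:
    """Recipient is offline with one message queued; the server then announces
    a new identity key K2. Constructed keys, not real key material."""
    s = Sender(policy, warnings_enabled)
    s.learn_key("K1", b"recipient-original-identity-key")
    s.send("meet at the usual place")
    # Whoever controls key registration (the service) supplies K2.
    s.on_key_change("K2", b"key-chosen-by-whoever-controls-registration")
    return {
        "delivered": list(s.delivered),
        "held": [m.key_id for m in s.outbox],
        "notifications": list(s.notifications),
    }


if __name__ == "__main__":
    for policy, warn in ((RESEND, False), (RESEND, True), (BLOCK, False)):
        print(policy, "warnings" if warn else "no warnings", run_scenario(policy, warn))
```

The point the simulation makes: under the resend policy the queued message leaves the device bound to K2 before any warning is shown, so whoever supplied K2 can read it; under the block policy it stays bound to K1 until a human has verified the change and called `approve_key()`.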

More worryingly still, when Boelter reported the issue to Facebook back in April of last year, he was told that it was ‘expected behaviour.’

Update: WhatsApp has again confirmed that its approach is deliberate.

The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. This claim is false.

WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor.  The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.  WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook

However, the Guardian did not claim that WhatsApp ‘gave governments a backdoor,’ only that the company could access messages, and would therefore be able to do so for governments when faced with a court order. Notably, WhatsApp’s own security page claims that it is unable to do this (bold text is our emphasis):

WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp.

With both US and UK governments able to intercept data from the entire population of their country, without any suspicion of criminal activity being required, privacy campaigners have said that the backdoor is a huge deal.

Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, called the existence of a backdoor within WhatsApp’s encryption “a gold mine for security agencies” and “a huge betrayal of user trust” […]

Jim Killock, executive director of Open Rights Group, said: “If companies claim to offer end-to-end encryption, they should come clean if it is found to be compromised – whether through deliberately installed backdoors or security flaws. In the UK, the Investigatory Powers Act means that technical capability notices could be used to compel companies to introduce flaws – which could leave people’s data vulnerable.”

Facebook refused to comment on whether it had used the backdoor to access messages, or whether any such access was performed at the request of government agencies. The company had already come under fire for collecting data from WhatsApp users after its acquisition of the service.

WhatsApp is commonly used by whistleblowers and campaigners in countries with poor records on human rights. Anyone concerned about the privacy of their messages would seem to be well advised to use iMessage or Signal instead of WhatsApp.

A much less serious vulnerability was previously discovered in WhatsApp, with the same issue present in iMessage, but that one would require either unlocked access to one of your devices, or access to your iCloud backup.
