No backdoor in WhatsApp, say experts
Encryption experts have roundly rejected a report asserting that a security vulnerability has been found in the popular messaging app WhatsApp that could allow owner Facebook and others to snoop on messages sent through the service.
The Guardian last week reported on a claimed discovery by a University of California, Berkeley researcher that WhatsApp has the ability to circumvent encryption protocols to allow messages to be sent to another user.
WhatsApp uses Open Whisper Systems’ Signal protocol to ensure end-to-end encryption of sent messages. But the report claimed WhatsApp can force the generation of new encryption keys for offline queued messages, and have the sender re-encrypt messages using the new keys and resend them.
The report claims this feature could be used as a backdoor for WhatsApp, governments and malicious parties to intercept messages.
But in a blog post, Open Whisper founder Moxie Marlinspike rejected claims there is a WhatsApp backdoor, stating that the process described in the Guardian article is not a bug, but simply the way encrypted communications work.
If a user changes devices or simply reinstalls WhatsApp, his or her identity key pair will change, requiring the generation of a new key for conversations with other users, Marlinspike said.
Without the functionality described in the article, ongoing conversations would be disrupted when the keys change, which would reduce WhatsApp’s usability particularly in developing markets, where users frequently switch SIM cards.
WhatsApp also includes an optional setting designed to notify users when encryption keys change. WhatsApp clients have also been designed so that servers have no knowledge of whether this setting has been activated.
As a result, Facebook and WhatsApp would not be able to man in the middle conversations without risking being caught and governments would be reluctant to force the company to do so for surveillance processes because it would risk alerting targets that an investigation is taking place.
Criminals would likewise not be able to exploit the setting without seizing control of a WhatsApp server or telecoms network, an improbable feat.
Even if the loophole could be exploited, it could only be used to view the contents of messages in transit, not any past conversations, Marlinspike said.
“The WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered. Once the sending client displays a ‘double check mark’, it can no longer be asked to re-send that message. This prevents anyone who compromises the server from being able to selectively target previously delivered messages for re-encryption.”
In a tweet, former lead developer for Signal Frederic Jacobs, now working at Apple, likewise dismissed the report. “It’s ridiculous that this is presented as a backdoor. If you don’t verify keys, authenticity of keys is not guaranteed. Well known fact,” he wrote.
Secure-by-design software development for digital innovation
The rise of DevSecOps methodologies and developments in AI offers every business the opportunity...
Bolstering AI-powered cybersecurity in the face of increasing threats
The escalation of complex cyber risks is becoming a pressing issue for those in business...
How attackers are weaponising GenAI through data poisoning and manipulation
The possibility for shared large language models to be manipulated through data poisoning...
