WhatsApp vulnerability allows spying on encrypted messages; privacy campaigners worried

WhatsApp is one of the most popular messaging apps in India. Globally it has over a billion plus users. WhatsApp is also one of the messaging apps to have end to end encryption. But according to a latest report in The Guardian, Facebook can read WhatsApp messagesdue to the way the end to end encryption protocol has been implemented.

A security backdoor which allows not just Facebook, but others as well to read the encrypted messages has been discovered in WhatsApp. Privacy campaigners have stated that this backdoor is a huge security threat to the freedom of speech. Also they have warned that government agencies could snoop in on conversations.

Ever since WhatsApp announced that it will be using end to end encryption, it has been used by a lot of activists, dissidents as well as people across different stratas of the society. WhatsApp uses the Signal protocol for implementing its end-to-end encryption. This protocol has been developed by Open Whisper Systems. In this security keys are exchanged between the users to guarantee that the communication is secure. This is to ensure that there can be no snooping, as you need to decrypt the message to read its contents. Till this point everything is fine.

But the report states that WhatsApp has the ability to force the generation of new encryption keys when users are offline. This is not known the to sender and the receiver of the message. The sender is then prodded on to resend the message using these new keys and send them again to the receiver for any messages that have not gone through, or you haven’t got any blue ticks, to indicate that the message has been delivered. The user does not have any advance warning or any chance to prevent sending such a message.

READ  WhatsApp rolls out ‘Two-Step Verification’ why it is important

While the receiver is not aware of the change in encryption, the sender is notified only if they have opted-in for encryption warnings in the settings menu. This re-encryption and resending messages makes them vulnerable to be intercepted.

This is not to say that the Signal protocol is at fault. Far from it. The Signal app, endorsed by none other than NSA whistle-blower Edward Snowden, does not have this issue. If the recipient changes the encryption keys when offline, then the receiver will not get the message. Following which the sender will be notified of the changed keys. There will no automatic resending of the message.

Cryptography and research expert from the University of California, Tobias Boelter, discovered this backdoor, said that if the government asks WhatsApp to submit data, WhatsApp could grant access for messages where encryption keys changed. This could be used against anti-establishments activists or protestors. Boelter claims he had updated Facebook about the backdoor vulnerability back in April 2016, which Facebook dismissed as ‘expected behaviour’.

According to Boelter, this vulnerability could be used to snoop on not just individual messages but entire conversations. “WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message,” said Boelter.

According to Professor Kirstie Ball, founder of Centre for Research into Information, Surveillance and Privacy, the existence of the backdoor is a ‘goldmine for security agencies’. “Consumers will say, I’ve got nothing to hide, but you don’t know what information is looked for and what connections are being made,” said Ball.

READ  Facebook’s ‘Future of Business Survey’ finds that SMEs in India are quite positive about their future

A WhatsApp spokesperson told Guardian that WhatsApp believes that people’s communication must be secure and private. The spokesperson pointed out that in WhatsApp’s Signal protocol implementation, there is a ‘Show Security Notifications’ setting (Settings > Account > Security) which notifies when a contact’s security code has changed. “We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit,” said the spokesperson.