The security of the Facebook-owned WhatsApp messaging service may not be as strong as previously believed, with a reported discovery of a backdoor that potentially allows Facebook see the contents of encrypted messages [updated with statement from WhatsApp].
WhatsApp has used end-to-end encryption on all communications between its users since April last year, with one-on-one messages encrypted by default since 2014. The app uses the Signal protocol from Open Whisper Systems to handle the encryption process, a protocol that Facebook's own Messenger app also employs.
Usually, unique security keys are traded between the users to confirm the communications are secure before sending messages. University of California cryptography and security researcher Tobias Boelter told The Guardian WhatsApp is capable of forcing apps to create new encryption keys for offline users.
Once new keys are created, the sender's app can be made to re-encrypt unreceived messages and resend them, allowing messages to be read once intercepted.
The users are not necessarily aware of the change in security keys, as the message sender would be notified if they had enabled encryption warnings in the app's settings. Message recipients are not warned of the changed key by the app at all.
The potential Whatsapp backdoor is of grave concern to privacy advocates, due to the possibility of governments leveraging it to monitor communications between persons of interest.
WhatsApp responded to the allegations with the following statement:
"The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a 'backdoor' allowing governments to force WhatsApp to decrypt message streams. This claim is false.
"WhatsApp does not give governments a 'backdoor' into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report."
Boelter informed Facebook of the backdoor vulnerability in April 2016, with Facebook replying that it was aware of the issue, it was "expected behavior" for the app, and it wasn't being worked on by the social network. The report has verified the backdoor continues to exist in the most recent releases of the app.
A spokesperson for WhatsApp responded to the report, noting the security notifications options in the settings menu, by suggesting it is there as a matter of convenience.
"We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp," the representative claims. "This is because in many parts of the world, people frequently change devices and SIM cards. In these situations, we want to make sure people's messages are delivered, not lost in transit."
The potential backdoor is of grave concern to privacy advocates, due to the possibility of governments leveraging it to monitor communications between persons of interest. When asked if the backdoor had been used to access messages, and if it was done on the orders of a government agency, the WhatsApp spokesperson directed the publication to Facebook's Government Requests Report.
Co-director and founder of the Centre for Research into Information, Surveillance, and Privacy, calls the backdoor "a goldmine for security agencies" and a "huge betrayal of user trust." Open Rights Group executive director Jim Killock said that companies claiming to offer end-to-end encryption "should come clean if it is found to be compromised - whether through deliberately installed backdoors or security flaws."
Governments and security agencies have wanted access to encrypted communications in messaging apps for quite a while, with end-to-end encryption becoming more of a reason to use certain apps than ever before.
Apple's iMessage uses end-to-end encryption to protect messages, preventing it from reading the content at all. Apple has however acknowledged it periodically uploads metadata for a message, including phone numbers, dates, and times, with law enforcement able to subpoena the company for access to that information.