WhatsApp has a backdoor that allows snooping on end-to-end encrypted messages [updated]

In 2016, WhatsApp finally enabled complete end-to-end encryption for both chats and video calls to ensure that no one but the intended recipient can decipher contents of their communications. Unfortunately, it’s come to light that WhatsApp’s system has been plagued by a major vulnerability which was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley.

In an interview with the British newspaper The Guardian, Boelter said the backdoor could let Facebook read end-to-end encrypted content, meaning the social network could be complied with court orders to make decrypted messages available to law enforcement and other government agencies

UPDATE: We’ve received a response from WhatsApp regarding the alleged backdoor.

A WhatsApp spokesperson provided the following statement to iDownloadBlog, explaining why The Guardian’s claim of potentially compromised security is false.

The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams.** This claim is false.**

WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.

WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report. (https://govtrequests.facebook.com/)

Encryption utilized by WhatsApp is based on Open Whisper Systems’s Signal protocol.

What’s suspicious here is that the same vulnerability is not present in the Signal app. Boelter has confirmed that the vulnerability basically permits WhatsApp to change encryption keys for offline users. As a result, any unsent or future messages would be sent with a new encryption key without the recipient realizing it.

The sender is only notified if they have opted-in to encryption warnings in WhatsApp’s settings, but only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.

Contrast this to the aforesaid Signal system which notifies the sender of any change in security keys without automatically resending the message. In fact, a message won’t be delivered via the Signal app if a change in the encryption keys occurs.

Boelter reported the issue to Facebook in April 2016 only to be told that this was “expected behavior,” raising suspicion that this could be a deliberately created backdoor rather than be an engineering oversight or a bug of some sort.

More worryingly, The Guardian has verified that the backdoor still exists today.

Privacy campaigners have criticized the development as a “huge threat to freedom of speech,” saying it could be exploited by government agencies. The existence of a backdoor within WhatsApp’s encryption is “a gold mine for security agencies” and “a huge betrayal of user trust,” said Kristie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy.

At any rate, Facebook should definitely come clean on whether or not WhatsApp’s end-to-end encryption has been compromised. And if so, the inevitable question arises: has Facebook been compelled by a third party to build a backdoor in WhatsApp?

Facebook declined comment, but we’ll update the article if and when they do.

Source: The Guardian