WhatsApp could be exploited by government agencies

Jan 13, 2017 12:59 GMT

WhatsApp is widely believed to be one of the most secure messaging applications, since it encrypts the messages in conversations and its founders have said that not even they can access them. However, it seems that a backdoor allows WhatsApp messages to be disclosed.

Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, told the Guardian that “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.” The cryptographer discovered the security backdoor in WhatsApp and said that Facebook and others could potentially intercept and read encrypted messages in the app.

Facebook had claimed that no one can intercept WhatsApp messages, not even company staff, but the new report seems to refute this. WhatsApp uses end-to-end encryption that generates unique security keys using the Signal protocol, created by Open Whisper Systems.

“A gold mine for security agencies”

WhatsApp issues new encryption keys to users who are offline, and can make the sender re-encrypt undelivered messages with the new keys and send them again. The recipient is not notified of the key change, and the sender is made aware only if they previously opted in to encryption warnings under settings, and only after the messages have already been re-sent. It is this re-encryption step that gives WhatsApp the ability to read user messages.

Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, says that the backdoor is a “huge threat” to freedom of speech and “a gold mine for security agencies,” while some Twitter users warned others to stop using WhatsApp.

WhatsApp can resend undelivered messages with a new security key and thus give its staff access to them. It seems that the backdoor vulnerability isn’t linked to the Signal protocol, as Open Whisper Systems’ messaging app, Signal, doesn’t suffer from it.
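The retransmission behaviour described in the two paragraphs above, as an added toy model that is not WhatsApp's or Signal's code: a sender's client learns that the recipient's identity key changed while a message was still queued, and handles it under two constructed policies, "auto_resend" (re-encrypt under the new key and re-send, warning the user only afterwards and only if opted in) and "block_until_verified" (hold the message until the user checks the new key). The XOR "cipher", the Server class, the user names and the policy names are all assumptions made for the illustration.

```python
import hashlib, os

def toy_encrypt(key, data):
    # Toy XOR stream keyed by SHA-256 (NOT secure); decrypt = encrypt.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(p ^ k for p, k in zip(data, stream))

class Server:  # constructed key directory + store-and-forward queue
    def __init__(self):
        self.keys, self.queue = {}, {}  # user -> key; user -> [(key, ciphertext)]
    def register(self, user, key):
        self.keys[user] = key
    def submit(self, to, key, ciphertext):
        self.queue.setdefault(to, []).append((key, ciphertext))

class SenderClient:
    def __init__(self, server, policy, warnings_enabled=False):
        self.server, self.policy, self.warnings_enabled = server, policy, warnings_enabled
        self.trusted, self.outbox, self.events = {}, {}, []  # TOFU keys, unconfirmed msgs, UI
    def send(self, peer, plaintext):
        key = self.server.keys[peer]
        self.trusted.setdefault(peer, key)  # trust on first use
        self.outbox.setdefault(peer, []).append(plaintext)
        self.server.submit(peer, key, toy_encrypt(key, plaintext))
    def on_key_change(self, peer):  # server reports a new identity key for peer
        new_key = self.server.keys[peer]
        if self.policy == "block_until_verified":
            # Queued messages stay under the old key until the user verifies the
            # new one; nothing is re-sent silently.
            self.events.append(("KEY_CHANGED_BLOCKED", peer))
            return
        # "auto_resend": re-encrypt all undelivered messages under the new key,
        # then warn the user only if opted in, and only after the re-send.
        for plaintext in self.outbox.get(peer, []):
            self.server.submit(peer, new_key, toy_encrypt(new_key, plaintext))
        self.trusted[peer] = new_key
        if self.warnings_enabled:
            self.events.append(("KEY_CHANGED_WARNING", peer))

def run(policy, warnings_enabled=False):
    """Return (plaintexts readable with the new key, events shown to Alice)."""
    server = Server()
    server.register("bob", os.urandom(32))
    alice = SenderClient(server, policy, warnings_enabled)
    alice.send("bob", b"meet at 9")  # Bob offline: message waits on the server
    server.register("bob", new_key := os.urandom(32))  # key changes while queued
    alice.on_key_change("bob")
    readable = [toy_encrypt(k, c) for k, c in server.queue["bob"] if k == new_key]
    return readable, alice.events
```

Under "auto_resend" whoever holds the new key can read the queued message before Alice sees any warning; under "block_until_verified" the message stays unreadable with the new key until the user acts, which is the design difference the article turns on.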

Facebook is reportedly aware of the issue, as Boelter reported the issue to the company in April 2016. The company told the cryptographer that it was a known issue, describing it as “expected behavior.”

Update: WhatsApp has reached out to comment and said that this feature is not intended to be a backdoor for governments, but a convenience feature that allows users access to messages that would otherwise be lost. "WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report."