The man who found the app’s “backdoor” posted two videos

Jan 17, 2017 18:08 GMT

Last week, there was talk about a supposed vulnerability in WhatsApp, one that could potentially compromise messages sent through the platform. Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, discovered the “backdoor.” 

He found that Facebook and WhatsApp could potentially intercept and read encrypted messages sent within the app. The vulnerability could compromise information sent through the network, despite the fact that WhatsApp uses end-to-end encryption. The cryptographer recently gave an interview to The Guardian explaining the issue.

Every user has a secret and a public key, and the latter is used for encrypting messages that can be made readable again with the associated secret key. WhatsApp stores the recipient’s public key on its central server, while allowing the app to download public keys of contacts automatically.

In this process, WhatsApp could potentially give the user a third party’s public key instead of the recipient’s. In addition, if the recipient changes their phone or reinstalls WhatsApp, they get new public keys for contacts and unread messages are sent again automatically, without giving the user the option to revalidate them. Simplified, this means that all “in transit” messages are sent with the new, potentially compromised key.
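The difference between re-sending automatically and holding messages until the key is revalidated can be modeled in a few lines. This is an added example, not code from WhatsApp, Open Whisper Systems or the researcher; the `SenderClient` class, the `run` helper and the sample keys are hypothetical, and a key fingerprint stands in for actual encryption.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(public_key: bytes) -> str:
    """Short digest of a public key that two users can compare out of band."""
    return hashlib.sha256(public_key).hexdigest()[:16]

@dataclass
class SenderClient:
    """Hypothetical model of a sender's app; not WhatsApp's implementation."""
    block_on_key_change: bool
    trusted: dict = field(default_factory=dict)  # contact -> accepted fingerprint
    pending: list = field(default_factory=list)  # (contact, text) awaiting delivery

    def queue(self, contact: str, text: str, server_key: bytes) -> None:
        # Trust on first use: the first key the server supplies is accepted.
        self.trusted.setdefault(contact, fingerprint(server_key))
        self.pending.append((contact, text))

    def _flush(self, contact: str, fp: str) -> list:
        sent = [(text, fp) for c, text in self.pending if c == contact]
        self.pending = [(c, t) for c, t in self.pending if c != contact]
        return sent

    def on_key_update(self, contact: str, new_key: bytes) -> list:
        """Server reports a new key. Returns (text, key fingerprint) pairs sent."""
        fp = fingerprint(new_key)
        if fp != self.trusted.get(contact) and self.block_on_key_change:
            return []  # hold undelivered messages until the user verifies
        self.trusted[contact] = fp  # non-blocking: accept and re-send at once
        return self._flush(contact, fp)

    def verify(self, contact: str, new_key: bytes, fp_from_contact: str) -> list:
        """User compared fingerprints with the contact over another channel."""
        fp = fingerprint(new_key)
        if fp != fp_from_contact:
            return []  # mismatch: the server-supplied key is not the contact's
        self.trusted[contact] = fp
        return self._flush(contact, fp)

# Constructed sample keys (placeholder byte strings, not real key material).
BOB_OLD, BOB_NEW, OTHER = b"bob-key-1", b"bob-key-2", b"third-party-key"

def run(block: bool, server_supplied: bytes) -> tuple:
    alice = SenderClient(block_on_key_change=block)
    alice.queue("bob", "meet at 6", BOB_OLD)  # Bob is offline; message pending
    sent = alice.on_key_update("bob", server_supplied)
    released = alice.verify("bob", server_supplied, fingerprint(BOB_NEW))
    return sent, released, alice.pending
```

With `block=False` the pending message goes out under whatever key the server supplied; with `block=True` it stays queued unless the fingerprint the contact confirms matches that key.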

Facebook said it was expected behavior inside the app

Tobias Boelter posted two videos on YouTube demonstrating the “backdoor,” as he calls it. One video shows WhatsApp’s vulnerability with encrypted messages, while the other deals with voice calls.

On the other hand, WhatsApp has issued statements claiming that the “backdoor” is actually an intentional design decision that allows millions of messages to be delivered to their intended recipients. Open Whisper Systems, the developer of WhatsApp’s encryption protocol, has backed up WhatsApp’s story. Open Whisper Systems also developed the Signal messaging service, used by many whistleblowers.

The cryptographer informed Facebook about his discovery back in April 2016, but he was told that it was expected behavior inside the app. Whether this is actually a major vulnerability or not is open for debate, but through these videos Tobias Boelter did manage to demonstrate how the supposed “backdoor” works.