WhatsApp backdoor: "A huge threat to freedom of speech"

WhatsApp has a backdoor that could allow Facebook to intercept and read encrypted messages, it is claimed.

According to a report in The Guardian, the way WhatsApp has implemented its end-to-end encryption protocol makes it possible for the company to access private messages, at least in theory.

As the report explains, WhatsApp's encryption "relies on the generation of unique security keys", created using Open Whisper Systems' Signal protocol. These unique keys are traded and verified between users, to ensure that the lines of communication are secure from middlemen.

So far, so good. But it turns out WhatsApp also allegedly has the ability to automatically resend undelivered messages, forcing the generation of new encryption keys unbeknownst to the receiver (the sender is only notified, after the message has been re-sent, if the user has opted-in to encryption warnings in settings). Crucially, this re-encryption could allow WhatsApp or another party to generate known keys, which would allow them to intercept and read the message.

This setup is not native to the Signal protocol, which will fail to deliver a message if the security key has been changed while offline. Instead, the vulnerability is down to WhatsApp's implementation of the protocol, which automatically resends an undelivered message with a new key.

Tobias Boelter, a security researcher from the University of California, Berkeley, discovered the vulnerability, and reported it to WhatsApp's owner, Facebook, in 2016. He was later told that it was "expected behaviour", and The Guardian reported that it has been able to verify that the backdoor still exists.

"If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys," Boelter told The Guardian.

A WhatsApp spokesman denied this when approached by IT Pro, saying: "WhatsApp does not give governments a 'backdoor' into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks."

He added the suggestion that a government could force WhatsApp to give access was false, though The Guardian cited the Investigatory Powers Act's ability to require companies to remove "electronic protection" from data.

The backdoor was also verified by Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights. "WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform," he told the paper.

WhatsApp's supposed attention to information security, implementing end-to-end encryption for all messages in April last year, has made it a choice platform for dissidents, journalists and diplomats. Privacy advocates have damned this revelation of an alleged backdoor, including Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, who said the vulnerability was "a huge threat to freedom of speech".

"If you're using WhatsApp to avoid government surveillance, stop now," tweeted The Guardian's Samuel Gibbs.

"Having a security backdoor that forces the generation of new encryption keys is bad enough. But not making the recipient aware of this change is highly unethical," said Jacob Ginsberg, senior director at encryption software company Echoworx. "It calls into question the security, privacy and credibility of the entire service and the business.

"The fact that Facebook has known about this vulnerability since April is doubly damning. Not only could this be seen by many as supporting on-going government data collection interventions, it means their talk of encryption and privacy has been nothing more than lip service. The company needs to actively address its security measures."

WhatsApp's spokesman told IT Pro: "WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report."