A backdoor in WhatsApp encryption implementation has been discovered by a security researcher that could allow entire conversations to be intercepted and read. The security backdoor can be used to allow the company to intercept and read encrypted messages.
Since the implementation of end-to-end encryption in WhatsApp messaging, Facebook claims “security by default” in WhatsApp. It is claimed by the company that no one can intercept WhatsApp messages, neither any middle-man not the company and its staff.
New research reflects different facts. The research shows that the company could, in fact, read messages due to a flaw in the implementation of its end-to-end encryption protocol.
The security backdoor in WhatsApp encryption implementation was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley.
Signal Protocol is used for end-to-end encryption in WhatsApp
WhatsApp’s end-to-end encryption relies on the generation of unique security keys that are verified between users to guarantee communications are secure and cannot be intercepted by a middleman. It generates the key using the Signal protocol, developed by Open Whisper Systems.
However, the research elaborates that unknown to the sender and recipient, WhatsApp has the ability to generate a new encryption key for the offline recipient.
That simply means WhatsApp can actually intercept the message sent to any recipient who is offline, read user’s message, re-encrypt the message and at last, can release the message to the recipient once he/she comes online.
The recipient is not notified of the Security Key change
During this interception process, the recipient is not made aware of this change in encryption, while the sender is only notified of encryption key change. This is also possible only if the user has turned on the setting to receive notifications when a contacts security code has changed.
The flaw does not reside in the ‘Signal’ protocol. The security flaw is due to the way Signal protocol is implemented in WhatsApp. The same protocol is also used by another secure messaging app named ‘Signal’ which does not suffer from the identified vulnerability. In Signal App, if a recipient changes the security key while offline, for instance, a sent message will fail to be delivered.
Security researcher Boelter asserted that ‘using the retransmission vulnerability, the WhatsApp server can snoop and get a copy of the whole conversation, not just a single message.”
However, this vulnerability doesn’t allow any ‘outside’ hacker to snoop the conversation between a sender, recipient other than the company itself. The researcher said, “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
However, In a statement, a WhatsApp spokesperson ridiculed the researcher’s claim of security flaw. The spokesperson asserted that “security code changes mainly because someone has switched phones or reinstalled WhatsApp. This is because, in many parts of the world, people frequently change devices and sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”