On Jan. 13, The Guardian published a lengthy report alleging the presence of a “security backdoor” in messaging platform WhatsApp. According to story, a WhatsApp security flaw allows Facebook to intercept encrypted chats, and could be used by government agencies to snoop on users’ messages.
The presence of such a loophole would be a bombshell for Facebook-owned WhatsApp, whose users expect robust and impenetrable security. WhatsApp is often used by activists and dissidents in countries whose governments attempt to block messaging as a means of suppressing criticism and discouraging protests.
Except what The Guardian characterized as a “security backdoor” is, in fact, a known aspect of WhatsApp’s encryption tools. As Gizmodo reported several hours after the Guardian story, the “supposed backdoor…is actually a feature working as intended, and it would require significant collaboration with Facebook to be able to snoop on and intercept someone’s encrypted messages, something the company is extremely unlikely to do.” Security researcher Alec Muffett described the Guardian’s story to Gizmodo as “major league fuckwittage,” and Frederic Jacobs, an encryption expert who worked on the Signal encryption protocol used in WhatsApp and other messaging apps, said much the same on Twitter:
WhatsApp’s end-to-end encryption secures messages with a digital lock that only the user and the sender are supposed to be able to unlock—”nobody in between, not even WhatsApp,” reads an explanation on the chat platform’s website. Once activated, encryption is always on, and each message is again protected by a unique lock and key. The Guardian’s story notes that the app also has the ability to generate a new set of keys for messages that have not yet been delivered—something that generally occurs if one user is offline, or if someone is midway through getting a new phone. The Guardian says that means messages could be intercepted, re-encrypted and then delivered to a third party, unbeknownst to the original sender and recipient.
Tobias Boelter, a German computer scientist currently getting his PhD at the University of California, Berkeley, says he discovered the “backdoor” in April 2016, and reported it Facebook shortly thereafter. On his blog, Boelter describes the vulnerability like this:
Alice encrypts her messages with the public key she has received from Bob. But this key is sent through the WhatsApp servers so she can not know for sure that it is actually Bob’s key. That’s why they use a secure channel (the physical channel) to verify this. Now, Alice sends a message to Bob. And then another message. But this time this message does not get delivered. For example because Bob is offline, or the WhatsApp server just does not forward the message. Now the attacker comes in. He registers Bob’s phone number with the WhatsApp server by attacking the way to vulnerable GSM network, putting WhatsApp under pressure or by being WhatsApp itself.
While all that is technically possible, it’s still hard to do. And the same vulnerability that makes the above remotely feasible also makes WhatsApp easier to use for people around the world. Without WhatsApp facilitating the exchange of cryptographic information, users would need to use an additional service or method to share keys when beginning secure communications or transferring them to another device. As an alternative, the app allows its users to verify in person the keys of their contacts after they’ve been exchanged over the internet.
When asked for comment, WhatsApp described The Guardian’s claims as false, and pointed out that its implementation of the Signal protocol includes a “Show Security Notifications” setting that, when selected, notifies a user anytime one of their contacts’ security code has changed. Most likely, that change would be due to a user changing phones or reinstalling the app.
“WhatsApp does not give governments a ‘backdoor’ into its systems, and would fight any government request to create a backdoor,” the company told Quartz in an email. “The design decision referenced in The Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”