WhatsApp backdoor? What is wrong in the last claims?

A security issue can be used to intercept and read encrypted messages. Is this a WhatsApp backdoor? Which are potential risks?

Is the popular messaging service Whatsapp affected by a backdoor? According to a blog post published by The Guardian, the application was affected by a vulnerability that could be exploited by attackers to intercept and read messages.

The issue could not be considered as a backdoor either a vulnerability, it is an issue related to the implementation of the cryptography in the app, in the specific case of user’s encryption key changes.

Even when a new key is generated, for example using a new device,  the user will be able to continue an old conversation without informing the sender of the change. Anyway, specific settings in Whatsapp can enable the notification that the sender transmitted message using a new Key.

The security issue was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley.

“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.” Boelter told the Guardian

Resuming the issue is a serious threat to the users’ privacy, WhatsApp can read encrypted messages sent through the service.

The researcher reported the flaw to WhatsApp in April, but the loophole is still present.

Boelter highlights WhatsApp by default trusts the use of new key without any sender’s notification, he also remarked that the application notifies the sender of the change only after the message is sent even when that default is changed.

On the other end, the application Signal, for example, requires a sender to manually verify keys, WhatsApp doesn’t.

The notorious Moxie Marlinspike, who is considered the mind behind the encryption protocol behind both Signal and WhatsApp explained that the issue could not be considered as a backdoor.

“The fact that WhatsApp handles key changes is not a ‘backdoor,'” reads a blog post published by Moxie. “It is how cryptography works. Any attempt to intercept messages in transmit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.”

Moxie highlighted that WhatsApp takes strict precautions to prevent its servers from knowing which users have enabled security notifications. This means that it should be impossible for attackers to gather information about potential victims that turned off the notification.

Boelter highlighted that an attacker can hack WhatApp servers and gain administrative control over them.

The attacker could force a change of the encryption key for a targeted mobile device allowing the application to use his key to encrypt messages without ever warning the receiver.

The attacker then has to take the targeted phone temporarily unavailable (for a period of hours or days). All the messages that were sent during that time will be stored in a queue and once the phone became available again, the messages will be encrypted with the new attacker key.

The attack anyway is very complex from the attacker perspective because:

• It would require the hack of a WhatsApp server.
• The attacker would have to figure out a way to make the targeted phone unavailable over the network.
• The attack wouldn’t work against encrypted messages stored on a seized phone.

Which is the WhatsApp reply?

“WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.” states WhatsApp

“Ultimately, there’s little evidence of a vulnerability and certainly none of a backdoor—which is usually defined as secret functionality for defeating security measures. WhatsApp users should strongly consider turning on security notifications by accessing Settings > Account > Security.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Backdoor, hacking)