Facebook's WhatsApp has dismissed a charge that its application contains a backdoor that could be used to unlock encrypted messages. Security experts, meanwhile, say that any attempt to target the potential vulnerability would require a relatively far-fetched attack, and they say the issue poses a scant privacy risk to the vast majority of users.
WhatsApp implemented end-to-end encryption in its instant messaging application in April 2016. The move was part of a wave of efforts by technology companies to counter aggressive signals intelligence collection operations revealed by former National Security Agency contractor Edward Snowden.
Ensuring only the sender and recipient can decrypt a message is no easy technological feat, particularly in the mobile device age. Trade-offs have to be made between convenience and security, and one of those is what WhatsApp is being called out on.
The kerfuffle kicked off with a story in the Guardian headlined "WhatsApp vulnerability allows snooping on encrypted messages." It's based on research from Tobias Boelter, a doctoral student at the University of California, Berkeley.
In April 2016, Boelter claimed to have found a weakness that could allow an attacker to intercept and decrypt WhatsApp messages. Although such issues would customarily be privately reported to companies in order to not tip off attackers, Boelter went public with a blog post.
What Boelter claims is a security vulnerability hasn't been fixed. The issue was then resurrected in the Guardian story, which heralded it as a risk to people's privacy. Experts, however, say the issue is more nuanced.
Public Key Crypto
WhatsApp uses public key cryptography to exchange messages. A sender uses the recipient's public key to encrypt a message, and the recipient uses their private key to decrypt it.
A so-called man-in-the-middle attack occurs when a hacker manages to trick a sender into using the hacker's public key instead of that of the recipient. Intercepted messages can then be decrypted and read by the hacker.
To solve this problem, senders and recipients can verify each other's public keys. This gets more complicated on mobile devices, however, as new keys are generated when someone reinstalls an app or gets a new phone.
If a recipient is offline, WhatsApp will store a cache of messages until the person comes back online. If the recipient has a new public key, WhatsApp will encrypt to that key. It means that some new messages are transmitted before the two parties can verify public keys again. Past messages, however, would still be safe.
WhatsApp is based on the same encryption protocol as another popular secure messaging application, Signal. Signal handles such a scenario differently, though: By default it doesn't allow the messages encrypted with the new key to go through until the sender is confident there's no man-in-the-middle attack underway.
WhatsApp does have a security setting that will stop messages from being transmitted if a recipient's public key has changed. But it's not active by default. And it only warns senders after a few of the cached messages have been sent.
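The difference between the two defaults described above can be shown with a small sender-side model. This is an added illustration, not code from WhatsApp, Signal or the original article; it performs no real encryption, and the `Sender` class, the fingerprint format and the sample keys are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(public_key: bytes) -> str:
    """Short digest two users could compare out of band (constructed format)."""
    return hashlib.sha256(public_key).hexdigest()[:16]

@dataclass
class Sender:
    block_on_key_change: bool   # True: hold messages, False: deliver then notify
    trusted_fp: str             # fingerprint of the key the sender last verified
    pending: list = field(default_factory=list)    # cached, not yet delivered
    released: list = field(default_factory=list)   # (message, key fingerprint used)
    warnings: list = field(default_factory=list)

    def send(self, msg: str) -> None:
        self.pending.append(msg)

    def on_recipient_key(self, public_key: bytes) -> None:
        """Recipient is back online; the server reports the key to encrypt to."""
        fp = fingerprint(public_key)
        if fp != self.trusted_fp:
            self.warnings.append(f"key changed: {self.trusted_fp} -> {fp}")
            if self.block_on_key_change:
                return          # nothing leaves until the user verifies the key
        self._flush(fp)

    def verify(self, public_key: bytes) -> None:
        """The user compared fingerprints out of band and accepts the new key."""
        self.trusted_fp = fingerprint(public_key)
        self._flush(self.trusted_fp)

    def _flush(self, fp: str) -> None:
        self.released += [(m, fp) for m in self.pending]
        self.pending.clear()

def exposed_to_unverified_key(block: bool) -> list:
    """Messages that were encrypted to a key the sender never verified."""
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    s = Sender(block_on_key_change=block, trusted_fp=fingerprint(old_key))
    s.send("msg 1")             # recipient offline, messages are cached
    s.send("msg 2")
    s.on_recipient_key(new_key)  # recipient returns with a different key
    return [m for m, fp in s.released if fp != fingerprint(old_key)]
```

With `block=False` both cached messages go out under the unverified key and only a warning is recorded; with `block=True` they stay pending until `verify()` is called.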
Expert Weighs In
Despite the controversy, the different approaches between Signal and WhatsApp are understandable, says Moxie Marlinspike, the renowned cryptographer who helped develop the Signal Protocol. WhatsApp has 1 billion users, and it was designed to be an incredibly secure environment, but also to not entangle users in the technical minutiae of secure communications.
Marlinspike contends that allowing cached messages to be delivered, even while a warning is displayed that a man-in-the-middle attack could be underway, is far from being a backdoor.
"Given the size and scope of WhatsApp's user base, we feel that their choice to display a non-blocking notification is appropriate," Marlinspike writes in a blog post. "It provides transparent and cryptographically guaranteed confidence in the privacy of a user's communication, along with a simple user experience."
A successful attack would not be trivial to execute. An attacker would have to gain control of the victim's phone number. That is far from impossible, but operators have strengthened their verification procedures to repel rogue attackers from filching someone's number.
In an alternative scenario, a hacker could compromise WhatsApp's servers in order to replace the victim's public key with his own. Computer security experts say this is a potential problem with some end-to-end encryption schemes, including Apple's iMessage, which index public keys to connect users.
Much Ado About Nothing?
Facebook was rightly commended for using world-class cryptography in WhatsApp, which moved hundreds of millions of users into a much more secure and private communications system.
But different users have different security requirements. While most people probably aren't bothered by a niche risk such as this, others may need to be as secure as absolutely possible. That's why it's important to look at the details of how a service implements cryptography before choosing a platform.
The issue here is far from a backdoor, but it may help people to better select just how much risk they want to tolerate. For activists working from within oppressive regimes in particular, just one mistake or inadvertent use of compromised software can lead to their identities being unmasked. Anyone who fears being so targeted may want to take every possible precaution, especially when it comes to their choice of messaging technology.