Update, 1/20/17: A post on the Technosociology blog signed by dozens of security experts calls for a Guardian retraction and apology. This article has been updated to reflect this.
When Facebook’s WhatsApp turned on end-to-end encryption in its messaging service last year, it was a big deal. As all eyes were glued on Apple’s fight with the FBI over unlocking the San Bernardino shooter’s iPhone, WhatsApp took a huge step toward protecting its users’ privacy by moving to encrypt all messages and calls being sent between its apps.
But a new report suggests it might not be as secure as users think. According to The Guardian, a serious vulnerability in WhatsApp’s encryption could allow Facebook to intercept and read messages without the recipient’s knowledge, and with the sender alerted only if they have previously opted in to receive encryption warnings. The security flaw, which was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, can “effectively grant access (to users’ messages)” by changing the security keys and resending messages.
“WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol … to guarantee communications are secure and cannot be intercepted by a middleman,” the paper wrote. “However, WhatsApp has the ability to force the generation of new encryption keys for offline users … and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.”
While there is no evidence to suggest WhatsApp has used the flaw to surreptitiously intercept messages, Boelter says he reported the vulnerability to Facebook back in April 2016 but was informed that it was “expected behavior.” According to The Guardian, the security flaw, which still exists in the latest version of the service’s encryption, is exacerbated by WhatsApp’s habit of automatically resending undelivered messages without authorization by the user.
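To make the behavior described above concrete, here is a small added model (not WhatsApp’s or Signal’s code) of a sender’s view of one chat: the recipient’s identity key is pinned on first contact, the server later reports a different key for the offline recipient, and the undelivered message is re-encrypted to whatever key is current. The `show_security_notifications` toggle, the `block_on_key_change` policy, the key strings and the `safety_number` fingerprint are all constructed for illustration; real encryption is replaced by a label naming the key the message was sealed to.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Conversation:
    """A sender's view of one chat (constructed model, not WhatsApp's code).
    The recipient's identity key is pinned when first seen (trust on first use)."""
    pinned_key: str
    show_security_notifications: bool = False   # the opt-in toggle from the article
    block_on_key_change: bool = False           # stricter policy: hold messages until verified
    events: list = field(default_factory=list)

def safety_number(key_a: str, key_b: str) -> str:
    """Short fingerprint over both identity keys, compared out of band by the two users.
    A changed key on either side yields a different number (hypothetical construction)."""
    material = "|".join(sorted((key_a, key_b))).encode()
    return hashlib.sha256(material).hexdigest()[:12]

def resend_undelivered(chat: Conversation, my_key: str, server_key: str,
                       message: str) -> Optional[tuple]:
    """Resend one undelivered message after the server reports the recipient's
    current identity key. Returns (key_used, ciphertext_label), or None if the
    message is held. Mirrors the behaviour the article describes: a changed key is
    accepted and the message re-encrypted to it, with a notice only if the toggle is on."""
    if server_key != chat.pinned_key:
        new_sn = safety_number(my_key, server_key)
        if chat.show_security_notifications:
            chat.events.append(f"security code changed, new safety number {new_sn}")
        if chat.block_on_key_change:
            chat.events.append("message held until the new safety number is verified")
            return None
        chat.pinned_key = server_key                 # silently re-pin to the new key
    # Encryption itself is out of scope; label the ciphertext with the key it was sealed to.
    return chat.pinned_key, f"enc[{chat.pinned_key}]({message})"
```

With the toggle off the key change leaves no trace on the sender’s side; with it on, the sender at least sees that the safety number changed and can compare it with the recipient out of band before trusting the new key.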
However, there is mounting evidence to suggest The Guardian’s claims are overblown and even unfounded. According to the WhatsApp website, end-to-end encryption is always activated when using the service, and there is no way to turn it off. Additionally, each conversation has its own optional verification process that can be used to verify that calls and messages are end-to-end encrypted.
In a statement provided to Greenbot, WhatsApp defended the “intentional design decision” and slammed The Guardian’s characterization of it as false: “WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”
Additionally, a group of security experts signed a post on Technosociology.org titled, “A Plea for Responsible and Contextualized Reporting on User Security.” In the letter, they compare The Guardian’s report to publishing a headline that reads “Vaccines kill people.” “While it is true that in a few cases, vaccines kill people through rare and unfortunate side effects, they also save millions of lives,” they write.
In a lengthy post, the experts conclude that The Guardian’s report uncovered “a small and unlikely threat,” and explain in great detail how WhatsApp’s “behavior around key exchange when phone or SIM cards are changed is an acceptable trade-off if the priority is message reliability.” They urge The Guardian to retract the story and apologize to readers, many of whom “are switching to SMS and Facebook Messenger, among other options—many services that are strictly less secure than WhatsApp,” the experts claim.
The impact on you at home: Hopefully, there is none. While the flaw in WhatsApp certainly has the appearance of being nefarious, there is nothing to suggest that users’ messages are actively being compromised. That being said, it’s not a bad idea to head over to your account’s security settings and turn on the Show security notifications toggle.
This story, "WhatsApp vulnerability could expose messages to prying eyes, report claims" was originally published by Greenbot.