The headline in the Guardian last week was certainly eye-catching: “WhatsApp vulnerability allows snooping on encrypted messages.” The allegation was that a newly discovered flaw could allow messages you’d sent to a known and confirmed party through a highly secure method to be replayed, or sent again, to other parties that could insert themselves as trusted recipients.
It turns out, almost none of this is accurate or represented in a way that will help WhatsApp users improve their security. This doesn’t mean that WhatsApp is created perfectly (nor do I allege the Guardian have an agenda). A few months ago, I explained how to configure WhatsApp to be as secure as possible, because defaults and prompts made it more likely that you could have your messages intercepted by criminals or by mass or targeted surveillance from security agencies. For example, the app encourages you to back up your messages on a server, which removes the end-to-end encryption protection of the messaging system; you have to know to say no.
WhatsApp remains robust and nearly the gold standard if set up in the way that security experts recommend and I documented. But the flaw cited is rather a feature of sorts, revealing information to users about changes in the cryptographic environment. The biggest downside is educating those who rely on WhatsApp on how to pay attention to alerts to avoid being taken in.
Backdoors, flaws, and features
The Guardian story erred first in calling this “new” research and marking its story as “exclusive”; these errors remain in the version I’m looking at while writing this column. I contacted the researcher who first explored the security issues, Tobias Boelter. He said via email, “The issue has been published on my blog in April 2016, but only today the public media started reporting on it, with the Guardian taking the lead.” It’s not new or exclusive, nor was it previously private. (Boelter maintains it’s a flaw, potentially exploitable by governments, and should be fixed.)
Second, the article labeled it a backdoor, which it isn’t. The original headline (which you can see if you look at the URL) used the term “backdoor,” which also appears in the article a few times. A backdoor is an intentional hole built into software to allow untracked access, without participants’ consent, to details that the users of the system assume to be confidential or secure. Security researcher Jonathan Zdziarski, the developer of Little Flocker, goes into greater depth in a white paper defining the term backdoor precisely.
One would have to find a separate entry point in WhatsApp’s infrastructure that allowed a party other than those in a conversation to insert themselves with a new device at will: that entry point would be a backdoor, but not the behavior in question, which is a man-in-the-middle (MitM) that the system correctly identifies.
Finally, the scope of the problem as described in the article is too broad and not fully technically accurate; even Boelter’s original post makes it sound as if there’s a wider scope of exploitation, though he correctly illustrates what interaction occurs and when. In fact, there’s a very limited opportunity for a malicious party to gain access to any information.
Let’s break down how you can improve your security with WhatsApp by looking at how the purported flaw shows up.
With WhatsApp, you establish a trust relationship with other parties with whom you communicate. The best recommendation, as I note in an April 2016 column, is to confirm each other’s secret numbers in person or by voice—or any method except within WhatsApp. Once that’s in place, you have a cryptographic lock on your communications with that person.
If that person changes phones, through loss, damage, upgrade, or whatever reason, as long as you have Security Notifications turned on, you’ll be warned in the conversation and advised to re-verify. (In iOS, go to WhatsApp’s Settings view, tap Account > Security, and then make sure Show Security Notifications is turned on.)
What Boelter noted in April and reported to Facebook is that there’s a sliver of opportunity for untransmitted messages to be intercepted by a party that gains access to a WhatsApp user’s registered phone number. Here’s the sequence:
- One or more messages can’t be delivered. They’re shown with a single checkmark in the sender’s copy of WhatsApp. All delivered messages to verified recipients appear with blue double-checkmarks.
- A malicious party obtains access to the phone number registered with the recipient’s WhatsApp account and uses another device before the intended recipient comes back online and can receive the unsent messages.
- The malicious party receives those messages, and the WhatsApp sender gets a notification that the recipient’s key has changed.
Messages previously delivered aren’t retransmitted. Only messages in queue are sent at all (and marked with double gray checkmarks). And the sender is notified. An attacker without a security apparatus with a number of agents poised to act would be hard-pressed to ensure simultaneously that the receiver was offline, they could grab access to the phone number, and the recipient was poised to send a useful message that could be intercepted. (It is true that phone numbers and SMS aren’t secure, and criminals and governments can re-point someone’s phone number to another phone or intercept and send text messages.)
The security notification also gives away the game: the interceptor has just revealed they’re an MitM, and in such a way that the sender can alert other people, the media, law enforcement, or whomever, because the sender has to be online for this to occur. With a backdoor, such a notification would be suppressed.
WhatsApp uses the Signal Protocol, designed by Open Whisper Systems, which has its own messaging app, Signal (free). In the Signal app, queued messages aren’t sent in that case; a user is alerted and has to accept the potential consequence or re-verify to move on. People likely to be targeted at a “retail” level (one at a time) are unlikely to rely on WhatsApp, and rather on Signal; people concerned about “wholesale” interception, such as the alleged wide-scale data collection in place in many countries, don’t have a vulnerability here, and will find most of their friends and colleagues already using WhatsApp or an easy sell to join it. (Open Whisper’s co-founder, Moxie Marlinspike, wrote a blog post about the Guardian story as well.)
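The difference between the two clients' handling of a key change, as a toy model added here (not WhatsApp's or Signal's code). The class names, key labels and message texts are constructed for illustration, and no real cryptography is performed.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    text: str
    delivered_to: str = ""   # identity key the message was encrypted to; "" = still queued

@dataclass
class Sender:
    verified_key: str            # recipient key confirmed out of band
    block_on_key_change: bool    # True: Signal-style hold; False: WhatsApp-style resend
    notifications_on: bool = True
    messages: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def send(self, text, recipient_online):
        msg = Message(text)
        if recipient_online:
            msg.delivered_to = self.verified_key
        self.messages.append(msg)

    def device_registers(self, key):
        """A device claiming the recipient's phone number comes online with `key`."""
        changed = key != self.verified_key
        if changed and self.notifications_on:
            self.alerts.append("security code changed: re-verify this contact")
        if changed and self.block_on_key_change:
            return                        # queue is held until the user decides
        for msg in self.messages:
            if not msg.delivered_to:      # only queued messages; delivered ones never resend
                msg.delivered_to = key

    def exposed(self):
        """Texts that ended up encrypted to a key the user never verified."""
        return [m.text for m in self.messages
                if m.delivered_to and m.delivered_to != self.verified_key]

    def queued(self):
        return [m.text for m in self.messages if not m.delivered_to]

def run_scenario(block_on_key_change, notifications_on=True):
    s = Sender("KEY-A", block_on_key_change, notifications_on)   # constructed key labels
    s.send("delivered earlier", recipient_online=True)
    s.send("queued 1", recipient_online=False)
    s.send("queued 2", recipient_online=False)
    s.device_registers("KEY-B")      # number re-registered on an unverified device
    return s.exposed(), s.queued(), s.alerts
```

Under the non-blocking policy only the two queued messages reach the unverified key, and the alert still fires. With notifications switched off, the same exposure happens silently.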
And just by the way, a much broader vulnerability exists in Apple’s iMessage, as Apple uses centralized key management that isn’t exposed to users. Researchers have warned for years, most recently in a March 2016 security examination that revealed a number of more minor flaws, that such centralization could allow interception through a successful attack on infrastructure or through secret government edict. Were iMessage subverted, its users would never know that other parties were reading their messages.
Pay attention to the fiddly details
The upshot isn’t that the Guardian got the details and impact of the story wrong, though the newspaper did. Rather, it’s that you can keep your security game strong by paying close attention to warnings and alerts designed for that purpose:
- Ensure Show Security Notifications is on.
- Verify all contacts before starting conversations.
- Re-verify contacts whenever you see a message that a recipient’s security code has changed.
- If you can’t re-verify, immediately alert everyone you can who is connected with your communications or the recipient.
If you need to be absolutely sure that any arbitrary message you send (“pick up a gallon of milk”) when a recipient is offline has zero possibility of being received by an unverified party instead of a vanishingly small one, use Signal (which is free) and convince your friends to use it as well.
WhatsApp could add a switch to disable transmitting without verifying first, which would defuse this complaint. But this was a lot of hand waving about something that doesn’t represent much in effect.