January 13, 2017, updated 16 Jan 2017 8:36am

WhatsApp security backdoor could reveal business secrets

WhatsApp has been found to have a security backdoor - putting businesses worldwide at risk.

By Ellie Burns

WhatsApp has been found to contain a security backdoor, allowing others to intercept encrypted messages.

In an exclusive, the Guardian reported that WhatsApp is able to read messages because of the way in which the company implements its end-to-end encryption protocol. Facebook, the owner of WhatsApp, however, denied that messages could be intercepted, stating that not even the company and its staff could access communications from its billion-plus users.

The security backdoor was discovered by security researcher Tobias Boelter, who told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

Boelter’s reference to keys relates to WhatsApp’s end-to-end encryption, which uses the Signal protocol and relies on unique security keys. These keys are normally passed and verified between users in order to guarantee security and ensure that communications cannot be intercepted. WhatsApp, however, can push encryption keys offline and force senders to re-encrypt messages with new keys before resending undelivered messages. Neither sender nor recipient is made aware of these key changes, and the re-encryption and resending of messages allows WhatsApp to intercept messages.
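The key-change behaviour described above can be modelled as a sender-side policy. The following Python simulation is an added example, not WhatsApp's or Signal's code: the class, the two policy names and the keys are hypothetical, and encryption is replaced by a record of which key fingerprint each undelivered message was encrypted to.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Short fingerprint users could compare out of band (constructed format)."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class Sender:
    policy: str                                  # "auto_resend" or "block_until_verified" (hypothetical names)
    pinned: str = ""                             # fingerprint currently trusted for the recipient
    outbox: list = field(default_factory=list)   # undelivered plaintexts
    sent: list = field(default_factory=list)     # (fingerprint encrypted to, plaintext)
    alerts: list = field(default_factory=list)   # what the user is shown

    def queue(self, text: str) -> None:
        self.outbox.append(text)

    def on_recipient_key(self, identity_key: bytes) -> None:
        """The server announces the recipient's (possibly new) identity key."""
        fp = fingerprint(identity_key)
        if not self.pinned:                      # first contact: trust on first use
            self.pinned = fp
        elif fp != self.pinned:
            if self.policy == "block_until_verified":
                self.alerts.append(f"key changed to {fp}; {len(self.outbox)} message(s) held")
                return                           # nothing leaves until the user verifies
            self.pinned = fp                     # new key accepted without telling the user
        self._flush()

    def verify_and_release(self, identity_key: bytes) -> None:
        """The user has confirmed the new fingerprint out of band."""
        self.pinned = fingerprint(identity_key)
        self._flush()

    def _flush(self) -> None:
        # Stand-in for encryption: record which key each message was encrypted to.
        self.sent += [(self.pinned, m) for m in self.outbox]
        self.outbox.clear()

def simulate(policy: str):
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    s = Sender(policy)
    s.on_recipient_key(old_key)                  # initial session
    s.queue("rough Q3 figures")                  # recipient offline, message undelivered
    s.on_recipient_key(new_key)                  # key change announced by the server
    return s, fingerprint(new_key)
```

With `auto_resend` the queued message is re-encrypted to the new key and no alert is raised; with `block_until_verified` it stays in the outbox until `verify_and_release` is called.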

Facebook was made aware of the backdoor vulnerability in April 2016, yet the Guardian has confirmed that the backdoor still exists.

Privacy campaigners have reacted with fury at the disclosure of WhatsApp’s backdoor vulnerability, with many saying that the fact that it exists is a betrayal of trust. Although the privacy of the one billion consumers who use WhatsApp will be the focus of this disclosure, many businesses should also be hugely concerned.

“While a lot of the focus of this latest revelation will be on the personal implications for billions of WhatsApp users, businesses should also be extremely concerned. In today’s world, many work-related topics – often highly sensitive and at the highest levels – are shared on the platform,” said Dr. Jamie Graves, CEO at ZoneFox.

“It now appears there has been a host of information available to anyone with the know-how to get hold of it; we can only ponder as to whether any breaches have taken place and, if they have, what levels of sensitive data have been taken. Furthermore, the advent and soaring popularity of WhatsApp desktop now means millions of employees actually use the software on company devices, providing a potentially open gate to highly sensitive company servers and information.”

The WhatsApp security backdoor is all the more dangerous due to WhatsApp’s growing role as a shadow IT application, as Jason Allaway at RES argues:

“The issue with this weakness is clear when WhatsApp is used within a business setting. In many organisations it acts as a shadow IT application – one not officially sanctioned or vetted by the organisation, but still used by staff – even perhaps the CEO.

“Many coworkers use the application on both desktop and mobile to quickly get in touch with each other and discuss issues that need urgently attending to. It’s not those pictures of your cousin’s birthday party that potential threats are interested in, but those rough financial figures you wanted to double-check with accounts make for very interesting reading.”

Backdoors have repeatedly been criticised by security pros, with 2016 seeing experts slam the UK government’s proposal to enshrine backdoors into law. Under the Investigatory Powers Bill, also known as the Snooper’s Charter, the government plans not to ban end-to-end encryption but to force third-party services such as Apple iMessage, WhatsApp, Blackberry BBM and Cisco Spark to change their services in order to give access to enforcement agencies.

Charges levelled at WhatsApp that it provides governments with a backdoor have been strenuously denied by a WhatsApp spokesperson.

“The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams.

“This claim is false.

“WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.”
