WhatsApp has been found to contain a security backdoor, allowing others to intercept encrypted messages.
In an exclusive by the Guardian, WhatsApp was found to be able to read messages because of the way the company implements its end-to-end encryption protocol. Facebook, the owner of WhatsApp, however, denied that messages could be intercepted, stating that not even the company and its staff could access communications from its billion-plus users.
The security backdoor was discovered by security researcher Tobias Boelter, who told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
Boelter’s reference to keys relates to WhatsApp’s end-to-end encryption, which relies on unique security keys under the Signal protocol. These keys are normally exchanged and verified between users in order to guarantee security and ensure that communications cannot be intercepted. WhatsApp, however, can push new encryption keys while a recipient is offline and force the sender to re-encrypt undelivered messages with the new keys before resending them. Neither sender nor recipient is made aware of these key changes, and it is this silent re-encryption and resending of messages that would allow WhatsApp to intercept them.
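The flow just described is easiest to reason about as a small model. The following is an added example, not code from WhatsApp, Signal or the article: a sender queues a message for an offline recipient, the server forces a key change and asks for a resend, and the sender's client then follows one of two constructed policies, "auto" (re-encrypt silently under whatever key the server now serves, the behaviour the article describes) or "verify_first" (hold the message and surface the key change to the user, the behaviour a security notification enables). The cipher is a SHA-256 keystream chosen only to keep the example dependency-free; the names, the policy strings and the server API are all assumptions of this model.

```python
"""Toy model of the undelivered-message / key-change flow (constructed example).
The SHA-256 keystream "cipher" stands in for the real protocol; keys are
modelled as shared secrets so the server can be the only party that rotates them."""
import hashlib
import secrets
from dataclasses import dataclass, field

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def fingerprint(key: bytes) -> str:
    # Stands in for the security code that users compare out of band.
    return hashlib.sha256(key).hexdigest()[:16]


@dataclass
class Server:
    """Serves each user's current key and queues ciphertext for offline recipients."""
    keys: dict[str, bytes] = field(default_factory=dict)
    mailbox: dict[str, list[tuple[int, bytes]]] = field(default_factory=dict)

    def register(self, name: str) -> None:
        self.keys[name] = secrets.token_bytes(32)

    def post(self, to: str, msg_id: int, blob: bytes) -> None:
        self.mailbox.setdefault(to, []).append((msg_id, blob))

    def rotate_key(self, name: str) -> list[int]:
        """Models the server forcing a new key while `name` is offline. Queued
        ciphertext cannot be opened with the new key, so it is dropped and the
        sender is told which message ids to resend."""
        self.keys[name] = secrets.token_bytes(32)
        return [msg_id for msg_id, _ in self.mailbox.pop(name, [])]


@dataclass
class Sender:
    me: str
    server: Server
    trusted: dict[str, str] = field(default_factory=dict)              # recipient -> pinned fingerprint
    pending: dict[int, tuple[str, bytes]] = field(default_factory=dict)  # msg_id -> (to, plaintext) until delivered
    events: list[str] = field(default_factory=list)                      # key-change notifications
    _next_id: int = 0

    def send(self, to: str, plaintext: bytes) -> int:
        key = self.server.keys[to]
        self.trusted.setdefault(to, fingerprint(key))  # trust on first use
        msg_id = self._next_id
        self._next_id += 1
        self.pending[msg_id] = (to, plaintext)
        self.server.post(to, msg_id, encrypt(key, plaintext))
        return msg_id

    def resend(self, msg_ids: list[int], policy: str) -> str:
        """'auto' silently accepts the new key and re-encrypts; 'verify_first'
        records the key change and holds the messages until the user has checked
        the new fingerprint."""
        for msg_id in msg_ids:
            to, plaintext = self.pending[msg_id]
            key = self.server.keys[to]
            new_fp = fingerprint(key)
            if new_fp != self.trusted[to]:
                self.events.append(f"key change for {to}: {self.trusted[to]} -> {new_fp}")
                if policy == "verify_first":
                    return "held"
                self.trusted[to] = new_fp
            self.server.post(to, msg_id, encrypt(key, plaintext))
        return "resent"


def run(policy: str) -> dict:
    """Plays the scenario end to end and reports what the holder of the new key can read."""
    server = Server()
    server.register("alice")
    server.register("bob")
    alice = Sender("alice", server)
    alice.send("bob", b"Q3 figures: revenue down 12%")  # constructed message; bob is offline
    stale = server.rotate_key("bob")                    # forced key change while bob is offline
    outcome = alice.resend(stale, policy)
    readable = [decrypt(server.keys["bob"], blob) for _, blob in server.mailbox.get("bob", [])]
    return {"outcome": outcome, "key_change_events": len(alice.events), "readable_with_new_key": readable}


if __name__ == "__main__":
    for policy in ("auto", "verify_first"):
        print(policy, run(policy))
```

Under "auto" the resent ciphertext is readable by whoever controls the new key, and the only trace is a key-change event the user never sees unless the client surfaces it; under "verify_first" nothing is resent until the fingerprint is confirmed. The model shows why the sender's client, not the server, is the place where the interception risk is decided, and why enabling security notifications and comparing security codes matters for anyone using the app for sensitive work.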
Facebook was made aware of the backdoor vulnerability in April 2016, yet the Guardian has confirmed that the backdoor still exists.
Privacy campaigners have reacted with fury at the disclosure of WhatsApp’s backdoor vulnerability, with many saying that the fact that it exists is a betrayal of trust. Although the privacy of the one billion consumers who use WhatsApp will be the focus of this disclosure, many businesses should also be hugely concerned.
“While a lot of the focus of this latest revelation will be on the personal implications for billions of WhatsApp users, businesses should also be extremely concerned. In today’s world, many work-related topics – often highly sensitive and at the highest levels – are shared on the platform,” said Dr. Jamie Graves, CEO at ZoneFox.
“It now appears there has been a host of information available to anyone with the know-how to get hold of it; we can only ponder as to whether any breaches have taken place and, if they have, what levels of sensitive data have been taken. Furthermore, the advent and soaring popularity of WhatsApp desktop now means millions of employees actually use the software on company devices, providing a potentially open gate to highly sensitive company servers and information.”
The WhatsApp security backdoor is all the more dangerous because of the app’s growing role as a shadow IT application, as Jason Allaway at RES argues:
“The issue with this weakness is clear when WhatsApp is used within a business setting. In many organisations it acts as a shadow IT application – one not officially sanctioned or vetted by the organisation, but still used by staff – even perhaps the CEO.
“Many coworkers use the application on both desktop and mobile to quickly get in touch with each other and discuss issues that need urgently attending to. It’s not those pictures of your cousin’s birthday party that potential threats are interested in, but those rough financial figures you wanted to double-check with accounts make for very interesting reading.”
Backdoors have repeatedly been criticised by security professionals, with 2016 seeing experts slam the UK government’s proposal to enshrine backdoors in law. Under the Snooper’s Charter, or Investigatory Powers Bill, the government plans not to ban end-to-end encryption but to force third-party services such as Apple iMessage, WhatsApp, BlackBerry BBM and Cisco Spark to change their services in order to give access to law enforcement agencies.
Charges that WhatsApp gives governments access through a backdoor have been strenuously denied by a WhatsApp spokesperson:
“The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a ‘backdoor’ allowing governments to force WhatsApp to decrypt message streams.
“This claim is false.
“WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.”