Explained — What's Up With the WhatsApp 'Backdoor' Story? Feature or Bug!

What is a backdoor?

By definition, "a backdoor is a feature or defect of a computer system that allows surreptitious unauthorized access to data." The backdoor may lie in the encryption algorithm, in a server or in an implementation, and it does not matter whether it has previously been used or not.

Yesterday, we published a story based on findings reported by security researcher Tobias Boelter that suggests WhatsApp has a backdoor that "could allow" an attacker, and of course the company itself, to intercept your encrypted communication.

The story, involving the world's largest secure messaging platform with over a billion users worldwide, went viral within a few hours, attracting reactions from security experts, the WhatsApp team, and Open Whisper Systems, which partnered with Facebook to implement end-to-end encryption in WhatsApp.

Note: I would request readers to read the complete article before reaching a conclusion. Also, suggestions and opinions are always invited :)

What's the Issue:

The vulnerability lies in the way WhatsApp behaves when an end user's encryption key changes.
WhatsApp, by default, trusts a new encryption key broadcast by a contact and uses it to re-encrypt undelivered messages and send them, without informing the sender of the change.


In my previous article, I explained this vulnerability with a simple example; read that article for a fuller understanding.
Facebook itself admitted to this WhatsApp issue reported by Boelter, saying that "we were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing."

What Experts Argued:

According to some security experts, "it's not a backdoor, rather it's a feature to avoid unnecessary re-verification of encryption keys upon automatic regeneration."

Open Whisper Systems says — "There is no WhatsApp backdoor," "it is how cryptography works," and the MITM attack "is endemic to public key cryptography, not just WhatsApp."

A spokesperson from WhatsApp, acquired by Facebook in 2014 for $16 billion, says: "The Guardian's story on an alleged backdoor in WhatsApp is false. WhatsApp does not give governments a backdoor into its systems. WhatsApp would fight any government request to create a backdoor."

What's the fact:

Notably, neither the security experts nor the company has denied that, if required, WhatsApp (on a government request) or state-sponsored hackers could intercept your chats.

All they say is that WhatsApp is designed to be simple, and users should not lose access to messages sent to them when their encryption key changes.

Open Whisper Systems (OWS) criticized the Guardian's reporting in a blog post, saying, "Even though we are the creators of the encryption protocol supposedly 'backdoored' by WhatsApp, we were not asked for comment."

What? "...encryption protocol supposedly 'backdoored' by WhatsApp..." NO!

No one has said it's an "encryption backdoor"; instead, this backdoor lies in the way WhatsApp has implemented end-to-end encryption, which allows interception of messages without breaking the encryption.

As I mentioned in my previous story, this backdoor has nothing to do with the security of Signal encryption protocol created by Open Whisper Systems. It's one of the most secure encryption protocols if implemented correctly.

Then Why Is Signal More Secure Than WhatsApp?

You might be wondering why the Signal private messenger is more secure than WhatsApp when both use the same end-to-end encryption protocol, and when Signal is recommended by the same group of security experts who are arguing that "WhatsApp has no backdoor."

It's because there is always room for improvement.

The Signal messaging app, by default, lets a sender verify a new key before using it. WhatsApp, by default, automatically trusts the recipient's new key with no notification to the sender.

And even if the sender has turned on the security notifications, the app notifies the sender of the change only after the message is delivered.

So, here WhatsApp chose usability over security and privacy.

It's Not About 'Do We Trust WhatsApp/Facebook?':

WhatsApp says it does not give governments a "backdoor" into its systems.

No doubt the company would fight the government if it received any such court order, and it is currently doing its best to protect the privacy of its one-billion-plus users.

But what about state-sponsored hackers? Technically, this is not a 'reserved' backdoor that only the company can access.

Why the 'Verify Keys' Feature Can't Protect You

[Image: WhatsApp security code verification screen]
WhatsApp also offers a third security layer that lets you verify the keys of the users you are communicating with, either by scanning a QR code or by comparing a 60-digit number.

But here’s the catch:

This feature ensures that no one is intercepting your messages or calls at the moment you verify the keys, but it does not ensure that no one intercepted your encrypted communication in the past or will intercept it in the future, and there is currently no way to detect that.

WhatsApp's Prevention Against Such MITM Attacks Is Incomplete

[Image: WhatsApp security notifications setting]
WhatsApp already offers a "security notifications" feature that notifies users whenever a contact's security code changes, but you need to turn it on manually from the app settings.

But this feature is not enough to protect your communication without the use of another ultimate tool, which is — Common Sense.

Have you received a notification indicating that your contact's security code has changed?

Instead of offering 'Security by Design,' WhatsApp wants its users to use their common sense and not communicate with a contact whose security key has recently changed without verifying the key manually.

The problem is that WhatsApp regenerates security keys so frequently (for some reason) that users soon start ignoring such notifications, making it practically impossible for them to verify the authenticity of the session keys every time.

What Should WhatsApp Do?

Without panicking all one-billion-plus users, WhatsApp can, at least:

  • Stop regenerating users' encryption keys so frequently (I don't know why the company does so).
  • Give privacy-conscious users a setting which, when turned on, would not automatically trust a new encryption key or send queued messages until the user has manually accepted or verified the key.

...because, just like everyone else, I hate using two apps to communicate with my friends and work colleagues, i.e. Signal for privacy and WhatsApp because everyone uses it.
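To make the key-change behaviour concrete (the Signal-versus-WhatsApp comparison above and the opt-in setting proposed in the list), here is a small Python model added for this article; it is not WhatsApp's or Signal's code. The Sender class, the auto_trust_new_keys flag and the 12-hex-character security code are constructed stand-ins, and the "keys" are plain byte strings rather than real identity keys.

```python
import hashlib
from dataclasses import dataclass, field


def security_code(identity_key: bytes) -> str:
    """Stand-in for the security code shown in the app (constructed: 12 hex chars of SHA-256)."""
    return hashlib.sha256(identity_key).hexdigest()[:12]


@dataclass
class Sender:
    """Sender-side state: the key trusted per contact, undelivered messages, and the trust policy."""
    auto_trust_new_keys: bool                     # WhatsApp default: True; Signal default: False
    keys: dict = field(default_factory=dict)      # contact -> identity key currently trusted
    outbox: list = field(default_factory=list)    # (contact, plaintext) not yet delivered
    alerts: list = field(default_factory=list)    # security-code-change notifications shown

    def send(self, contact: str, text: str) -> None:
        self.outbox.append((contact, text))       # recipient offline: message waits in the queue

    def _deliver(self, contact: str) -> list:
        """Encrypt every queued message for `contact` to whatever key is on file right now."""
        sent = [(security_code(self.keys[c]), t) for c, t in self.outbox if c == contact]
        self.outbox = [(c, t) for c, t in self.outbox if c != contact]
        return sent

    def key_changed(self, contact: str, new_key: bytes) -> list:
        """The server announces a new identity key for `contact` (a reinstall, or an interposed key)."""
        old, self.keys[contact] = self.keys[contact], new_key
        held = sum(1 for c, _ in self.outbox if c == contact)
        if self.auto_trust_new_keys:
            sent = self._deliver(contact)         # re-encrypted and sent before any alert is raised
            self.alerts.append(f"{contact}: code {security_code(old)} -> {security_code(new_key)}")
            return sent
        self.alerts.append(f"{contact}: code changed, {held} message(s) held until you verify")
        return []                                 # nothing leaves until the user accepts the key

    def accept_key(self, contact: str) -> list:
        """The user compared the new security code out of band and accepted it."""
        return self._deliver(contact)
```

With auto_trust_new_keys=True the queued messages are re-encrypted to the announced key and returned from key_changed before the alert is appended; with it False they stay in the outbox until accept_key is called.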
