WhatsApp Encryption Controversy
As hackers continue to evolve, sometimes the tools considered most secure is only a temporary insurance cover.
Ever since The Guardian newspaper recently reported that the WhatsApp messenger had a “backdoor” that allowed snooping on supposedly encrypted messages by third parties, InfoSec and cybersecurity advocates have been in a furore over whether the allegation is true.
WhatsApp Security
WhatsApp was previously known as one of the more secure messaging options, thanks to its End-to-End Encryption (E2EE) using the protocol known as Signal. But the latest reports have put the WhatsApp reputation in peril.
As Gizmodo wrote, if the implications are true, “it would mean that someone had cracked what is universally considered to be the best publicly available encryption scheme.” This would be very serious, as more than a billion people depend on the Signal encryption protocol. Signal users could find themselves vulnerable to surveillance or snooping within many messaging apps.
The Breach
The disagreement was over whether or not the vulnerability pointed out by InfoSec expert, Tobias Boelter, was actually a “backdoor”. The feature in question is operational when a user gets a new phone or undergoes a factory reset on their device. The phone then tries to continue an existing conversation that was initiated on the previous device. The freshly-installed WhatsApp then renegotiates the encryption keys to account for the new device. The recipient then needs a new key for the person they were having a conversation with and the possible security breach occurs.
What Beolter was alleging was characterized by an expert in Gizmodo: “Say that I am sending to you, and your phone is offline because your [battery] is flat, or you have no coverage, or something. Some messages ‘back up’ on my phone, waiting to talk to yours. The proposition is that this condition: backed up messages, combined with someone colluding with Facebook and WhatsApp to ‘fake’ the ‘person has a new phone’ condition, can lead to the backed-up messages being re-encrypted and sent to the new, fake or colluded phone.”
The Nay Sayers
Many critics say this is far-fetched and cannot technically be classified as a backdoor—but rather, an intended feature. A backdoor is described by MacWorld as “an intentional hole built into software to allow untracked access without participants’ consent of details assumed to be confidential or secure by the users of the system.” Critics of the “backdoor” theory maintain is not the intention for the feature to be exploited, and it would require an unrealistic level of collusion among government, tech companies, and/or non state actors to create any sort of user risk.
Still, pointing out these vulnerabilities is important. Many are saying that where The Guardian went wrong in its report was by reporting this as an “exclusive” and by describing it as a “backdoor”. In fact, many InfoSec advocates already knew about this feature quirk, and The Guardian has only caused panic when no one is at risk.
Digital Security Concerns
Even as encryption advances, it remains true that the safest way to communicate these days is with a pen and paper. Of course, it’s not realistic for people living in the modern age to communicate through hand written memos. As The Guardian wrote in their justification of the report, the preservation of personal privacy and collective security online is a political and social task as much as it is one for the very few experts who understand the ramifications of mathematical magics like public key cryptography. Technological solutions will only work within a legal and political context”.
For now, if people are worried about the revelations around whether WhatsApp’s feature puts people at risk, they can use the Signal messaging app (which is also encrypted, but doesn’t queue messages in this fashion) to communicate. Indeed, this controversy is just one of a many that are sure to arise as InfoSec standards improve and users become more aware of what they’re putting at risk.