A security loophole in the WhatsApp messaging app could allow the United Kingdom government to legally read supposedly secure encrypted messages, according to a law firm. “Any attempt to intercept messages in transmit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system”.
Advertisement
Facebook and WhatsApp could be compelled to give government agencies such as GCHQ and the US National Security Agency access to users’ messages.
“WhatsApp’s encryption uses Signal Protocol, as detailed in the technical whitepaper”.
But if the recipient moves their WhatsApp account while they are offline to a different phone, the message will automatically resend to their new phone. This route is the vulnerability and will enable intruders to re-encrypt messages with new keys and send them without the knowledge of both the sender and receiver. If that happens, end-to-end encryption becomes an impaired transaction, given that one of the two ends is nonexistent. The backdoor allows WhatsApp (Facebook) to change the encryption security key for undelivered encrypted messages and read them.
Still, this news certainly comes as a disappointing development given that Facebook boasted its boosted encryption methods as the main selling point for WhatsApp.
In response to the claims, a spokesperson for WhatsApp just directed The Guardian to Facebook’s page for aggregated data requests made by governments. That way, a user could perhaps contact their correspondent via other means to inquire about the change in security keys.
The alleged backdoor was first brought to light by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley.
Is this flaw a government backdoor? No. Users should always have the ability to generate new keys and re-encrypt their data, but WhatsApp’s design would technically allow government agencies to force the company to re-encrypt a user’s data in order to siphon it off before it gets re-encrypted again and sent out. There’s one key difference in WhatsApp’s implementation, though.
The promise of WhatsApp is that only you and your recipient can read the messages you send through the service. The whole Facebook/WhatsApp privacy saga started in 2014, when Facebook acquired the messaging service, but Zuck and company have been on watchdog radars a while before that.
Boelter reported the problem to Facebook in April of 2016 – the very same month end-to-end encryption was added to the app. Worryingly, staff at The Guardian have confirmed that the issue still exists today. This is because in many parts of the world, people frequently change devices and Sim cards.
Privacy campaigners are anxious governments and law enforcers could force WhatsApp to generate new keys, if they want to spy on your messages.
Advertisement
This should take you to a single option called “Show Security Notifications”.
