Friday, 13 January 2017

WhatsApp Backdoor Allows for Intercepting of Encrypted Messages


WhatsApp is one of the most widely used messengers in the world, and its user numbers prove the point. The Facebook-owned company has been adding privacy features regularly, and end-to-end encryption was one of them. Facebook has claimed that no one can intercept WhatsApp messages, the company and its staff included. That claim is now challenged by a security backdoor that would allow Facebook, and anyone who can compel Facebook, to intercept and read encrypted messages sent and received through WhatsApp.

State-sponsored cyber attacks are nothing new, and privacy campaigners are wary that a backdoor of this kind could be used by governments and other authorities to spy on users, or, as I prefer to say, on “persons of interest”. WhatsApp's reach magnifies the danger, since it has become one of the quintessential communication tools.

This is how it works. WhatsApp's end-to-end encryption is built on the well-known Signal Protocol from Open Whisper Systems. Each user has a security key; the keys are exchanged between the two parties and can be verified out of band before communication begins. In theory this ensures that no middleman or intruder of any kind can read the encrypted channel. However, WhatsApp can still issue a new encryption key on behalf of a user who is offline, and this happens behind closed doors, unseen by either party.

The sender receives no notification of this unless they have opted in to encryption warnings in the settings. The issue was discovered by Tobias Boelter, a security researcher at the University of California, Berkeley, who was quoted by the Guardian as follows: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

Open Whisper Systems has long been a favourite of privacy advocates, Edward Snowden among them. The problem, however, does not appear to lie at Open Whisper Systems' end: Signal, the messaging app that prides itself on privacy, does not suffer the same fate as WhatsApp. In Signal, when a recipient's security key changes while they are offline, the message already sent is not delivered, and the sender is notified of the key change and must decide whether to resend it. WhatsApp does the opposite: the message is resent before the user is told anything. The client automatically re-encrypts any undelivered message with the new key and sends it again, and the user has no way to stop this from happening.

The WhatsApp backdoor is still active, and according to Boelter the company has known about it since he reported it. He further suggests that Facebook can switch a user's keys while that user is offline without anyone noticing, which makes for a rather insecure platform. As if that were not enough, the same mechanism can expose a complete conversation rather than just a single message.

Boelter's argument goes as follows: “[Some] might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”
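The two behaviours described above, Signal holding undelivered messages and warning the sender versus WhatsApp re-encrypting them to the new key and resending automatically, together with Boelter's point that a server withholding the double tick turns one retransmission into a whole transcript, as a toy simulation. This is an added example, not WhatsApp or Signal code: the HMAC keystream cipher, the `SenderClient` class, the policy names and the sample messages are all constructed here as stand-ins for a real Signal Protocol session.

```python
"""Toy model of a client's reaction to a recipient key change while messages are
still undelivered. Added example, not WhatsApp or Signal code; the cipher, the
SenderClient class and the sample conversation are constructed stand-ins."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def fingerprint(key: bytes) -> str:
    """Short key identifier, standing in for the security code users compare."""
    return hashlib.sha256(key).hexdigest()[:16]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream (NOT the Double Ratchet)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


@dataclass
class Ciphertext:
    key_fp: str      # which recipient key this was encrypted to
    nonce: bytes
    body: bytes


def encrypt(key: bytes, plaintext: bytes) -> Ciphertext:
    nonce = os.urandom(12)
    ks = _keystream(key, nonce, len(plaintext))
    return Ciphertext(fingerprint(key), nonce, bytes(a ^ b for a, b in zip(plaintext, ks)))


def decrypt(key: bytes, ct: Ciphertext) -> bytes:
    if fingerprint(key) != ct.key_fp:
        raise ValueError("ciphertext was not encrypted to this key")
    return bytes(a ^ b for a, b in zip(ct.body, _keystream(key, ct.nonce, len(ct.body))))


@dataclass
class SenderClient:
    policy: str                          # "signal" or "whatsapp" (hypothetical labels)
    show_security_notifications: bool    # WhatsApp's opt-in setting
    recipient_key: bytes
    outbox: list = field(default_factory=list)       # every ciphertext handed to the server
    undelivered: list = field(default_factory=list)  # plaintexts with no delivery receipt yet
    warnings: list = field(default_factory=list)     # what the user actually gets to see

    def send(self, plaintext: bytes) -> Ciphertext:
        ct = encrypt(self.recipient_key, plaintext)
        self.outbox.append(ct)
        self.undelivered.append(plaintext)
        return ct

    def on_delivery_receipt(self, plaintext: bytes) -> None:
        """The 'double tick'. A server that withholds it keeps messages queued."""
        self.undelivered.remove(plaintext)

    def on_key_change(self, new_key: bytes) -> list:
        """Server announces that the recipient now has a different key."""
        self.recipient_key = new_key
        if self.policy == "signal":
            # Hold everything; the user must accept the new key and resend by hand.
            self.warnings.append(f"safety number changed to {fingerprint(new_key)}; "
                                 f"{len(self.undelivered)} message(s) held, not sent")
            return []
        # whatsapp: re-encrypt the whole undelivered queue to the new key, no user decision.
        resent = [encrypt(new_key, p) for p in self.undelivered]
        self.outbox.extend(resent)
        if self.show_security_notifications:
            self.warnings.append(f"security code changed to {fingerprint(new_key)}")
        return resent


def run_scenario(policy: str, show_security_notifications: bool) -> tuple:
    """Returns (plaintexts readable by whoever holds the new key, warnings shown)."""
    sender = SenderClient(policy, show_security_notifications, os.urandom(32))
    for m in (b"meet at 9", b"bring the documents", b"use the side door"):  # constructed sample
        sender.send(m)
    # The server never sends delivery receipts, so all three stay undelivered,
    # then it announces a replacement key that it (or whoever compels it) controls.
    server_key = os.urandom(32)
    sender.on_key_change(server_key)
    readable = []
    for ct in sender.outbox:
        try:
            readable.append(decrypt(server_key, ct))
        except ValueError:
            pass  # still encrypted to the recipient's honest key
    return readable, sender.warnings


if __name__ == "__main__":
    for pol, notify in (("whatsapp", False), ("whatsapp", True), ("signal", False)):
        readable, warnings = run_scenario(pol, notify)
        print(f"{pol:9s} notify={notify!s:5s} server reads {len(readable)} msgs; warnings: {warnings}")
```

Running it shows the point of the article in three lines: under the "whatsapp" policy with notifications off, the holder of the replacement key reads all three queued messages and the sender sees nothing; with notifications on, the sender sees one "security code changed" line, but only after the resend has already happened; under the "signal" policy nothing is re-encrypted and the sender is told which messages were held.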

All of this comes at a time when the UK has passed the Investigatory Powers Act amid public outcry. The Act allows the government to intercept data in bulk from private companies, in a manner similar to the programmes exposed by Snowden. It also gives the government the power to force companies to “maintain technical capabilities” for interception and to require them to remove electronic protection from data. That use case resonates uncomfortably with the WhatsApp backdoor.

WhatsApp has replied to the Guardian's concerns, saying that the behaviour is a deliberate design decision to cope with people changing SIM cards and devices: the company wants to make sure that “people's messages are delivered and not lost in transit.” In my view, WhatsApp should simply have added a resend prompt that tells the user about the key change before anything is retransmitted. In its statement WhatsApp also pointed concerned users to its site that publishes data on government requests by country. In the meantime, turn on the “Show Security Notifications” setting: it will not stop the retransmission, but it will at least tell you when a contact's key has changed, which is your cue to re-verify that contact's security code in person.