WhatsApp security breach - researchers find backdoor, Facebook doesn't care
Although the WhatsApp messaging service prides itself on being one of the few widespread apps with end-to-end encryption, it has a serious security hole that allows WhatsApp and its operator, Facebook, to read your messages.
WhatsApp is certainly the most widely used messaging service in Switzerland. Worldwide, more than a billion people use it. Since April 2016, full end-to-end encryption has been integrated. This means that before you leave your phone, your messages are encrypted and only decrypted after you receive them.
To explain it better, Alice, Bob and Eve come to our aid. Alice and Bob want to chat together and Eve wants to read what they write to each other. By the way, the name Eve is taken from the English noun "eavesdropping", which means "to be bugged".
End-to-end encryption: how it works
- Alice sends a message to Bob
- Before the message leaves the phone, the text is encrypted. This public key is Bob's.
- The encrypted data packets pass from Alice to Bob
- On Bob's smartphone, the data is decrypted, because his phone knows the key.
- At best, Eve can read unreadable data residue.
Bob can read the message, because he has received Alice's key in advance. Usually this happens automatically. As both Alice and Bob are careful about their security, they have checked their keys. Here's how it's done in WhatsApp:
- In the conversation window, on Android, click on the three dots in the top right-hand corner. On iOS just click on the name
- Click on Show contact
- Click on Chiffrement
- A QR code appears
- Your caller scans the code
When the key automatically generated by WhatsApp is good, then a small green tick appears. When the key is wrong, a message on an orange background appears and informs you that the key in the chat does not match that of your correspondent. In an example, it might look something like this, although the attack is impractical and obvious:
- Alice wants to make sure she's chatting to Bob
- However, Eve has registered her number on Alice's mobile as Bob
- Alice scans Bob's code
- The orange message appears
- Alice now knows she's not chatting with Bob
End-to-end encryption is one of the most valuable assets in digital communication, as it guarantees the integrity of a conversation with relatively simple means.
The security breach
However, Tobias Boelter, Information Security Researcher, has discovered that end-to-end encryption can be circumvented with simple means.
Here's what it would look like with Alice and Bob:
- Alice sends Bob a message
- The message is decrypted with the key to Bob
- The message is forwarded to Bob via the WhatsApp server
- However, when the server issues a new key to Bob immediately after sending - note: this is done automatically - then Alice's phone resends the message, but with the new key.
So WhatsApp can also read texts. Only after the second message is sent, Alice is warned that there might be something fishy going on. On the contrary, Bob doesn't necessarily have to notice that Eve is following the discussion, as the server can simply forward the first message to Bob.
Why is this a big deal?
In this case, Eve represents everyone who has access to the WhatsApp server infrastructure. It doesn't have to be the parent company Facebook, it could also be a government with the necessary decree. The NSA could be a candidate with a lot of interest in this kind of breach. But let's not forget the police if they have suspicions and an appropriate court order. This also concerns Swiss users after a vote in autumn 2016.
Bref; your private chats are no longer necessarily private.
Facebook is doing nothing about this breach
Tobias Boelter has chosen the path of Responsible Disclosure. In other words: he made himself known as a Security Researcher and communicated the bug to Facebook on 10 April 2016. The group's response on 25 May 2016:
This is expected behaviour
Of course, Boelter clarified that this should be neither expected nor planned behaviour of the app. Facebook responded on 31 May 2016:
This detail was already known to us some time ago[...] currently, we are not actively looking to address it
Safe alternatives
In the meantime, it should be clear that WhatsApp is not safe and should under no circumstances be used by people who don't like being bugged. Even if you tell yourself "I've got nothing to hide, so nothing bad can happen to me", you should look for an alternative.
I recommend Signal.
Signal works almost like WhatsApp, supporting the sending of images and texts, Emojis and videos. Here, it is above all the encryption mechanisms that are important. The "Open Whisper Systems" programmer not only invented encryption for Signal, but also transferred it to WhatsApp. But unlike WhatsApp, Signal doesn't pretend to send a message again after receiving a new key.
By the way, Open Whisper Systems is committed to your privacy. This is already evident in the volume of data that can be recorded by the server:
- Timestamps of each message
- Successful receipt of each message
- Phone number of the sender
- Recipient phone number
- Sender and recipient contact lists
- "Other information", which is not explicitly formulated by the parent company.
Signal
- A user's last online date
That's it.
In addition, Signal has a Chrome plugin, which switches your chats from your mobile to your PC or Mac.
Why change your messaging service
I can already hear you "yes, but all my friends use WhatsApp, so I have to do the same. "No, you don't. On the contrary. Security doesn't start with your friends or Facebook. You are first and foremost an adult user who is capable of making your own decisions.
Even better: you can become the pioneer. If you wait for change, nothing will ever happen. You can tell your friends what I've told you in this article or send them the link - if you have to, you can also use WhatsApp. Then you can delete WhatsApp, install Signal and carry on chatting with the same people. Because like WhatsApp, Signal also uses the phone number as an identifier. Generally speaking, you won't notice much difference between Signal and WhatsApp, except that Signal is blue and WhatsApp is green. You don't have to be "tech-savvy", because apart from installing the app, you don't have to do anything. And be aware of this: your privacy is important.
So stay safe, stay awake and have fun.
You may also be interested in these articles:
Journalist. Author. Hacker. A storyteller searching for boundaries, secrets and taboos – putting the world to paper. Not because I can but because I can’t not.