WhatsApp is vulnerable: Are you being snooped on?

By sudha.hariharan

January 23, 2017

Whatsapp has a billion users daily, and that is a big number. Whatsapp has made security and privacy a key selling point. People believe that they are communicating in a secure manner, whereas it may not be so.  Whatsapp claims that not even Whatsapp itself can read the messages of its users. This may be a false claim.

For those spilling their darkest secrets this is bad news. Early last week, The Guardian reported  that encrypted messages sent and received through the  messaging service can be intercepted by people you never intended to send that incriminating message to. The report exposed exposed  a “backdoor”, in the way that WhatsApp implements its end-to-end encryption, meaning third party agencies can read and then re-send messages without your knowledge.

The service is favoured by billions– some   living in oppressive regimes and diplomats –  and privacy campaigners have called the backdoor a “huge threat to freedom of speech”.

WhatsApp’s current method of encryption depends on a set of unique keys generated by the Signal protocol—which are  are supposed to be unique and safe from interception.

However, the catch is that  WhatsApp has the ability to generate keys offline that re-encrypt and then re-send undelivered messages without notifying the user beforehand, or giving them the opportunity to prevent it.

The security loophole was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

Whatsapp denies the backdoor  claim, saying it’s a design decision relating to message delivery, with new keys being generated for offline users in order to ensure messages don’t get lost in transit.. In a quote to TechCrunch, ( a leading media firm which profiles start-ups, breaks tech news)WhatsApp said , “WhatsApp does not give governments a “backdoor” into its systems and would oppose  any government request to create a backdoor.”

Signal is the protocol used by Whatsapp at the heart of its end-to-end encryption method. When person A and B message each other, they get a unique set of keys to swap, which should keep others out.

But if you hit send, and the recipient is offline*, WhatsApp can jump in with a new encryption key, and automatically resend the message with a new key, a copy of which WhatsApp would have!

This key and the re-transmission of messages, without user consent, is the supposed ‘backdoor’ and the supposed ‘design decision’. The word offline has significant importance here. Recipient may be offline OR could potentially be made to appear offline by WhatsApp at their discretion. WhatsApp could potentially disallow the recipient’s app connection to its servers, and that could theoretically give it the ability to generate this new key, and gain access.

This is a long debate, and ( India’s largest community of ethical hackers) ,says that  the crux of the matter is that the fact that WhatsApp/Facebook call this a ‘DESIGN DECISION’ does not stop it from being a ‘POTENTIAL BACKDOOR’.

Most important question then, ‘What can consumers do?’  There is a fix. Whatsapp users can turn ‘ON’ a setting and keep it on by default, so they know when the encryption key is changed. This would alert them that a new key has been generated.

To turn on this notification: Navigate to Settings in whatsapp -> choose account -> choose security -> enable the “Show security notifications” option.

The change of keys is a common occurrence even today, when users change their device or SIM card.

“If and when you see this notification, and you’re worried someone may have forced their way into your conversation to intercept or for surveillance, you can verify by simply calling the other person to check if they changed their device or SIM.”

“In the worst possible scenario, WhatsApp could potentially uniquely ‘super-target’ a user and have them re-install the WhatsApp app, and thereby forcing the generation of a new encryption key. This event would mask and successfully create a potential point of entry for Whatsapp to enable snooping.” says Ankush Johar, director

“Whatsapp could introduce one change and that is to put the choice in the hands of the users, to enable new key generation and subsequent message delivery. It could be an advanced option to ensure user friendliness or as standard for the privacy conscious user. With this change, if a user suspects snooping, they can choose to not send messages instead of it not being in their control today.”

What is the alternative to Whatsapp?

Whatsapp is a gold mine for surveillance by government agencies and actors. If people use whatsapp because they think that they cannot be spied upon, they need to stop now, and look for alternatives (whistleblowers and journalists among them).  Other apps that use the same signal protocol are the ‘Allo’ app by Google in ‘incognito mode’ and Facebook Messenger also says they offer the protocol for optional “secret conversations”.

A credible alternative is the Signal app. Interestingly, Whatsapp uses the same protocol as the ‘Signal’ app. Signal app however interestingly does not have this vulnerability, because in the open-source world, leaving a potential backdoor, would not be seen kindly, or at best, take no time to get highlighted publicly.

In the 50 days of de-monetisation and beyond, users have relied extensively on whatsapp safe in the knowledge that they were talking about their monetary affairs (aka ill-gotten wealth) safe from the prying eyes of surveillance. This vulnerability showcases how that may not be true, and how users have falsely relied on whatsapp to be their savior, when it clearly may not be.

Given that the PM and Mark Zuckerberg are quite fond of each other, and that too publicly, it may not be entirely wrong to ‘imagine’ a theory where the government perhaps has access or may be provided access to this goldmine of information.