WhatsApp has a “Backdoor”? What’s the fact?

The issue has nothing to do with the security of Signal encryption protocol, that continues to be one of the most secure encryption protocols.


Recently an article published in April 2016 by security researcher Tobias Boelter has gained public attention: the research suggests that WhatsApp has a backdoor that “could allow” an attacker, and of course the company itself, to intercept your encrypted communication.

Open Whisper Systems (mantainer of “Signal” protocol, also used by WhatsApp) criticized reporting in a blog post:

The fact that WhatsApp handles key changes is not a “backdoor,” it is how cryptography works. Any attempt to intercept messages in transmit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.

The process is clearly explained in this post by eff.org:

The lost phone, lost message dilemma

The issue at question is WhatsApp’s answer to the question of what applications should do when someone’s phone number changes (or they reinstall their app, or switch phones).

Suppose Alice sends a message to Bob encrypted with Bob’s key K1. Alice’s message is stored encrypted at the server until Bob can connect and download it. This behavior is required for any app that allows asynchronous communications (meaning you can send a message to somebody while they are offline), which nearly all popular messaging apps support.

Unfortunately, Bob just dropped his phone in a lake. Later on, Bob gets a new phone and reinstalls WhatsApp. On this new phone, the app will create a new key K2. There are two possible behaviors here:

  • Fail safe: The server can delete the queued message, since it was encrypted with K1, which no longer exists. Bob will never see the message. If Alice has turned on key change notifications, she will be warned that Bob is using a new key. She will be told that her message was not delivered and given the option to re-send it. This is what Signal does.
  • Proceed: The server will tell Alice’s phone that Bob has a new key K2, and to please re-encrypt the message for K2. Alice’s phone will do this, and Bob will get the message. If Alice has turned on key change notifications, she will then be warned that Bob’s key had changed. This is what WhatsApp does.

Note that the second behavior makes the service seem more reliable: it’s one less way a message can fail to be delivered.

The issue here is that the second behavior opens a security hole: Bob need not have actually lost his phone for the server to act as if he has lost it. Acting maliciously, the server could pretend that Bob’s new key is a key that the server controls. Then, it will tell Alice about this new key, but will not give Alice a chance to intervene and prevent the message from being sent. Her phone will automatically re-send the message, which the server can now read. Alice will be notified and can later attempt to verify the new fingerprint with Bob, but by then it will be too late.


So, not really a backdoor?

Mohit Kumar, from TheHackerNews, has a fairly clear position:

There’s no “encryption backdoor;” instead the real backdoor resides in the way how end-to-end encryption has been implemented by WhatsApp, which eventually allows interception of messages without breaking the encryption.

From Whispersystems post:

The only question it might be reasonable to ask is whether these safety number change notifications should be “blocking” or “non-blocking.” In other words, when a contact’s key changes, should WhatsApp require the user to manually verify the new key before continuing, or should WhatsApp display an advisory notification and continue without blocking the user.

So, the issue has nothing to do with the security of Signal encryption protocol, that It’s one of the most secure encryption protocols if implemented correctly.


Bug or feature?

Tobias Boelter, in another (polemical) blog post, says:

this flaw can be explained as a programming bug. Just a missed “if” statement for one of the corner cases. It is a type of flaw that is not necessarily introduced by malice, just like many other critical vulnerabilities in important products that are reported daily.
But Facebook showed no interest in fixing the flaw since I reported it to them in April 2016. So maybe it was a bug first, but when discovered it got started being used as a backdoor?
WhatsApp has stated recently that this is not a bug, it is a feature! Because now senders don’t have to press an extra “OK” button in the rare case they sent a message, the receiver is offline and has a new phone when coming back online.

Proprietary closed-source crypto software is the wrong path. After all this — potentially mallicious code — handles all our decrypted messages. Next time the FBI will not ask Apple but WhatsApp to ship a version of their code that will send all decrypted messages directly to the FBI.


So what can I do?

If you care about your privacy and that of the people that you are connected, start using Signal and suggest to your friends to do the same.

Comments