It has been a busy weekend for those concerned with online privacy. Last Friday, the Guardian reported on research that claims to have detected a security loophole in the way WhatsApp employs its end-to-end encryption protocol, Signal. A day later, the protocol’s developers, Open Whisper Systems, responded that what the research claims is a vulnerability is actually a feature – and definitely not a backdoor. But is one of the most popular end-to-end encrypted instant messengers really backdoored?
Open Whisper Systems’ answer is “no.” But the argument is rather semantic. A backdoor is a weakness that has been deliberately built into a security system so that the system’s creators would have exclusive access to it for maintenance or other purposes. To paraphrase: what separates a backdoor from the common vulnerability is the developers’ intent. However, regardless of WhatsApp’s intent, there seems to be a legitimate vulnerability in the messenger’s security.
The WhatsApp retransmission vulnerability explained
The Guardian cited the findings of German computer scientist Tobias Belter. In April, he wrote on his blog about a “bug” in the app, which automatically re-encrypts unsent messages – making them an easy catch for man-in-the-middle (MitM) attacks. He also wrote that he filed a white-hat report about the issue, but got a reply from Facebook, owner of WhatsApp, that fixing it is not a priority for the company.
The way the Signal protocol used by the app works is similar to most other public-key cryptography based on the Diffie-Hellman algorithm – the two communicating parties each have a pair of keys: a public one, and a private one. The public key is, well, public and can be seen by other users, while the private one is stored on each user’s device. The problem is people don’t use the same device over the course of a lifetime, and private keys get changed for legitimate reasons every now and then.
But what happens to a message that was sent after the keys were changed, but before the sender is notified their contact switched devices? In most end-to-end encrypted clients, the message would not be delivered as the keys won’t match. In WhatsApp, however, the message is re-encrypted with the new key on the app’s server and successfully sent to the recipient. However, in the meantime someone might have registered an account with the recipient’s phone and they’d get the message instead.
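The two key-change policies described above, as a toy model added here (not WhatsApp or Signal code). The `Sender` class, its method names and the sample keys are hypothetical, the decision is assumed to be made in the sending app, and encryption is modelled only by recording the fingerprint of the key a message was sealed to.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(public_key: bytes) -> str:
    """Short key identifier the user can compare out of band."""
    return hashlib.sha256(public_key).hexdigest()[:16]

@dataclass
class Sender:
    """Sending client; 'sealing' is modelled by recording the key fingerprint."""
    block_on_key_change: bool
    trusted: dict = field(default_factory=dict)  # contact -> trusted fingerprint
    pending: list = field(default_factory=list)  # (contact, text) sent but undelivered
    held: list = field(default_factory=list)     # (contact, text) waiting for the user
    sent: list = field(default_factory=list)     # (contact, sealed_to, text)

    def trust(self, contact: str, public_key: bytes) -> None:
        self.trusted[contact] = fingerprint(public_key)

    def queue(self, contact: str, text: str) -> None:
        self.pending.append((contact, text))

    def on_key_change(self, contact: str, new_key: bytes) -> None:
        """The service reports a new public key for `contact`."""
        mine = [m for m in self.pending if m[0] == contact]
        self.pending = [m for m in self.pending if m[0] != contact]
        if self.block_on_key_change:
            self.held.extend(mine)               # nothing leaves until verified
            return
        self.trust(contact, new_key)             # accepted without asking the user
        self.sent.extend((c, self.trusted[c], t) for c, t in mine)

    def verify_and_release(self, contact: str, new_key: bytes, seen_fp: str) -> bool:
        """User compared fingerprints out of band; release only on a match."""
        if fingerprint(new_key) != seen_fp:
            return False
        self.trust(contact, new_key)
        mine = [m for m in self.held if m[0] == contact]
        self.held = [m for m in self.held if m[0] != contact]
        self.sent.extend((c, self.trusted[c], t) for c, t in mine)
        return True

def run(block: bool):
    """Constructed scenario: Bob's number gets a key Alice never verified."""
    bob_key, new_key = b"bob-device-1-public-key", b"unverified-device-public-key"
    alice = Sender(block_on_key_change=block)
    alice.trust("bob", bob_key)
    alice.queue("bob", "meet at 6")              # Bob is offline, message undelivered
    alice.on_key_change("bob", new_key)
    return alice, fingerprint(bob_key), fingerprint(new_key)
```

With `block=False` the queued message ends up sealed to the new, unverified key; with `block=True` it stays in `held` until the fingerprint the user saw matches the new key.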
Should WhatsApp users be worried? We say yes
This wasn’t put in the code deliberately so that WhatsApp itself could spy on people, or let law enforcement do it with a warrant. It was made for convenience’s sake – because the app is popular and has many, often not very tech-savvy users. So it is not a backdoor. Semantically. On the other hand, the possibility for the exploit is there.
And here’s the thing. WhatsApp is often pointed out as the go-to app for political activists under repressive governments, and has been named the most secure of the popular messaging clients by Amnesty International. The adversaries some of its users face are often state-sponsored or equally well-resourced.
A vulnerability like the one found by Belter is relatively easy to exploit for such attackers. (Not to mention that he seems to have done it himself using just three phones.) The fact that the Guardian, which is not a specialized tech publication, got one term wrong while reporting the issue doesn’t make it a smaller one.