Exclusive: Privacy
campaigners criticise WhatsApp vulnerability as a ‘huge threat to freedom of
speech’ and warn it could be exploited by government agencies. Research shows
that WhatsApp can read messages due to the way the company has implemented its
end-to-end encryption protocol and vulnerability that can be used to allow Facebook and others to
intercept and read encrypted messages has been found within its WhatsApp
messaging service.
Facebook claims that no one can
intercept WhatsApp messages, not even the company and its staff, ensuring
privacy for its billion-plus users. But new research shows that the company
could in fact read messages due to the way WhatsApp
has implemented its end-to-end encryption protocol.
Should I be worried about
the WhatsApp encryption vulnerability?
Why is there a hole in its encryption, what is the
Signal protocol, what does that mean for my privacy and are there any
alternatives?
Read more
Privacy
campaigners said the vulnerability is a “huge threat to freedom of speech” and
warned it could be used by government agencies as a backdoor to snoop on users
who believe their messages to be secure.
WhatsApp has made privacy and security a primary selling point, and has
become a go to communications tool of activists, dissidents and diplomats.
WhatsApp’s end-to-end encryption
relies on the generation of unique security keys, using the acclaimed Signal
protocol, developed by Open Whisper Systems, that are
traded and verified between users to guarantee communications are secure and
cannot be intercepted by a middleman.
However, WhatsApp has the ability
to force the generation of new encryption keys for offline users, unbeknown to
the sender and recipient of the messages, and to make the sender re-encrypt
messages with new keys and send them again for any messages that have not been
marked as delivered.
The recipient is not made aware
of this change in encryption, while the sender is only notified if they have
opted-in to encryption warnings in settings, and only after the messages have
been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp
to intercept and read users’ messages.
The security loophole was
discovered by Tobias Boelter, a cryptography and security researcher at the
University of California, Berkeley. He told the Guardian: “If WhatsApp is asked
by a government agency to disclose its messaging records, it can effectively
grant access due to the change in keys.”
The vulnerability is not inherent
to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app
used and recommended by whistleblower Edward Snowden, does not suffer from the
same vulnerability. If a recipient changes the security key while offline, for
instance, a sent message will fail to be delivered and the sender will be
notified of the change in security keys without automatically resending the
message.
WhatsApp’s implementation
automatically resends an undelivered message with a new key without warning the
user in advance or giving them the ability to prevent it.
Boelter reported the
vulnerability to Facebook in April 2016, but was told that Facebook was aware
of the issue, that it was “expected behaviour” and wasn’t being actively worked
on. The Guardian has verified the loophole still exists.
The WhatsApp vulnerability calls into question the
privacy of messages sent across the service used around the world, including by
people living in oppressive regimes. Photograph: Marcelo Sayão/EPA
Steffen Tor Jensen, head of
information security and digital counter-surveillance at the European-Bahraini
Organisation for Human Rights, verified Boelter’s findings. He said: “WhatsApp
can effectively continue flipping the security keys when devices are offline
and re-sending the message, without letting users know of the change till after
it has been made, providing an extremely insecure platform.”
Boelter said: “[Some] might say
that this vulnerability could only be abused to snoop on ‘single’ targeted
messages, not entire conversations. This is not true if you consider that the
WhatsApp server can just forward messages without sending the ‘message was
received by recipient’ notification (or the double tick), which users might not
notice. Using the retransmission vulnerability, the WhatsApp server can then
later get a transcript of the whole conversation, not just a single message.”
The vulnerability calls into
question the privacy of messages sent across the service, which is used around
the world, including by people living in oppressive regimes.
Professor Kirstie Ball,
co-director and founder of the Centre for Research into Information, Surveillance
and Privacy, called the existence of a vulnerability within WhatsApp’s
encryption “a gold mine for security agencies” and “a huge betrayal of user
trust”. She added: “It is a huge threat to freedom of speech, for it to be able
to look at what you’re saying if it wants to. Consumers will say, I’ve got
nothing to hide, but you don’t know what information is looked for and what
connections are being made.”
In the UK, the recently passed Investigatory Powers Act allows the
government to intercept bulk data of users held by private companies, without
suspicion of criminal activity, similar to the activity of the US National
Security Agency uncovered by the Snowden revelations. The government also has
the power to force companies to “maintain technical capabilities” that allow
data collection through hacking and interception, and requires companies to
remove “electronic protection” from data. Intentional or not, WhatsApp’s
vulnerability to the end-to-end encryption could be used in such a way to
facilitate government interception.
Jim Killock, executive director
of Open Rights Group, said: “If companies claim to offer end-to-end encryption,
they should come clean if it is found to be compromised....In the UK, the
Investigatory Powers Act means that technical capability notices could be used
to compel companies to introduce flaws – which could leave people’s data
vulnerable.”
A WhatsApp spokesperson told the
Guardian: “Over 1 billion people use WhatsApp today because it is simple, fast,
reliable and secure. At WhatsApp, we’ve always believed that people’s
conversations should be secure and private. Last year, we gave all our users a
better level of security by making every message, photo, video, file and call
end-to-end encrypted by default. As we introduce features like end-to-end
encryption, we focus on keeping the product simple and take into consideration
how it’s used every day around the world.
“In WhatsApp’s implementation of
the Signal protocol, we have a “Show Security Notifications” setting (option
under Settings > Account > Security) that notifies you when a contact’s
security code has changed. We know the most common reasons this happens are
because someone has switched phones or reinstalled WhatsApp. This is because in
many parts of the world, people frequently change devices and Sim cards. In these
situations, we want to make sure people’s messages are delivered, not lost in
transit.”
Asked to comment specifically on
whether Facebook/WhatApps had accessed users’ messages and whether it had done
so at the request of government agencies or other third parties, it directed
the Guardian to its site that details aggregate data on government requests by
country.
WhatsApp later issued another
statement saying: “WhatsApp does not give governments a ‘backdoor’ into its
systems and would fight any government request to create a backdoor.”
Concerns over the privacy of
WhatsApp users has been repeatedly highlighted since Facebook acquired the
company for $22bn in 2014. In August 2015, Facebook announced a change to the
privacy policy governing WhatsApp that allowed the social network to merge data
from WhatsApp users and Facebook, including phone numbers and app usage, for
advertising and development purposes.
Facebook halted the use of the shared user data for
advertising purposes in November after pressure from the pan-European data protection agency
group Article 29 Working Party in October. The European commission
then filed charges against Facebook for providing “misleading” information in the
run-up to the social network’s acquisition of messaging service
WhatsApp, following its data-sharing change.
- This article was amended following a further
statement from WhatsApp, which said that it did not give governments a
“backdoor” into its systems.
By Manisha Ganguly Photograph: Ritchie B Tongo/EPA
No comments:
Post a Comment