Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff. But new research shows that the company can intercept and read encrypted WhatsApp messages.
The US researchers found a security vulnerability that can be used to spy on encrypted messages. Privacy campaigners called the vulnerability a “huge threat to freedom of speech” and warned it could be used by government agencies as a backdoor to snoop on users who believe their messages to be secure.
A cryptography and security researcher at the University of California, Tobias Boelter, explains that WhatsApp’s encryption relies on the “generation of unique security keys,” which are traded and verified between users to ensure that communications are secure and cannot be intercepted. But Facebook, which owns WhatsApp, has the ability to resend undelivered messages with a new security key, effectively allowing the company to access the ‘encrypted’ messages without the sender or recipient being aware or able to prevent it from happening.
WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.
The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages, The Guardian reported.
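The re-send behaviour described above can be modelled as a toy sender outbox. This is an added illustration, not WhatsApp's code: encryption is symbolic (an envelope tagged with a key id), and the `block_on_key_change` switch, the key names and the sample message are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Sender:
    block_on_key_change: bool           # hypothetical policy switch
    security_notifications: bool        # the opt-in warning setting
    recipient_key: str = "key-A"        # constructed key identifier
    undelivered: list = field(default_factory=list)
    wire: list = field(default_factory=list)      # (key_id, plaintext) envelopes
    warnings: list = field(default_factory=list)

    def send(self, text):
        # Symbolic encryption: only the holder of key_id can open the envelope.
        self.wire.append((self.recipient_key, text))
        self.undelivered.append(text)   # recipient offline, no delivery receipt

    def on_key_change(self, new_key):
        """The server announces a new key for the offline recipient."""
        self.recipient_key = new_key
        if self.block_on_key_change:
            # Hold pending messages until the user verifies the new key.
            self.warnings.append(f"key changed to {new_key}: verify before sending")
            return
        # Behaviour the article describes: re-encrypt and re-send first ...
        for text in self.undelivered:
            self.wire.append((new_key, text))
        # ... then warn, and only if the sender opted in.
        if self.security_notifications:
            self.warnings.append(f"key changed to {new_key}")

    def confirm_new_key(self):
        """Blocking mode only: the user verified the key, release held messages."""
        for text in self.undelivered:
            self.wire.append((self.recipient_key, text))

def readable_with(sender, key_id):
    """Plaintexts recoverable by whoever holds key_id."""
    return [text for key, text in sender.wire if key == key_id]

def scenario(block, notify):
    sender = Sender(block_on_key_change=block, security_notifications=notify)
    sender.send("meet at noon")         # constructed sample message
    sender.on_key_change("key-B")       # a key the two users never verified
    return readable_with(sender, "key-B"), sender.warnings

if __name__ == "__main__":
    for block, notify in [(False, False), (False, True), (True, False)]:
        print(block, notify, scenario(block, notify))
```

In the non-blocking runs the pending message is already readable under the unverified key by the time any warning exists; in the blocking run nothing is re-sent until `confirm_new_key()` is called.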
A backdoor to a technology such as encryption is simply a way for a third party to access something secure without the primary parties being aware.
A way into a supposedly secure, end-to-end encrypted, private messaging service could be a “goldmine” for surveillance purposes and is “a huge betrayal of user trust”, according to privacy advocates. The amount of private information sent knowingly or unknowingly through WhatsApp could be vast and therefore is a very attractive target for surveillance.
According to reports, Boelter reported the vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian claims to have verified the loophole still exists.
Reacting to the research, a WhatsApp spokesperson said over 1 billion people use WhatsApp today because it is simple, fast, reliable and secure. “At WhatsApp, we’ve always believed that people’s conversations should be secure and private,” the spokesperson added. Last year, we gave all our users a better level of security by making every message.
The company later issued another statement saying: “WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor.”