Virtualization Technology News and Information
Who's Reading Your WhatsApp Messages?

Since it was founded in 2009, WhatsApp has garnered more than 1 billion users. That's a crazy high number, but it's not really a big deal, because most of those users aren't even active, right?

Wrong. As of February 2014, over 70% of its users are active on a regular basis. They place an average of 100 million voice calls per day and send more than 42 billion messages daily.

It seems Zuckerberg and crew made the right move when they acquired the popular messaging service in 2014. It has a ridiculously large install base, and most of its users are active on a daily basis.

Facebook is a great choice as owner, too, because they clearly care about privacy. And since WhatsApp is a private messaging service, privacy is a huge deal.

Well, guess what? You might be shocked to learn that WhatsApp is much more vulnerable than we've been led to believe. As reported by the Guardian, private messages can actually be read without users knowing, thanks to a security backdoor in the service's end-to-end encryption.

What does all that mean for the layman?

It means that someone resourceful can find a way through the encryption protocol, and can then access any messages or media content sent via the service.


What Is the Vulnerability, or Backdoor, Exactly?

To understand the problem, you must first understand the security protocol used during encryption. Data is secured using an encryption key, which is sort of like a unique passcode. Encryption uses two of these keys - one private and the other public.

The public key is used to encrypt messages, or essentially make them unreadable. They can only be decrypted - made readable again - with the other, private, key.

WhatsApp simplifies the encryption process by storing the public keys on its remote servers, and your device downloads the public key for each of your contacts from there.

When a contact changes devices or reinstalls the app (among other triggers), the service issues a new unique key for that contact.

The problem is that the WhatsApp server can be tricked into giving you a third-party key, or one that actually doesn't belong to one of your contacts. For example, it can be tricked into providing you with a public key for a government official.

There are methods used to verify that these keys are accurate and belong to the right contact, which we won't go into here. But note that WhatsApp does not use any protocols like this.

Instead, WhatsApp will accept a key from a contact and resend all messages that are "in transit" to the new key.

This means someone could request a new key and intercept any incoming messages that the WhatsApp servers classify as "in transit."

What Does This Mean?

It means that certain messages can, in fact, be intercepted by a middleman. So, anyone with the skills and knowledge to take advantage of this vulnerability could potentially be reading your private WhatsApp messages.

This isn't DEFCON 2 for the average person, unless you're sharing sensitive information or media through the service. The potential problem is that larger organizations - such as the CIA or NSA - could use this vulnerability to gain access illegally.

As Tobias Boelter - a cryptography researcher from the University of California - explains, WhatsApp could be asked by any one of the government agencies to disclose messages, and "it can effectively grant access due to the change in keys."

Worse yet, the affected users would be none the wiser, because WhatsApp can deploy new keys at any time, even for offline users, and the app will switch to the new key with nary a notification.

You can enable a setting to "show security notifications" when your account or phone receives new keys, but it will only show up after "in transit" messages have been re-sent, or a call has been ended. So, it doesn't actually prevent a third party from seeing those messages. It just lets you know the key has been changed.
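To make the key-change behaviour described above concrete, here is an added Python model of a messaging client's key-pinning logic. It is example code written for this page, not WhatsApp's or Signal's code, and it assumes a hypothetical key directory (`KeyServer`), a toy `Client` with a pluggable policy, and constructed key bytes; encryption itself is not implemented, each queued message only records the fingerprint of the key it was encrypted to, since that is what the policy decision turns on. The `resend_then_notify` policy re-encrypts queued messages to a newly published key and notifies afterwards, which is the behaviour the article describes; the `block_until_verified` policy holds the queue and refuses the new key until the user confirms its fingerprint out of band, which is the mitigation a client can apply.

```python
"""Model of client-side key pinning in an end-to-end encrypted messenger.

Added example (not WhatsApp or Signal code). Two client policies for a
contact's key changing while messages are still queued ("in transit"):
  - "resend_then_notify": re-encrypt queued messages to the new key, then
    notify the user (the behaviour described in the article).
  - "block_until_verified": hold queued messages and refuse the new key
    until the user verifies it out of band (trust on first use, hard fail
    on change).
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def fingerprint(public_key: bytes) -> str:
    """Short hex fingerprint of a public key. A messenger's 'safety number'
    is derived from something like this and compared out of band."""
    return hashlib.sha256(public_key).hexdigest()[:16]


class KeyServer:
    """Constructed stand-in for the service's key directory: one current
    public key per contact, replaced whenever the contact re-registers."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def publish(self, contact: str, public_key: bytes) -> None:
        self._keys[contact] = public_key

    def lookup(self, contact: str) -> bytes:
        return self._keys[contact]


@dataclass
class QueuedMessage:
    text: str
    encrypted_to: str  # fingerprint of the key this message was encrypted to


@dataclass
class Client:
    server: KeyServer
    policy: str  # "resend_then_notify" or "block_until_verified"
    pinned: Dict[str, str] = field(default_factory=dict)      # contact -> trusted fingerprint
    unverified: Dict[str, str] = field(default_factory=dict)  # contact -> new fingerprint awaiting check
    outbox: Dict[str, List[QueuedMessage]] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)

    def send(self, contact: str, text: str) -> bool:
        """Queue a message encrypted to the pinned key. Returns False if the
        contact's new key is still awaiting verification (blocking policy)."""
        if contact in self.unverified:
            return False
        if contact not in self.pinned:
            # Trust on first use: pin whatever the directory serves the first time.
            self.pinned[contact] = fingerprint(self.server.lookup(contact))
        self.outbox.setdefault(contact, []).append(QueuedMessage(text, self.pinned[contact]))
        return True

    def on_key_change(self, contact: str) -> List[QueuedMessage]:
        """Server push: the contact's key was replaced while messages are queued.
        Returns the messages re-encrypted (resent) to the new key, if any."""
        new_fp = fingerprint(self.server.lookup(contact))
        old_fp = self.pinned.get(contact)
        if old_fp is None or old_fp == new_fp:
            return []
        if self.policy == "resend_then_notify":
            resent = self.outbox.get(contact, [])
            for m in resent:
                m.encrypted_to = new_fp  # silently re-encrypt to the unverified key
            self.pinned[contact] = new_fp
            self.notifications.append(f"{contact}: security code changed")  # only after the resend
            return list(resent)
        if self.policy == "block_until_verified":
            self.unverified[contact] = new_fp  # queue stays encrypted to the old key
            self.notifications.append(
                f"{contact}: key changed {old_fp} -> {new_fp}; verify before sending")
            return []
        raise ValueError(f"unknown policy {self.policy!r}")

    def verify(self, contact: str, expected_fp: str) -> bool:
        """User compared the fingerprint out of band; accept it only if it matches."""
        new_fp = self.unverified.get(contact)
        if new_fp is None or new_fp != expected_fp:
            return False
        self.pinned[contact] = new_fp
        del self.unverified[contact]
        for m in self.outbox.get(contact, []):
            m.encrypted_to = new_fp  # now safe to re-encrypt the held queue
        return True


def demo(policy: str) -> Tuple[List[str], List[str]]:
    """Scenario from the article under one policy: Alice queues two messages to
    Bob while he is offline, then Bob's key is replaced in the directory.
    Returns (fingerprints the queued messages are encrypted to, notifications)."""
    server = KeyServer()
    server.publish("bob", b"constructed-bob-key-1")
    alice = Client(server, policy)
    alice.send("bob", "are we still on for lunch?")
    alice.send("bob", "call me when you land")
    server.publish("bob", b"constructed-bob-key-2")  # key replaced server-side
    alice.on_key_change("bob")
    return [m.encrypted_to for m in alice.outbox["bob"]], list(alice.notifications)


if __name__ == "__main__":
    for p in ("resend_then_notify", "block_until_verified"):
        print(p, demo(p))
```

Under `resend_then_notify` both queued messages end up encrypted to the new fingerprint before the user sees any notification; under `block_until_verified` they stay encrypted to the pinned key and nothing leaves the device until `verify()` is called with a fingerprint the user has confirmed.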

This is indicative of the data privacy and security issues many are concerned about when it comes to cloud technology. This is a private messaging service that, for all intents and purposes, people fully believe to be secure. There's no telling what kind of information they're unwittingly sharing with one another.

The vulnerability has the potential to kick-start an incredibly serious problem for many. Here's hoping WhatsApp and its software engineers take some time to deal with the issue, even if Facebook's leadership won't:

As of April 2016, Facebook indicated they were already aware of the issue, but that they have no intention of working on a fix.


About the Author

Kayla Matthews is a tech-loving blogger who writes and edits Follow her on Twitter to read all of her latest posts!
Published Monday, January 23, 2017 8:28 AM by David Marshall