Can Facebook intercept your WhatsApp messages? Not so fast.
Ever since WhatsApp announced in August it would share some user information with its parent company Facebook, privacy activists have left one eyebrow permanently arched in skepticism toward the secure messaging app.
Then, on Friday, the Guardian dropped a bombshell: WhatsApp, and potentially other parties like government agencies, may have access to WhatsApp messages thanks to a security backdoor in the app.
The promise of WhatsApp is that only you and your recipient can read the messages you send through the service. That means no copy of your messages sits on WhatsApp servers, where the company, its parent Facebook, or any government could access them. Even the information-sharing that WhatsApp announced in August is limited to the user’s phone number and the last time he or she used the app.
So news that WhatsApp is designed with a loophole that could let the company access the message was damning. But security experts were quick to question the Guardian report, saying that WhatsApp comes with a built in way for users to close the loophole. What’s more, Facebook flatly denies it has a backdoor into user communications.
“WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor,” a Facebook spokesperson said. The spokesperson added that what the Guardian calls a backdoor is actually a “design decision” that prevents messages from being lost and pointed to a white paper on its encryption design.
Here’s the feature that the Guardian calls a backdoor, and Facebook calls a design decision:
Normally, WhatsApp users have unique digital keys that they swap with each other when sending messages — that’s what keeps others out. But if you hit send on a message while your recipient is offline, WhatsApp could theoretically jump in with a new encryption key and automatically resend the message with the new key, which the company would have a copy of. Then, WhatsApp could decrypt the message and read what it says. Senders and recipients would have no idea that someone else has a way into their message.
But there’s a fix. WhatsApp users can opt in to find out when someone they’re communicating with changes their encryption key. This change happens often enough, when users switch to a different device or SIM card. If you see that your contact has a new encryption key and you’re worried someone might have forced the change to intercept your message, you can ask your contact if he switched devices, said John Geater, chief technology officer at Thales e-Security, a firm that helps companies manage their encryption keys.
“These claims aren’t nearly as concerning as they first appear,” Geater said in an email. “Indeed, there is almost no hack here.”
A UC Berkeley PhD student in cryptography, Tobias Boelter, conducted the research that spurred the Guardian report. Boelter said WhatsApp could make one change to make the system more secure. The problem now, he says, is that WhatsApp automatically resends the message when the encryption key changes. The company should offer an option to users to stop that from happening. That way, if users suspected they were being eavesdropped on, they could prevent the message from being broadcast.
Also, he said, just because WhatsApp didn’t design the process as a backdoor, doesn’t mean it couldn’t be used as one.
“It effectively allows WhatsApp to intercept messages,” Boelter said. “Which is really bad.”
Updated 4:32 p.m. PT: Adds comment from Tobias Boelter, whose research identified the WhatsApp feature that automatically retransmits messages with a new encryption key.
New products from CES 2017: The CNET team shows you the latest gear from the Las Vegas tech show. Check it out right here.
Tech Enabled: CNET chronicles tech’s role in providing new kinds of accessibility. Check it out here.