And It’s a well-known fact that usability and security are inversely proportional to each other, and choosing usability over security doesn’t end well.
After introducing “end-to-end encryption by default” last year, WhatsApp has become the world’s largest secure messaging platform with over a billion users worldwide.
But if you think your conversations are completely secure in a way that no one, not even Facebook, the company that owned WhatsApp, can intercept your messages then you are highly mistaken, just like most of us and it’s not a new concept.
Here’s the kick: End-to-end encrypted messaging service, such as WhatsApp and Telegram, contain a backdoor that can be used, if necessary, by the company and of course hackers, or the intelligence agencies to intercept and read your end-to-end encrypted messages, and that’s all without breaking the encryption.
No doubt most of the encrypted messaging services generate and store private encryption key offline on your device and only broadcast the public key to other users through the company’s server.
Like, In the case of WhatsApp, we have to trust the company that it will not alter public key exchange mechanism between the sender and receiver to perform man-in-the-middle attack for snooping on your encrypted private communication.
Tobias Boelter, security researcher from the University of California, has reported that WhatsApp’s end-to-end encryption, based on Signal protocol, has been implemented in a way that if WhatsApp or any hacker intercepts your chats by exploiting trust-based key exchange mechanism, you will never come to know if any change in encryption key has occurred in the background.
Note that this backdoor has nothing to do with the Signal encryption protocol, created by Open Whisper Systems.
“WhatsApp has implemented a backdoor into the Signal protocol, giving itself the ability to force the generation of new encryption keys for offline users and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.
The recipient is not made aware of this change in encryption.” The Guardian reports.
However, users can receive notifications when security codes change, only if “security notifications” option has been turned ON manually from the app settings.
Meanwhile, Fredric Jacobs, who was iOS developer at Open Whisper Systems, also reacted on twitter and admitted that “if you don’t verify keys Signal/WhatsApp/… can man-in-the-middle your communications,” however he also added, “It’s ridiculous that this is presented as a backdoor. If you don’t verify keys, authenticity of keys is not guaranteed. Well known fact.“
Facebook Haven’t Fixed It Since June, 2016
Boelter told the Guardian that he reported the backdoor to Facebook in April 2016 — the time when WhatsApp implemented end-to-end encryption by default in its messaging app.
However, the researcher was told in reply that Facebook was already aware of the issue and justified it as an “expected behavior.”
“WhatsApp says that it implemented the backdoor to aid usability.
If the backdoor is not in place, messages sent to an offline user, who then changes their smartphone or has to re-install WhatsApp and in doing so generates new security keys for themselves, would remain undelivered once the user comes back online.”
The Guardian says.
“In many parts of the world, people frequently change devices and Sim cards.
In these situations, we want to make sure people’s messages are delivered, not lost in transit.” a WhatsApp spokesperson told the Guardian.
And Yeah, the backdoor still exists in WhatsApp.
How to Protect Yourself from Spying?
To prevent the possibility of MITM attacks, WhatsApp also offers a third security layer in its app using which you can verify the keys of other users with whom you are communicating, either by scanning a QR code (drawback: physical presence required) or by comparing a 60-digit number by another way of communication.
“Security codes are just visible versions of the special key shared between you – and don’t worry, it’s not the actual key itself, that’s always kept secret.“
However, this option is useful only when you are actively looking to verify the authenticity of session keys and, we know, only one privacy-conscious paranoid user in thousands would do that.
Secure Alternative to Whatsapp
Oh! You must be thinking — Which secure messaging service then offers protection against such broken trust and interception?
There are several alternatives, such as “Signal Private Messenger“, itself, developed by Open Whisper Systems and it’s most recommended secure message app.