A UC Berkeley doctoral student has recently discovered that WhatsApp, the end-to-end encrypted messaging platform used by more than a billion users across the world, has a security flaw that leaves messages susceptible to interception.
The main problem, according to Tobias Boelter, the second-year electrical engineering and computer sciences doctoral student who identified the issues, is that WhatsApp “won’t give you the option to prevent (a) message from being sent after (a) security key change.” A security key is a piece of random data that can include letters, numbers or symbols.
A key can change for many reasons, such as changing phones or reinstalling the app. It can also change if someone is trying to intercept a message, according to Boelter.
This interception must occur before a message is received by the intended recipient. Users are not notified of a security key change until after a message is sent. The flaw does not apply to messages that were already received, because WhatsApp, which is owned by Facebook, has been designed not to re-encrypt delivered messages. Boelter notes on his blog that interception could apply to more than one message.
“Any attempt to intercept messages in transit by the server is detectable by the sender just like with Signal, (Pretty Good Privacy), or any other end-to-end encrypted communication,” Moxie Marlinspike, an Open Whisper Systems team member, wrote on the OWS blog. “Given the size and scope of WhatsApp’s user base, we feel that their choice to display a non-blocking notification is appropriate.”
Brian Acton, a co-founder of WhatsApp, responded to the vulnerability on Reddit, stating that it is not a “backdoor” and that the communication platform is designed to maintain its billion users’ access to their messages.
“Because a person’s encryption key is changed when WhatsApp is installed on a new phone or re-installed on an old device, we make sure those messages can eventually be read using the new key,” Acton said on Reddit.
Jethro Beekman, a senior engineer with security company Fortanix, said that, to prevent interception, people could notify their contacts before doing something that would change their security key.
“But, I acknowledge that this is too cumbersome for some people to do,” Beekman said.
Most WhatsApp users, Beekman added, will never see notices about keys changing, since the notification is disabled by default in the app.
Several WhatsApp users on campus commented that they will stick with the platform despite the potential vulnerability.
Sahara Abdi, a campus freshman and intended statistics and computer science major, said she doesn’t believe she will switch from the app because it is convenient for her to talk with family and friends in Kenya.
“These things happen every day, people try to find holes in (programs),” Abdi said. “If they find a hole, they should fix it.”
Facebook’s early communication to Boelter in May stated that this is not something the company is immediately looking to change, though Acton wrote on Reddit this week that the company will invest in technology “that help(s) protect the privacy and security of messages and calls on WhatsApp.”
Boelter and Beekman both recommended Signal as an alternative app for secure end-to-end encrypted communication. Though Signal is developed by OWS as well, it does not automatically resend messages when security keys change.
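
The difference between a non-blocking and a blocking response to a key change, as described above, can be shown with a simplified sender-side model. This is an added example, not code from WhatsApp, Signal or anyone quoted in the article; the class, method names and key labels are hypothetical, and encryption is represented only by recording which key each message was sent under.

```python
from dataclasses import dataclass, field

@dataclass
class Sender:
    # Hypothetical sender-side model; not WhatsApp's or Signal's code.
    block_on_key_change: bool
    trusted_key: str
    undelivered: list = field(default_factory=list)  # sent, not yet received
    events: list = field(default_factory=list)       # (event, message, key)
    held_key: str = None

    def send(self, msg):
        self.undelivered.append(msg)
        self.events.append(("sent", msg, self.trusted_key))

    def delivered(self, msg):
        # Delivered messages leave the queue and are never re-encrypted.
        self.undelivered.remove(msg)

    def on_key_change(self, new_key):
        if self.block_on_key_change:
            # Blocking policy: hold everything until the user decides.
            self.held_key = new_key
            self.events.append(("blocked", None, new_key))
            return
        # Non-blocking policy: resend first, tell the user afterwards
        # (and only if the user has enabled the notification).
        self._resend(new_key)
        self.events.append(("notified_after_resend", None, new_key))

    def approve(self):
        # The user confirmed the new key with the contact out of band.
        if self.held_key is not None:
            self._resend(self.held_key)
            self.held_key = None

    def _resend(self, new_key):
        self.trusted_key = new_key
        for msg in self.undelivered:
            self.events.append(("resent", msg, new_key))

def run(block):
    s = Sender(block, trusted_key="key-A")  # constructed key labels
    s.send("m1"); s.delivered("m1")         # m1 arrives normally
    s.send("m2"); s.send("m3")              # recipient is offline
    s.on_key_change("key-B")                # server reports a new key
    return s
```

With `run(False)` the two undelivered messages are resent under the new key before any notice is recorded; with `run(True)` nothing is resent until `approve()` is called.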