WhatsApp Encryption A Good Start, But Far From a Security Cure-all

Security experts cheer WhatsApp for making end-to-end encryption available to one billion consumers, but say more work needs to be done to protect digital communications.

WhatsApp’s addition of end-to-end encryption is a good start, but does not present users with a complete solution that protects against the prying eyes of intrusive governments and nosey third-parties. That’s the consensus among privacy and security experts that commend Facebook-owned WhatsApp for flipping the switch on end-to-end encryption for its one billion users worldwide. But they say there is more work to be done when it comes to securing digital communication.

On Tuesday, WhatsApp introduced full end-to-end encryption for its services that it said guaranteed messages sent using the service could only be viewed by the sender and recipient. The company said the encryption technology would be applied to text messages, photos, files, voice message and videos sent to individuals or groups. The feature is turned on by default and is available in 50 languages across the world, including China, Brazil and Europe.

“End to end encryption is a good thing, but it’s really just the beginning of good security,” said Jonathan Zdziarski, a leading independent security researcher and forensics expert. “No question about it, this is good tech. But just like any tech it’s not perfect. The real question: Is WhatsApp’s owner Facebook going to be responsible with this technology? A lot of people view Facebook as the antithesis of privacy,” Zdziarski said.

WhatsApp co-founders Brian Acton and Jan Koum are ardent supporters of protecting private communication and have said publicly that they see themselves fighting the same battle Apple has waged with the U.S. Justice Department over accessing an encrypted iPhone belonging to one of the shooters involved in December’s deadly San Bernardino, Calif., attack. WhatsApp worked with Open Whisper Systems to develop the encryption technology and will use the not-for-profit’s Signal protocol for WhatsApp clients.

“This is milestone for secure communication,” said security researcher Kenneth White, director of the Open Crypto Audit Project in an email interview. “The developers at Open Whisper Systems working on the WhatsApp integration are among the best protocol engineers in the world,” he said. Because Signal is also used by other messaging and voice apps there is a potential for interoperability between platforms, White said.

“A lot of people might think after what WhatsApp announced Tuesday, ‘Oh my goodness everything is so secure and nobody can read my messages anymore.’ That’s not exactly 100 percent accurate,” said Cris Thomas, strategist at Tenable Network Security.

Thomas points out that there are several key aspects of secure communications that are missing when it comes to WhatsApp’s new end-to-end encryption plan. First, while WhatsApp messages are secure in transit, most of the endpoint devices – such as the smartphones, tablets and computers – do not encrypt the data residing on them in the same way Apple does with its most recent iPhone.

“Imagine you are transporting a $1 million in an armored truck between two guys living under a bridge,” Thomas said. “The transportation model is safe, but the endpoints are not.”

Another area of concern for said Jeremy Gillula, staff technologist with the Electronic Frontier Foundation, has less to do with the contents of messages and more to do with the metadata that is unprotected between WhatsApp users.

“Subpoena after subpoena has shown that it’s not the data that law enforcement is after. As our own government has expressed, it is more interested in metadata than actual content,” Gillula said. That metadata can often reveal more than the messaging itself, he said. Metadata includes who was communicating, when they communicated, for how long and the size of any digital content swapped between the two parties.

To that end, security experts say it’s going to come down to what extent is Facebook willing to protect its customers’ privacy when faced with a court order. “Do you trust a company like Facebook with that metadata? If you do, then WhatsApp is definitely more secure today than it was a week ago,” Zdziarski said.

WhatsApp began rolling out end-to-end encryption in 2013. Since then, it has taken a hard stance denying law enforcement access to encrypted communications. On March 1, Brazilian police arrested a Facebook vice president for Latin America because WhatsApp declined to help authorities provide messages sent by a criminal suspect. WhatsApp’s encryption has also presented a problem to the U.S. Justice Department when it has tried to exercise wiretaps, according to reports from The New York Times. But less clear to security experts is how WhatsApp and Facebook have and will respond to court orders for metadata.

The type of end-to-end encryption WhatsApp has introduced is similar to Apple’s iMessage end-to-end encryption. However, with WhatsApp, its encryption is not exclusive to iOS devices and is available on Android, iPhone, Windows Phone, Nokia S40, Nokia S60, Blackberry, and BB10. That subjects WhatsApp data, sitting on each of those devices, to the phone maker’s individual policies on device encryption adding another wrinkle in locking down WhatsApp data on a device.

When Threatpost asked Blackberry what its position on device encryption was last month, the company responded “We are not releasing statements at this time.”

Nevertheless, bringing end-to-end encryption to a billion users is a watershed moment when it comes to making encryption an industry standard, said Elad Yoran, executive chairman at Koolspan, a business-grade secure communication firm.

“Private and secure communications is a fundamental right as greater percentage of our communications goes from analog to digital,” Yoran said. “We know how to implement this technology now. The question is, how much do we trust the people who are a part of the servers and infrastructure behind our communications?”

Suggested articles