Accusations that WhatsApp has a backdoor intended for eavesdropping on user messages are being loudly rebuked by Facebook-owned WhatsApp and by Open Whisper Systems, the company that developed the platform's underlying encryption technology. Others in the security and crypto communities are also dismissing the claims published by The Guardian, calling the allegations outrageous.
“I do not assess the issues with WhatsApp to constitute a backdoor,” said forensics expert and iOS researcher Jonathan Zdziarski.
The Electronic Frontier Foundation calls the claims wrong and said WhatsApp is being blamed for a feature that all end-to-end encrypted messaging systems have to contend with: encryption key changes.
On Friday, The Guardian quoted research by Tobias Boelter, a cryptography and security researcher, who said he discovered a backdoor in WhatsApp’s messaging service that could “allow Facebook and others to intercept and read encrypted messages.” But experts say what’s really going on is less backdoor snooping and more prosaic key change encryption management.
So what’s going on and why isn’t this a backdoor? First, an explainer on what a key change is within the context of WhatsApp.
When using WhatsApp, messages are encrypted with keys that also let the sender and recipient verify that each is who they say they are. But what happens when the recipient’s encryption key changes? The WhatsApp client generates a new key whenever the app is reinstalled, someone buys a new phone, or the phone number on a device changes, according to WhatsApp. While the recipient’s key is changing, the sender’s encrypted message sits in limbo waiting to be delivered. Once the new device has generated a new key, the client can attempt to resend the message.
When the message is resent and received, the sender is notified of the recipient’s key change. The caveat is that the sender is notified only after the message has been sent, and only if the “key change notification” feature is turned on in the WhatsApp settings. (To turn on WhatsApp’s key change notifications, go to Settings/Account/Security and select “Show security notifications.”)
WhatsApp also offers an added layer of verification to make sure the sender’s and recipient’s keys match. Using what’s called a “safety number” or “security code” feature (see below), both parties can visually check that they are seeing the same security code.
Boelter said the key change process introduces an opportunity for a backdoor. He argues that before the recipient generates a new key, a malicious server could issue a key that WhatsApp controls without anyone knowing about it; anyone in control of the server could then read the message. Boelter also proposes that WhatsApp could make it appear that someone bought a new phone in order to lay the groundwork for this type of man-in-the-middle eavesdropping.
Encryption experts concede that key changes on any platform are an imperfect process, but say they are far from a backdoor vulnerability.
“This is something any public key cryptography system has to deal with. WhatsApp gives users the option to be notified when those changes occur,” explains Moxie Marlinspike, the founder of Open Whisper Systems and the Signal protocol, which WhatsApp’s encryption uses.
“The fact that WhatsApp handles key changes is not a ‘backdoor,’ it is how cryptography works. Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system,” Marlinspike said.
He argues that the only reasonable question to ask is whether WhatsApp’s key change notifications should be “blocking” or “non-blocking.” In other words, should WhatsApp delete messages in transit, or hold them until a new key is generated by the recipient?
“When a contact’s key changes, should WhatsApp require the user to manually verify the new key before continuing, or should WhatsApp display an advisory notification and continue without blocking the user?” Marlinspike asks. “Given the size and scope of WhatsApp’s user base, we feel that their choice to display a non-blocking notification is appropriate.”
The EFF said there is no backdoor or anything insecure about WhatsApp. “We are still a long way from building the perfect usable and secure messaging application, and WhatsApp, like all such applications, has to make tradeoffs,” wrote Joseph Bonneau, staff fellow, and Erica Portnoy, staff technologist, with the EFF.
Zdziarski agrees, also calling the way WhatsApp configured its client a compromise between security and usability.
Other secure messaging apps such as Telegram and Signal handle key changes in different ways. Signal, the messaging service offered by Open Whisper Systems, gives users more options when a key change occurs, erring on the side of “blocking” messages.
“Signal users are willing to tolerate lower reliability for more security. As anybody who’s used Signal extensively can probably attest, these types of edge cases add up and overall the app can seem less reliable,” Bonneau and Portnoy wrote.
The EFF points out that WhatsApp had to decide between configuring its client with default settings that favor usability and message reliability or risking confusion among its 1 billion users. Security-conscious WhatsApp users can tweak settings and ratchet up security at their own discretion.
“WhatsApp is not competing with Signal in the marketplace, but it does compete with many apps that are not end-to-end encrypted by default and don’t have to make these security trade-offs, like Hangouts, Allo, or Facebook Messenger… We applaud WhatsApp for giving end-to-end encryption to everyone whether they know it’s there or not,” Bonneau and Portnoy wrote.
Zdziarski agrees, adding, “In my opinion, this was a bad engineering decision (blocking versus non-blocking), but that does not a backdoor make.”