At issue is the way the app behaves when an end user’s encryption key changes.
The Guardian roiled security professionals everywhere on Friday when it published an article claiming a backdoor in Facebook’s WhatsApp messaging service allows attackers to intercept and read encrypted messages. It’s not a backdoor—at least as that term is defined by most security experts. Most would probably agree it’s not even a vulnerability. Rather, it’s a limitation in what cryptography can do in an app that caters to more than 1 billion users.
At issue is the way WhatsApp behaves when an end user’s encryption key changes. By default, the app will use the new key to encrypt messages without ever informing the sender of the change. By enabling a security setting, users can configure WhatsApp to notify the sender that a recently transmitted message used a new key.
Critics of Friday’s Guardian post, and most encryption practitioners, argue such behavior is common in encryption apps and often a necessary requirement. Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread.
Tobias Boelter, a Ph.D. candidate researching cryptography and security at the University of California at Berkeley, told the Guardian that the failure to obtain a sender’s explicit permission before using the new key challenged the often-repeated claim that not even WhatsApp or its owner Facebook can read encrypted messages sent through the service. He first reported the weakness to WhatsApp last April. In an interview on Friday, he stood by the backdoor characterization.
“At the time I discovered it, I thought it was not a big deal… and they will fix it,” he told Ars. “The fact that they still haven’t fixed it yet makes me wonder why.”
A tale of two encrypted messaging apps
Boelter went on to contrast the way WhatsApp handles new keys with the procedure used by Signal, a competing messaging app that uses the same encryption protocol. Signal allows a sender to verify a new key before using it. WhatsApp, on the other hand, by default trusts the new key with no notification—and even when that default is changed, it notifies the sender of the change only after the message is sent.
Moxie Marlinspike, developer of the encryption protocol used by both Signal and WhatsApp, defended the way WhatsApp behaves.
“The fact that WhatsApp handles key changes is not a ‘backdoor,’” he wrote in a blog post. “It is how cryptography works. Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.”
He went on to say that, while it’s true that Signal, by default, requires a sender to manually verify keys and WhatsApp does not, both approaches have potential security and performance drawbacks. For instance, many users don’t understand how to go about verifying a new key and may turn off encryption altogether if it prevents their messages from going through or generates error messages that aren’t easy to understand. Security-conscious users, meanwhile, can enable security notifications and rely on a “safety number” to verify new keys. He continued:
Given the size and scope of WhatsApp’s user base, we feel that their choice to display a non-blocking notification is appropriate. It provides transparent and cryptographically guaranteed confidence in the privacy of a user’s communication, along with a simple user experience. The choice to make these notifications “blocking” would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn’t, effectively telling the server who it could MITM transparently and who it couldn’t; something that WhatsApp considered very carefully.
Even if others disagree about the details of the UX, under no circumstances is it reasonable to call this a “backdoor,” as key changes are immediately detected by the sender and can be verified.
In an interview, Marlinspike said Signal was in the process of moving away from strictly enforced blocking. He also said that WhatsApp takes strict precautions to prevent its servers from knowing which users have enabled security notifications, making it impossible for would-be attackers to target only those who have them turned off.
Boelter theorized that the lack of strict blocking could most easily be exploited by people who gain administrative control over WhatsApp servers, say, a government entity that obtains a court order. The attacker could then change the encryption key for a targeted phone number. By default, WhatsApp will use the imposter key to encrypt messages without ever warning the receiver of the crucial change. If the targeted phone is made temporarily unavailable over the network for a period of hours or days, messages sent during that time will be stored in a queue. Once the phone becomes available again, the messages will be encrypted with the new attacker-controlled key.
Of course, there are some notable drawbacks that make such an attack scenario highly problematic from the standpoint of most attackers. For the attack to work well, it would require control of a WhatsApp server, which is something most people would consider extraordinarily difficult to do. Absent control over a WhatsApp server, an attack would require abusing something like the SS7 routing protocol for cellular networks to intercept SMS messages. But even then, the attacker who wanted to acquire more than a single message would have to figure out a way to make the targeted phone unavailable over the network before impersonating it. What’s more, it wouldn’t be hard for the sender to eventually learn of the interception, and that’s often a deal-breaker in many government surveillance cases. Last, the attack wouldn’t work against encrypted messages stored on a seized phone.
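The two key-change policies contrasted above, applied to the queued-message case Boelter describes, as a simplified sender-side model. This is an added example, not code from WhatsApp, Signal or the article; the `Sender` class, the truncated SHA-256 `fingerprint` (a stand-in for a safety number) and the sample keys are assumptions, and no real encryption is performed.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(key: bytes) -> str:
    # Simplified stand-in for a safety number: a short digest compared out of band.
    return hashlib.sha256(key).hexdigest()[:12]

@dataclass
class Sender:
    blocking: bool               # True: hold messages until a changed key is verified
    notify: bool = False         # the optional security-notification setting
    trusted: dict = field(default_factory=dict)  # contact -> last accepted key
    queue: list = field(default_factory=list)    # (contact, text) not yet delivered
    events: list = field(default_factory=list)   # notices shown to the sender

    def deliver(self, contact: str, server_key: bytes) -> list:
        """Recipient is reachable again; server_key is what the server now reports."""
        known = self.trusted.get(contact)
        changed = known is not None and known != server_key
        if changed and self.blocking:
            self.events.append(f"held: key for {contact} changed, verify {fingerprint(server_key)}")
            return []
        # Each queued message is recorded with the fingerprint of the key it is sealed to.
        sealed = [(text, fingerprint(server_key)) for c, text in self.queue if c == contact]
        self.queue = [(c, t) for c, t in self.queue if c != contact]
        self.trusted[contact] = server_key
        if changed and self.notify:  # non-blocking: the notice arrives after sending
            self.events.append(f"sent, then notified: key for {contact} changed")
        return sealed

    def verify(self, contact: str, server_key: bytes, out_of_band_fp: str) -> list:
        """Blocking mode: release held messages only if the fingerprints match."""
        if fingerprint(server_key) != out_of_band_fp:
            self.events.append(f"rejected: fingerprint mismatch for {contact}")
            return []
        self.trusted[contact] = server_key
        return self.deliver(contact, server_key)

def scenario(blocking: bool, notify: bool):
    old_key, new_key = b"constructed-key-1", b"constructed-key-2"  # constructed sample keys
    s = Sender(blocking=blocking, notify=notify, trusted={"bob": old_key})
    s.queue += [("bob", "msg 1"), ("bob", "msg 2")]  # sent while bob was unreachable
    return s, s.deliver("bob", new_key), new_key
```

With `blocking=False, notify=False` the queued messages go out under the new key and the sender sees nothing; turning `notify` on records the change only after they are sent; with `blocking=True` nothing leaves until `verify` is given a matching fingerprint.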
In a statement, WhatsApp officials wrote:
WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.
Ultimately, there’s little evidence of a vulnerability and certainly none of a backdoor—which is usually defined as secret functionality for defeating security measures. WhatsApp users should strongly consider turning on security notifications by accessing Settings > Account > Security.