January 13, 2017
By definition, “a backdoor is a feature or defect of a computer system that allows surreptitious unauthorized access to data,” whether the backdoor sits in the encryption algorithm, in a server, or in an implementation, and regardless of whether it has previously been used.
Yesterday, we published a story based on findings reported by security researcher Tobias Boelter that suggests WhatsApp has a backdoor that “could allow” an attacker, and of course the company itself, to intercept your encrypted communication.
The story, involving the world’s largest secure messaging platform with over a billion users worldwide, went viral within a few hours, attracting reactions from security experts, the WhatsApp team, and Open Whisper Systems, which partnered with Facebook to implement end-to-end encryption in WhatsApp.
Note: I would request readers to read the complete article before reaching a conclusion. And also, suggestions and opinions are always invited 🙂
What’s the Issue:
The vulnerability lies in the way WhatsApp behaves when an end user’s encryption key changes.
WhatsApp, by default, trusts a new encryption key broadcast by a contact, uses it to re-encrypt any undelivered messages, and sends them, without informing the sender of the change.
In my previous article, I explained this vulnerability with a simple example; read that article for a fuller understanding.
Facebook itself admitted to this WhatsApp issue reported by Boelter, saying that “we were previously aware of the issue and might change it in the future, but for now it’s not something we’re actively working on changing.”
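The behaviour described above comes down to a client-side policy decision: what a messaging client does with its queue of undelivered messages when the server announces a new key for a contact. The following model, written for this article as an added illustration and not WhatsApp’s or Signal’s code, compares the silent auto-trust behaviour with two defensive alternatives (notify the sender, or hold the queue until the sender verifies the new fingerprint). Encryption is modelled only by recording which key fingerprint a message was encrypted to; the key material, contact names and policy names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


def fingerprint(pubkey: bytes) -> str:
    """Short identifier for a public key (stand-in for a safety number)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class KeyChangePolicy(Enum):
    AUTO_TRUST_SILENT = "auto_trust_silent"        # default behaviour the article describes
    NOTIFY_AND_RESEND = "notify_and_resend"        # resend, but surface a notification
    BLOCK_UNTIL_VERIFIED = "block_until_verified"  # hold messages until the sender verifies


@dataclass
class Envelope:
    """A queued message; to_fingerprint records which key it was encrypted to (modelled)."""
    recipient: str
    to_fingerprint: str
    body: str


@dataclass
class Client:
    policy: KeyChangePolicy
    trusted_keys: dict = field(default_factory=dict)          # contact -> fingerprint
    outbox: list = field(default_factory=list)                # undelivered envelopes
    notifications: list = field(default_factory=list)         # what the user was told
    pending_verification: dict = field(default_factory=dict)  # contact -> new fingerprint

    def learn_key(self, contact: str, pubkey: bytes) -> None:
        """First contact: trust on first use."""
        self.trusted_keys[contact] = fingerprint(pubkey)

    def send(self, contact: str, body: str) -> Envelope:
        """Encrypt (modelled) to the currently trusted key and queue for delivery."""
        env = Envelope(contact, self.trusted_keys[contact], body)
        self.outbox.append(env)
        return env

    def on_key_change(self, contact: str, new_pubkey: bytes) -> str:
        """The server reports a new key for `contact`; apply the configured policy."""
        old_fp = self.trusted_keys.get(contact)
        new_fp = fingerprint(new_pubkey)
        if old_fp is None:
            self.learn_key(contact, new_pubkey)
            return "learned"
        if old_fp == new_fp:
            return "unchanged"
        if self.policy is KeyChangePolicy.BLOCK_UNTIL_VERIFIED:
            # Keep the old key: queued messages are neither re-encrypted nor resent.
            self.pending_verification[contact] = new_fp
            self.notifications.append(f"{contact}: key changed, verify before sending")
            return "held"
        # Both remaining policies trust the new key and re-encrypt the queue to it.
        self._accept_key(contact, old_fp, new_fp)
        if self.policy is KeyChangePolicy.NOTIFY_AND_RESEND:
            self.notifications.append(f"{contact}: key changed, queued messages resent")
            return "re-encrypted with notification"
        return "re-encrypted silently"

    def verify_key(self, contact: str) -> bool:
        """User confirmed the new fingerprint out of band; release held messages."""
        new_fp = self.pending_verification.pop(contact, None)
        if new_fp is None:
            return False
        self._accept_key(contact, self.trusted_keys.get(contact), new_fp)
        return True

    def _accept_key(self, contact: str, old_fp, new_fp: str) -> None:
        self.trusted_keys[contact] = new_fp
        for env in self.outbox:
            if env.recipient == contact and env.to_fingerprint == old_fp:
                env.to_fingerprint = new_fp  # modelled re-encryption to the new key


def run_scenario(policy: KeyChangePolicy):
    """Constructed scenario: Alice queues a message for Bob, then Bob's key changes."""
    alice = Client(policy)
    alice.learn_key("bob", b"bob-key-v1")  # constructed sample key material
    alice.send("bob", "meet at 9")
    action = alice.on_key_change("bob", b"bob-key-v2")
    return alice, action


if __name__ == "__main__":
    for policy in KeyChangePolicy:
        client, action = run_scenario(policy)
        print(policy.value, "->", action, "| queued to:", client.outbox[0].to_fingerprint,
              "| notifications:", client.notifications)
```

Under AUTO_TRUST_SILENT the queued message ends up encrypted to whatever key the server last announced and the sender sees nothing, which is the property the article is discussing; the other two policies make the key change visible, and BLOCK_UNTIL_VERIFIED additionally keeps the message off the wire until the sender has checked the new fingerprint.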
What Experts argued:
According to some security experts — “It’s not a backdoor, rather it’s a feature to avoid unnecessary re-verification of encryption keys upon automatic regeneration.”
Open Whisper Systems says — “There is no WhatsApp backdoor,” “it is how cryptography works,” and the MITM attack “is endemic to public key cryptography, not just WhatsApp.”
A spokesperson from WhatsApp, acquired by Facebook in 2014 for $16 billion, says — “The Guardian’s story on an alleged backdoor in WhatsApp is false. WhatsApp does not give governments a backdoor into its systems. WhatsApp would fight any government request to create a backdoor.”
What’s the fact:
Notably, neither the security experts nor the company has denied that, if required, WhatsApp (on a government request) or state-sponsored hackers can intercept your chats.
All they have to say is that WhatsApp is designed to be simple, and that users should not lose access to messages sent to them when their encryption key changes.
Open Whisper Systems (OWS) criticized the Guardian’s reporting in a blog post, saying, “Even though we are the creators of the encryption protocol supposedly “backdoored” by WhatsApp, we were not asked for comment.”