At a time when WhatsApp faced lawsuits in Brazil and even had its use blocked by the courts, we discussed how breaking its end-to-end encryption was possible, but only under very specific conditions. Now, a study from April 2016 reports that there is a security backdoor in WhatsApp, allowing user conversations to be intercepted by Facebook, the messenger's owner, as well as by government agencies.
You or I, as ordinary WhatsApp users, may not even feel the effects and severity of this discovery. However, we should not be pleased to learn that a service whose advertising is based on the safety and privacy of its users may be misleading us.
According to Tobias Boelter, an encryption and security researcher at the University of California, Facebook can read the messages users send because of the way WhatsApp's end-to-end encryption protocol is being used. Through a change in the encryption key sent to the user, WhatsApp could deliver message content to the courts or government agencies, for example.
The encryption protocol used by WhatsApp is Signal, developed by Open Whisper Systems. It is based on the generation of unique security keys. Only the users involved in a conversation hold these keys, so only they can decode the content of the conversation.
However, according to Boelter's study, WhatsApp has the ability to force the generation of new encryption keys for offline users without the sender or recipient necessarily being aware of it. (Remember when you switched phones or had to reinstall the WhatsApp app: at that moment you are considered "offline" by the service.) This is where the vulnerability of the system lies.
In this key change process, WhatsApp would have access to the conversations and could, in principle, read these messages if it wished. However, it is clear that the problem is not in the protocol used by WhatsApp, but in the way the company is using it.
If Signal were used as designed, when the recipient went offline during the conversation, the service would simply warn that the message could not be delivered, forcing the sender to rewrite it and send it again once the contact was back online.
In WhatsApp, however, this is an automatic process, and you and your contact will only know that it has happened if you enable the "Show security notifications" option (Settings > Account > Security). The app can therefore warn users when a security key changes, but the user needs to enable this alert in the app settings.
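As an added illustration (not code from WhatsApp, Signal or the original article), the following simplified Python model contrasts the two behaviours described above: a blocking client that refuses to re-send after a key change, and a non-blocking client that re-encrypts pending messages automatically. The class, key identifiers and message are constructed, and no real encryption is performed.

```python
# Simplified model (added example): how a sending client treats messages that
# are still undelivered when the recipient's key changes.
# No real cryptography: a "ciphertext" is just the pair (key_id, plaintext).
from dataclasses import dataclass, field

@dataclass
class Sender:
    policy: str                                  # "blocking" or "non_blocking"
    show_security_notifications: bool = False    # opt-in setting from the article
    trusted_key: str = "key-A"                   # constructed key identifier
    undelivered: list = field(default_factory=list)
    wire: list = field(default_factory=list)     # (key_id, plaintext) sent out
    alerts: list = field(default_factory=list)   # what the sender actually sees

    def send(self, text, recipient_online):
        self.wire.append((self.trusted_key, text))
        if not recipient_online:
            self.undelivered.append(text)

    def on_key_change(self, new_key):
        """The server announces a new key for the recipient."""
        if self.policy == "blocking":
            # Signal as designed: nothing is re-sent automatically; the
            # sender is told delivery failed and must resend manually.
            self.alerts.append(f"delivery failed: key changed to {new_key}")
            return
        # Behaviour described for WhatsApp: pending messages are re-encrypted
        # to the new key automatically; the alert appears only if opted in.
        self.trusted_key = new_key
        for text in self.undelivered:
            self.wire.append((new_key, text))
        self.undelivered.clear()
        if self.show_security_notifications:
            self.alerts.append(f"security code changed to {new_key}")

def readable_with(sender, key_id):
    """Plaintexts that a holder of key_id can decrypt from the wire."""
    return [text for k, text in sender.wire if k == key_id]

def run(policy, notify):
    s = Sender(policy, notify)
    s.send("meet at 6", recipient_online=False)  # constructed message
    s.on_key_change("key-B")                     # key the sender never verified
    return readable_with(s, "key-B"), s.alerts
```

In this model the opt-in notification changes only what the sender sees; the pending message has already been re-sent under the new key in both non-blocking cases.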
WhatsApp denies breach in encryption
In a statement to The Guardian, the newspaper that published the study's content, WhatsApp said it knew about this and stressed that users could be notified of changes to the encryption protocol. "We know the most common reason for this to happen (the security key exchange) is when a user changes their phone or reinstalls WhatsApp," the company spokesman said.
WhatsApp gives governments access
In contact with WhatsApp in Brazil, we received the following statement about the publication of the newspaper The Guardian:
"The English newspaper The Guardian published in its issue today (13/1) a report stating that an intentional setting made in WhatsApp programming to prevent millions of users of the app from losing their messages could be used as a "backdoor" that would allow governments to force WhatsApp to decipher user conversations.
WhatsApp would not give governments access to their systems and would fight any government request for such access to be created. The configuration cited by the English newspaper report prevents millions of messages from our users from being lost and WhatsApp offers security notifications to people to alert them to possible security risks. WhatsApp has published a technical review of its encryption project and has been transparent about the government requests it has received, posting data on those requests in the Facebook Government Request Report."
According to the newspaper, Boelter had informed Facebook about the vulnerability in April 2016, but the company had said the problem was "expected behavior" and was not actively being addressed. The newspaper itself says it verified the backdoor and that it still exists.
Finally, as I said above, perhaps the vast majority of WhatsApp's more than 1 billion users will not even take this issue seriously, but the vulnerability poses a huge threat to free speech, and would mainly harm people who use the platform as a secure means of communication in countries at war or in which there is no freedom of expression.
So a powerful tool for activists, dissidents and diplomats (as the English newspaper rightly notes) may be putting them at risk. However, WhatsApp denies that this is happening.