WhatsApp denies leaving backdoor to snoop on communications
WhatsApp, a popular messaging application that touts end-to-end encryption as one of its prime features, has denied deliberately leaving a backdoor that would let governments snoop on users' communications.
End-to-end encryption (E2EE) prevents anyone in the middle, including the company transmitting the messages, from reading them in transit: only the sender's and recipient's devices hold the keys. Demand for the feature skyrocketed after Edward Snowden revealed to the public that the US and its allies were conducting mass electronic surveillance worldwide.
WhatsApp is one of many applications that offer E2EE, having started rolling it out in November 2014 using Open Whisper Systems' acclaimed Signal protocol. Snowden himself has recommended the Signal app as a safe way to communicate.
However, the Guardian newspaper reported on Friday that WhatsApp has a backdoor that exposes its users to potential snooping. The issue lies in the way the application handles a change of a contact's encryption key, which normally happens when that party changes their device or SIM card, or reinstalls the app.
By default, the other party is not notified that the key has changed, although there is a setting to turn such notifications on. Any messages that were still undelivered because the recipient was offline are automatically re-encrypted with the new key and resent, without asking the sender.
If a malicious party were to take control of a WhatsApp server, it could announce a key change for the recipient, substitute a key it controls, and install itself as a relay point between the two parties. The queued messages, re-encrypted to the attacker's key and resent automatically, would be readable immediately, and anything sent afterwards would go to the attacker's key until the substitution was noticed. Messages that had already been delivered under the old key are not retroactively exposed. With key-change notifications left at their default (off), the sender would have no indication that anything had happened, short of comparing security codes with the other party out of band.
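The behaviour described above, as an added example that is not WhatsApp's or Signal's code: a toy model of a sender-side client that holds undelivered messages, learns of a recipient key change from the server, and either re-encrypts and resends silently (the default the article describes) or blocks until the user has accepted the new key. The Diffie-Hellman parameters (a 127-bit Mersenne prime, generator 3) and the HMAC-based stream cipher are deliberately minimal so the block runs with the standard library only and are not secure; the class and function names (`Peer`, `Client`, `run_scenario`) are invented for this illustration. A compromised server hands the sender Mallory's public key in place of Bob's, and the scenario reports what Mallory can then read.

```python
"""Toy model of a messaging client's handling of a recipient key change.

Added illustration, not code from WhatsApp or the Signal protocol. The crypto
here is a stand-in with insecure toy parameters; the point is the client policy.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1  # toy DH modulus (Mersenne prime M127); NOT a secure group size
G = 3               # toy generator


def kdf(shared: int) -> bytes:
    """Derive a 32-byte session key from the DH shared secret (toy KDF)."""
    return hashlib.sha256(b"toy-session" + shared.to_bytes(16, "big")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter keystream XORed over data (toy cipher, no integrity)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Peer:
    """One device holding an identity keypair. A reinstall is a new Peer."""

    def __init__(self, name: str):
        self.name = name
        self.secret = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.secret, P)

    def session_key(self, other_public: int) -> bytes:
        return kdf(pow(other_public, self.secret, P))

    def decrypt(self, sender_public: int, ciphertext: bytes) -> bytes:
        return keystream_xor(self.session_key(sender_public), ciphertext)


class Client:
    """Sender-side state: the recipient key trusted on first use, an outbox of
    undelivered messages, and the policy applied when the server announces a
    key change. `notify` models the off-by-default security notification."""

    def __init__(self, me: Peer, recipient_public: int,
                 block_on_key_change: bool, notify: bool):
        self.me = me
        self.recipient_public = recipient_public
        self.block_on_key_change = block_on_key_change
        self.notify = notify
        self.pending_public = None   # new key awaiting user approval (strict policy)
        self.outbox = []             # plaintexts queued while the recipient is offline
        self.delivered = []          # (recipient key used, ciphertext) that left the device
        self.user_alerts = []        # what the user actually gets to see

    def queue(self, plaintext: bytes) -> None:
        self.outbox.append(plaintext)

    def flush(self) -> None:
        """Encrypt everything queued to the currently trusted key and send it."""
        key = self.me.session_key(self.recipient_public)
        for pt in self.outbox:
            self.delivered.append((self.recipient_public, keystream_xor(key, pt)))
        self.outbox.clear()

    def server_says_key_changed(self, new_public: int) -> str:
        """Server-announced key change: the security-relevant decision point."""
        if new_public == self.recipient_public:
            return "no change"
        if self.notify:
            self.user_alerts.append("security code changed")
        if self.block_on_key_change:
            # Strict policy: hold the queue until the user accepts the new key.
            self.pending_public = new_public
            return "blocked"
        # Permissive policy (the article's description): trust the new key and
        # re-encrypt and resend the queue, silently when notifications are off.
        self.recipient_public = new_public
        self.flush()
        return "resent"


def run_scenario(block_on_key_change: bool, notify: bool):
    """Constructed scenario: one message delivered to Bob, two queued while he is
    offline, then a compromised server swaps in Mallory's key."""
    alice, bob, mallory = Peer("alice"), Peer("bob"), Peer("mallory")
    client = Client(alice, bob.public, block_on_key_change, notify)
    client.queue(b"already delivered")
    client.flush()                      # sent under Bob's real key
    client.queue(b"meet at 9")
    client.queue(b"bring the docs")     # undelivered: Bob is offline
    outcome = client.server_says_key_changed(mallory.public)
    # Only ciphertexts encrypted to Mallory's key are readable by Mallory.
    leaked = [mallory.decrypt(alice.public, ct)
              for pub, ct in client.delivered if pub == mallory.public]
    bob_reads = [bob.decrypt(alice.public, ct)
                 for pub, ct in client.delivered if pub == bob.public]
    return outcome, leaked, bob_reads, list(client.user_alerts), len(client.outbox)


if __name__ == "__main__":
    for policy in ((False, False), (False, True), (True, True)):
        print(policy, run_scenario(*policy))
```

With the permissive policy and notifications off, both queued messages are exposed and the user sees nothing; turning notifications on surfaces an alert but does not stop the resend. The blocking policy keeps the queue on the device until the user has acted, which is the check a practitioner would want before any message is encrypted to a key the server merely asserted. The message delivered before the key change remains readable only by Bob.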