Messaging services like WhatsApp and Skype have become very popular with consumers and organizations. One of the key features of these services for customers is the ability to encrypt messages. Essentially, this means messages are protected from being intercepted and read. However, a new report suggests messages sent via WhatsApp could be intercepted through a backdoor.
The Guardian has published a report that describes the vulnerability as a “backdoor” that was identified by security researcher Tobias Boelter. He discovered the problem in April 2016 and reported it to Facebook, the owner of WhatsApp.
Facebook's reply was somewhat surprising because the social network described the backdoor as expected behavior. In other words, the company does not see it as a problem. Now The Guardian has rechecked for the backdoor and verified that it still exists.
As mentioned, end-to-end encryption is a much-praised feature of messaging services. Indeed, back in October, Microsoft's Skype was criticized for lacking encryption, while WhatsApp and similar services were praised by Amnesty International.
WhatsApp rolled out its end-to-end encryption, the Signal Protocol, last April. The service has been highly praised for maintaining the security of users and their messages. However, the service has kept the source code for the encryption closed, which means users have to take it on faith that their messages are locked.
The flaw identified by Boelter is within the Signal Protocol. Specifically, a part of the implementation allows the protocol to force new encryption keys for offline users. Boelter says this makes it possible for messages to be intercepted and opened.
Naturally, the company denies this is a problem. In fact, the company says this is a purposeful design decision that ensures messages do not get lost when a user is offline.
“The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a “backdoor” allowing governments to force WhatsApp to decrypt message streams. This claim is false,” said a company spokesperson in a statement sent to TechCrunch.
“WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report,” it added.