The government, it turns out, could intercept WhatsApp texts if it wanted to, a new report revealed a few days ago, even though Facebook’s most popular chat app is end-to-end encrypted. Some people have called this feature an encryption backdoor, while Facebook and WhatsApp have defended against such claims, saying that the vulnerability is actually a convenience feature for users.
Tobias Boelter, the person who figured out the WhatsApp hack, wrote an extensive piece in The Guardian in which he explains why the security issue should concern users, especially those people who’d be presumed targets of government surveillance.
The security issue (or feature) takes advantage of a few WhatsApp features.
First of all, when a message is sent but not delivered to the recipient (you see a single tick on your sent message), WhatsApp servers will hold onto the message until it can be delivered, regardless of what happens to the receiving account.
Secondly, if a person — let’s call him Jay — loses a smartphone, buys a new one, or changes SIMs, but wants to keep using the same WhatsApp account, the application will warn all Jay’s contacts that their friend has changed devices, and an in-person security check might be required to verify his identity.
Now, here’s where the backdoor/feature steps in. The messages sent by all of Jay’s friends via WhatsApp will still arrive — that’s when his friends will see two ticks under their sent messages, marking the fact that the messages have been sent.
Boelter explains that all the government has to do to spy on a specific friend of Jay’s — let’s call him Silent Bob — is to impersonate Jay’s phone using sophisticated equipment or by accessing WhatsApp’s servers. The government would then prevent the server from sending confirmation ticks to Silent Bob that his messages have been sent to Jay.
Jay, meanwhile, will not receive those messages, as they’re sent to the government’s devices. But Jay might soon realize that something is wrong with his WhatsApp app.
The gist is that Silent Bob will continue to send out messages to his friend, thinking that Jay has not seen the messages. The government would then collect that data.
The security researcher argues that Facebook and WhatsApp would have to retain all messages sent to an account that’s activated on a new device and prompt the senders to send them again if they want to, even if that’s a hassle for the user who sent those messages. In this case, Silent Bob’s messages that are in transit would need confirmation before being sent again to Jay.
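The difference between the two behaviours, automatic resend versus confirmation before resend, can be modelled in a few lines. This is an added example, not code from WhatsApp or from Boelter; the class, method and key names are hypothetical, and keys are plain labels rather than real cryptography.

```python
from dataclasses import dataclass, field

@dataclass
class Sender:
    """Toy model of a sending client (Silent Bob). Not WhatsApp code."""
    trusted_key: str               # recipient key the sender currently encrypts to
    confirm_on_key_change: bool    # False: resend automatically; True: ask the user first
    pending: list = field(default_factory=list)  # single tick: sent, not yet delivered
    held: list = field(default_factory=list)     # waiting for the user's confirmation
    wire: list = field(default_factory=list)     # (key, text): text encrypted to that key

    def send(self, text):
        self.wire.append((self.trusted_key, text))
        self.pending.append(text)

    def on_key_change(self, new_key):
        """The server reports that the recipient's account now uses new_key."""
        undelivered, self.pending = self.pending, []
        if self.confirm_on_key_change:
            self.held.extend(undelivered)   # nothing is re-encrypted yet
            return
        self.trusted_key = new_key          # new key accepted without verification
        for text in undelivered:
            self.send(text)

    def confirm_new_key(self, new_key):
        """The user has verified new_key and agrees to send the held messages again."""
        self.trusted_key = new_key
        held, self.held = self.held, []
        for text in held:
            self.send(text)

def readable_with(sender, key):
    """Messages that whoever holds the private half of `key` can decrypt."""
    return [text for k, text in sender.wire if k == key]

def scenario(confirm):
    # Constructed sample: the delivery tick never arrives, then the key changes.
    bob = Sender(trusted_key="JAY_OLD_KEY", confirm_on_key_change=confirm)
    bob.send("meet at 6")
    bob.on_key_change("UNVERIFIED_KEY")
    return bob

if __name__ == "__main__":
    for confirm in (False, True):
        bob = scenario(confirm)
        print(confirm, readable_with(bob, "UNVERIFIED_KEY"), bob.held)
```

With confirmation enabled, the undelivered message stays on the sender's device until the new key has been checked, which is the behaviour the researcher asks for.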
In practice, the government would not be able to snoop on messages, see histories, and access other data in real time. And it would have to be incredibly lucky to score insightful information this way.
Still, Boelter proved that WhatsApp’s end-to-end encryption can be fooled. A video showing the hack follows below, while Boelter’s extensive explanation is available over here.