WhatsApp has picked up in 2017 where it finished in 2016, fighting another potential PR disaster as researchers claim there is a security backdoor in its encryption.
The encryption used by the messaging platform has been one of the more prominent marketing messages put forward by the team, though Tobias Boelter, a cryptography and security researcher at the University of California, claims to have found a backdoor, according to the Guardian. Boelter believes the company can in fact read messages sent on the platform through a backdoor written into the software, and that this could potentially be exploited by others as well.
WhatsApp has long appealed to the security-conscious by promoting end-to-end encryption as one of its main features, even explicitly stating the degree of privacy on its website:
“This end-to-end encryption protocol is designed to prevent third parties and WhatsApp from having plaintext access to messages or calls. What’s more, even if encryption keys from a user’s device are ever physically compromised, they cannot be used to go back in time to decrypt previously transmitted messages.”
Boelter claims WhatsApp has the ability to force the generation of new encryption keys for offline users, making the sender re-encrypt any messages that have not been marked as delivered with the new keys and send them again. The sender is not made aware of this, and the recipient is only made aware if they have opted in to encryption warnings in settings. This process allows WhatsApp to intercept and read users’ messages, negating the value of end-to-end encryption.
This ‘fault’ doesn’t appear to be down to the software, which was developed by Open Whisper Systems, but to the way it has been implemented by the WhatsApp team. When a user is offline, the message is automatically resent, which generates the new encryption key and thus the backdoor. Boelter informed parent company Facebook of the flaw, but was told it wasn’t being actively worked on. The Guardian has since confirmed the backdoor is still open, and has had the claims verified by other experts in the field.
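The resend behaviour described above comes down to what the sending client does with undelivered messages when it is told the recipient has a new key. The following Python model is an added example, not code from WhatsApp or Open Whisper Systems; the class names, the key labels and the `hold_until_confirmed` policy are assumptions made for illustration, and no real cryptography is performed.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    text: str
    encrypted_for: str      # label of the recipient key the message was encrypted to
    delivered: bool = False

@dataclass
class Sender:
    policy: str             # "auto_resend" (behaviour the article describes) or
                            # "hold_until_confirmed" (assumed stricter alternative)
    trusted_key: str
    outbox: list = field(default_factory=list)
    held: list = field(default_factory=list)

    def send(self, text, delivered):
        self.outbox.append(Message(text, self.trusted_key, delivered))

    def on_key_change(self, new_key):
        """Server announces a new recipient key; return texts re-encrypted to it."""
        pending = [m for m in self.outbox if not m.delivered]
        if self.policy == "hold_until_confirmed":
            self.held = pending          # nothing leaves until the user accepts the key
            return []
        self.trusted_key = new_key       # new key accepted without any confirmation
        for m in pending:
            m.encrypted_for = new_key
        return [m.text for m in pending]

    def confirm_key(self, new_key):
        """User has verified the new key; release the held messages."""
        self.trusted_key = new_key
        released, self.held = self.held, []
        for m in released:
            m.encrypted_for = new_key
        return [m.text for m in released]

def run(policy):
    # Constructed sample traffic: one delivered message, two still undelivered.
    s = Sender(policy, trusted_key="KEY-A")
    s.send("hello", delivered=True)
    s.send("meet at 6", delivered=False)
    s.send("bring the file", delivered=False)
    return s, s.on_key_change("KEY-B")

if __name__ == "__main__":
    for policy in ("auto_resend", "hold_until_confirmed"):
        print(policy, "->", run(policy)[1])
```

Only messages not yet marked as delivered are affected in either policy; the difference is whether they are re-encrypted to the announced key before anyone has had a chance to check it.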
Overall, the report will not be welcomed by the WhatsApp team, many of whom have been fighting PR battles for months following the announcement that it would be sharing its data with parent company Facebook. Those activities managed to turn many consumers, privacy advocates and governments around the world against the brand, and they are still going, after the WhatsApp team was accused of using creative language to disguise the fact that it is continuing the data sharing policy.
Many of the WhatsApp team would have returned to the office this January hoping the PR firefighting days would be relegated to 2016, though it would appear it is just a case of business as usual with this latest revelation.