A serious vulnerability is discovered in Whatsapp’s end-to-end encryption that allows allow Facebook and others to intercept and read encrypted messages. The reason for the flaw is improper encryption key management and there are further details on the story here. Here to comments on this story is security experts from ZoneFox, RES, Venafi, ZoneFox, RES, Thales e-Security, Varonis, Echoworx, AlienVault, ESET, Digital Guardian and Positive Technologies.
Dr. Jamie Graves, CEO, ZoneFox:
In the digital age we live in, one should always assume nothing is secure. In this case, not even WhatsApp – which took considerable steps to promote the fact its messaging software was protected to the hilt from any infiltration.
“While a lot of the focus of this latest revelation will be on the personal implications for billions of WhatsApp users, businesses should also be extremely concerned. In today’s world, many work related topics – often highly sensitive and at the highest levels are shared on the platform. It now appears there has been a host of information available to anyone with the know how to get hold of it, we can only ponder as to whether any breaches have taken place and if they have what levels of sensitive data have been taken. Furthermore, the advent and soaring popularity of WhatsApp desktop, now means millions of employees actually use the software on company devices, providing a potentially open gate to highly sensitive company servers and information.
This vulnerability must serve as a severe warning to businesses to be as vigilant as possible and pay close attention to the security dangers that lurk in the least obvious places, within their organisation.”
Jason Allaway, VP of UK & Ireland, RES:
The issue with this weakness is clear when Whatsapp is used within a business setting. In many organisations it acts as a shadow IT application – one not officially sanctioned or vetted by the organisation, but still used by staff – even perhaps the CEO. Many coworkers use the application on both desktop and mobile to quickly get in touch with each other and discuss issues that need urgently attending to. It’s not those pictures of your cousin’s birthday party that potential threats are interested in, but those rough financial figures you wanted to double check with accounts makes for very interesting reading.
A combination of security, self-service and automation needs to be employed by forward-thinking organisations to give their employees comparative alternatives to Whatsapp – alternatives that can be checked, approved and easily served to workers that want speedy, secure communication.
Commenting on this, David Gibson, VP of strategy and market development at Varonis, said “We laugh when high profile individuals like President-Elect Trump say we should communicate sensitive data with paper and pen, but in an age of daily data breaches, consumers need to assume their communications won’t remain private for long. Even with applications like WhatsApp that claim no one can snoop on their users’ communications may open themselves up to vulnerabilities through inadvertent or purpose built backdoors. Constant vigilance is the name of the game for consumers and for brands like Facebook to protect the best interests of their customers.
Jacob Ginsberg, Senior Director, Echoworx:
Whatsapp has been instrumental in ‘consumerising’ encryption to educate the public about the improper attempts from governments and law enforcements to weaken the technology and snoop on our conversations in the interest of national security. But it would appear its promise of fast, reliable and secure communication is not as authentic as first thought. Having a security backdoor that forces the generation of new encryption keys is bad enough. But not making the recipient aware of this change is highly unethical. It calls into question the security, privacy and credibility of the entire service and the business. The fact that Facebook has known about this vulnerability since April is doubly damming. Not only could this be seen by many as supporting on-going government data collection interventions, it means their talk of encryption and privacy has been nothing more than lip service. The company needs to actively address its security measures.
These revelations add to the severe lack of clarity around encryption backdoors, most recently brought about by the IP Bill. While we know consumers are willing to trade their personal information for access to seemingly free services such as WhatsApp, now is the time to ask the question “at what cost to personal privacy?” and start taking privacy more seriously.
Thomas Fischer, Threat Researcher and Security Advocate, Digital Guardian:
The WhatsApp encryption protocol is based on Open Whisper Systems’ signal protocol. This protocol was developed with security in mind: it uses end-to-end encryption, where only the recipient and sender have the keys to unlock their messages. In theory, this is very secure – but only if the protocol is implemented correctly. And here is where the most of the issues around encryption reside.
“You need both secure development protocols and some kind of oversight to make sure that encryption APIs and solutions like Signal, AES, or PKI are properly implemented. If they’re not, companies make themselves far more vulnerable to Man In The Middle attacks. It’s not clear whether Facebook (as owner of WhatsApp) intentionally left the backdoor “unlocked” – perhaps in order to avoid legal issues in countries they do business with – or whether this was an error.”
Jon Geater, CTO, Thales e-Security:
These claims aren’t nearly as concerning as they first appear. Indeed, there is almost no hack here. One might argue that WhatsApp has elected to provide an insecure default configuration but the tools are there to close the gap.
“Users who care about the authorities intercepting their messages are quite likely to turn on security notifications, and then the problem is almost entirely diminished. For relatively normal users in a relatively normal situation that’s all it takes to know if you are being intercepted.
“In the case of dissidents or other vulnerable people with a real reason to distrust central authorities then more elaborate operational security practices and communications protocols are needed. Just as in-band code words or signals can be used to indicate that the person you are talking to is under duress, an understanding of the way WhatsApp implements Signal would mean you would also agree a way to understand that a user really has changed their device rather than the government intercepting your communications.
“This may not be entirely convenient but serious complex problems often call for serious complex answers. As with any technology, if you’re going to trust your life to it, it’s probably best to read the manual first and find out where the limitations are.
“There is almost no problem here – it’s just another example of how a single technology is not the magic that makes all your problems go away. You still have to choose the right tools for the job and use them correctly.
Mark James, IT Security Specialist, ESET:
Not everyone will use WhatsApp because it has end-to-end encryption, some will use it because that’s what their other social contacts use and they will want to communicate or be available. But for some, the choice of what we use is strongly governed by its ability to encrypt or protect our data. One of the biggest problems for all these apps is that we have to believe that what the supplier states is true, after all most don’t understand what end-to-end encryption actually means, just that it’s safer to use it if you don’t want someone else reading or accessing your private data. If WhatsApp state “When end-to-end encrypted, your messages and calls are secured so only you and the person you’re communicating with can read or listen to them, and nobody in between, not even WhatsApp” then that should be the case, 100% of the time, not sometimes or mostly. Could governments read your private messages sent through WhatsApp? Yes, in certain conditions they could have access to that information, it all boils down to what you use WhatsApp for. If you use it because the end-to-end encryption will keep your messages safe from “anyone” reading them at any time then you should choose another product that can guarantee that 100% of the time. If not then continue using it but be aware that it’s not totally private as you thought.
Kevin Bocek, Chief Cybersecurity Strategist, Venafi:
The potential for governmental abuses from this misuse of encryption with WhatsApp is alarming. This is a serious vulnerability – WhatsApp needs to know how keys are protected in order to keep the global communications of over a billion users safe and private. This potential gap in security is a reminder for businesses of the power of cryptographic keys and how a lack of knowledge regarding their use can have serious consequences. Systems need to be in place to protect and change keys quickly, as and when needed. This is critical at a time when governments worldwide are attempting to break down and intrude on the use of encryption to protect privacy – what has become a basic right for both people and machines worldwide.
Javvad Malik, Security Advocate, AlienVault:
Any vulnerability in end-to-end encryption can be exploited by several actors including government agencies. It’s near impossible to have a vulnerability that is only exploitable by only a subset of attackers – therefore, it is in everyone’s best interest that systems are designed and implemented as securely as possible.”
Alex Mathews, Lead Security Evangelist EMEA, Positive Technologies:
If WhatsApp hides such a security hole behind the ‘feature’ mask, this is a bad policy for a popular public service. But should you actually care?
“Don’t think that your WhatsApp conversations were safe and totally private without the backdoor. Even if a developer or manufacturer refuses to give access to state agencies, they can still get it using zero-day vulnerability exploits, as was proven with Firefox vulnerabilities for TOR user de-anonymisation or zero-day exploits to unlock iPhones.
“If you are really concerned about privacy, if you need to keep commercial or state secrets – why are you even using WhatsApp (or any 3d-party application) for messaging?
“It is said that WhatsApp applies end-to-end encryption. But in fact, real end-to-end encryption is when my encryption key is known to me and my recipient only, when I can change that key or block it. But with WhatsApp, what do we really know about those keys? Only the things WhatsApp tell us…
“Besides, WhatApp servers can upload all the messages from your phone (you can see that feature in the web version of WhatsApp). Since most web hosting companies provide the required data to law enforcement, the feds can use this web-archiving feature anytime. No need for a backdoor, ever again!”
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
