January 16, 2017 | Ed Johnson-Williams

Let's save 'backdoor' for the real thing

The Guardian reported on Friday last week that WhatsApp - owned by Facebook - has a “backdoor” that “allows snooping on encrypted messages”. The report was based on research by Tobias Boelter, published in April 2016. The Guardian has since changed the word "backdoor" in its article to "vulnerability" or "security vulnerability".

A few days before the Guardian article was published, the journalist contacted ORG for a quote. She couldn’t discuss the details of the alleged security flaw so we gave a generic quote about the importance of transparency from companies that offer end-to-end encryption and the dangers to encryption within the Investigatory Powers Act.

The vulnerability that was reported theoretically works like this. Say Ed is texting his dad on WhatsApp.

  1. Ed texts his dad on WhatsApp and his dad texts back - all good, happy families.
  2. Then Ed texts his dad again but his dad’s phone is off. Ed's message is still on Ed’s phone waiting to be sent.
  3. WhatsApp or somebody else with access to WhatsApp's servers registers Ed’s dad’s mobile number with WhatsApp on a different phone. This could be done by stealing Ed’s dad's SIM card or using vulnerabilities in the mobile phone network to re-route SMS confirmations.
  4. Ed's WhatsApp app now sees the number that used to be linked to his dad’s phone is active again and automatically re-sends the message.
  5. The new phone receives the message that Ed intended to send to his dad. The message never reaches Ed’s dad’s phone.
  6. Depending on whether a non-default setting is enabled, Ed may receive a notification saying that his dad’s security code has changed because he reinstalled WhatsApp or switched phones.

This means that somebody collaborating with WhatsApp could theoretically read a small number of messages. This is very unlikely though and would be very easy to detect. This is not a backdoor that WhatsApp can use for routine access to users’ messages. And unless an app forces you to verify encryption keys with someone before you can send and receive messages with them, and also whenever they change their phone, then this vulnerability is going to be present.

WhatsApp have made an intentional decision about usability. It means that - in the example given above - if Ed’s dad’s phone was off because it was broken, Ed’s dad could put his SIM card into a new phone and still receive the messages without anyone having to change anything.

It would be incredibly difficult for WhatsApp to use the vulnerability to read messages this way at scale without gaining a terrible reputation for not delivering messages. Lots of people would receive a notification saying that the security key of many of their intended recipients had changed. Messages would go missing. The risk to the company of actively tampering with someone's message stream is very high and would be very complicated to get right. And if you’re worried about law enforcement, they have other ways (such as hacking the phone) to target an individual WhatsApp user’s messages that would be cheaper, quicker, and more difficult for the target to detect.

Lots of people recommend Signal as an alternative to WhatsApp. Signal is a highly respected encrypted messaging app which is preferable to WhatsApp for many reasons. Unlike WhatsApp, Signal does not collect data about users and share that data with Facebook. Facebook’s business model is to collect as much data about people as possible to help sell advertising. And unlike WhatsApp, Signal’s code is open-source meaning it’s possible to verify that it’s working properly. Some people find Signal more difficult to use than WhatsApp.

But Signal are planning to use the same behaviour as WhatsApp that was reported as a backdoor in an attempt to make their app easier for people to use. As Matthew Green, Assistant Professor at Johns Hopkins University, said on Twitter in response to the Guardian’s article, “I wish we could put the word "backdoor" in a glass case and only bring it out when something is really deserving.”

It is a struggle to get people to use secure messaging tools. Facebook and WhatsApp’s business model leaves much to be desired and Signal does a lot more to respect the privacy of its users. But WhatsApp have been successful in getting millions of people to encrypt the contents of their messages end-to-end.

The UK’s Investigatory Powers Act has powers in it for the Government to serve companies with Technical Capability Notices for the “removal of electronic protection applied by a relevant operator” to force them to carry out hacking and intercept data for the Government.

There are big fights ahead on encryption and we have to remain vigilant to those. Let’s save the word “backdoor” for the real thing.

Update: I fixed point 3 to say that if's Ed's dad's SIM card were stolen, it could be used to re-register Ed's dad's WhatsApp account on a different phone. It used to say if 'Ed's SIM card' were stolen.


Comments (3)

  1. YoiAreSorelyMistaken:
    Jan 28, 2017 at 04:47 PM

    The whatsapp server could simply restore the original key after the retransmission interception. If you think the phone has to be off you have completely misunderstood the flaw, it goes through the WHATSAPP server, which will of course just release the original message after interception of the retransmission. Also, in case I had key notification on (no one does), where do I report the facts that my phone is acting up? In summary, do your homework. You are doing PR for Whatsapps owner. A little known company called Facebook, which is currently developing surveillance tools for China.

  2. YoiAreSorelyMistaken:
    Jan 28, 2017 at 04:56 PM

    This is rather embarrassing. Of course they would deliver the original message. It's a RE!! Transmission. Have you even read technical explanation on Tobias Boetlers blog, or in the Guardian followup?

  3. YoiAreSorelyMistaken:
    Jan 28, 2017 at 04:58 PM

    I can't believe you think they would throw away peoples messages while doing a MITM. Please go read the technical explanation in the Guardian followup



This thread has been closed from taking new comments.