Update (13:30 IST): Open Whisper Systems, whose Signal protocol is used in WhatsApp, has claimed that the “secret backdoor” story is not true. The ability to change the security keys for undelivered messages spares users the burden of dealing with a recipient’s key change during message transfer, for example when the recipient reinstalls WhatsApp on their phone. Otherwise, the user would have to verify the keys manually, which would be troublesome.
The encryption status can be verified by scanning the unique WhatsApp security number shown on the contact’s info screen. As mentioned earlier, users can choose to be notified when a security key change takes place. Also, WhatsApp doesn’t know whether a user scans the security number or receives a key change notification.
You can read the complete statement in the blog post by Open Whisper Systems.
Short Bytes: According to UC Berkeley-based security researcher Tobias Boelter, there is a loophole (backdoor) in the end-to-end encryption system of the instant messaging app WhatsApp. The backdoor allows WhatsApp (Facebook) to change the encryption security key for undelivered encrypted messages and read them.
Facebook-owned WhatsApp proudly pats itself on the back in front of its customers for having enabled end-to-end encryption for all messages and calls made through the instant messaging app. It says that no one except the sender and the receiver of a message can read it. But these claims appear to be only partly true after The Guardian reported on new research by UC Berkeley researcher Tobias Boelter.
According to Boelter, WhatsApp’s encryption system has a loophole (or a backdoor) that allows Facebook and friends to access the “encrypted” messages. To enable encryption, a unique cryptographic key exchange takes place between the sender and receiver; the resulting key encrypts and decrypts the messages.
The research shows that Facebook (via WhatsApp) can change the cryptographic key for any undelivered message – while the recipient’s app is not connected to the internet – which in turn allows them to read it. “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter told The Guardian.
Boelter informed Facebook about the issue in April last year, but the company was already aware of it and wasn’t interested in fixing it. The loophole (backdoor) still exists and there is no way for the user to prevent it. However, WhatsApp has a feature that notifies the user if the encryption key changes. It can be found under Settings > Account > Security > “Show security notifications”.
After initially hesitating to comment, WhatsApp later said in a statement that it doesn’t help governments with any “backdoor” and that it would resist if asked to create one.
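To make the trade-off described in the update and in Boelter’s research concrete, here is an added toy model (not WhatsApp’s or Signal’s code) of a sending client that holds undelivered messages when the server’s key directory reports a new key for the recipient. The XOR cipher, the `SenderClient` class, the `directory` dict and the two policy names are assumptions constructed for illustration; only the server-controlled key directory and the notification setting come from the article.

```python
import hashlib
from dataclasses import dataclass, field

# Toy stream cipher (XOR with a SHA-256-derived keystream): a stand-in for the
# real Signal session, used only so "who can decrypt" depends on the key held.
def encrypt(key: bytes, plaintext: bytes) -> bytes:
    stream = hashlib.sha256(key).digest() * (len(plaintext) // 32 + 1)
    return bytes(p ^ s for p, s in zip(plaintext, stream))

decrypt = encrypt  # XOR is its own inverse

@dataclass
class SenderClient:
    """Sender side. `directory` models the server's key directory (hypothetical);
    `policy` selects what happens to undelivered messages when a key changes."""
    directory: dict                       # recipient -> key the server currently reports
    policy: str = "auto_resend"           # or "block_until_verified"
    trusted: dict = field(default_factory=dict)      # recipient -> key pinned on first use
    undelivered: dict = field(default_factory=dict)  # recipient -> [(plaintext, ciphertext)]
    notifications: list = field(default_factory=list)

    def send(self, recipient: str, plaintext: bytes) -> None:
        key = self.trusted.setdefault(recipient, self.directory[recipient])
        self.undelivered.setdefault(recipient, []).append((plaintext, encrypt(key, plaintext)))

    def on_key_change(self, recipient: str) -> list:
        """Return the ciphertexts the client puts on the wire after a key change."""
        new_key = self.directory[recipient]
        if new_key == self.trusted.get(recipient):
            return []
        # Either policy records the change; whether the user sees it is the
        # "Show security notifications" setting mentioned in the article.
        self.notifications.append(f"security code for {recipient} changed")
        if self.policy == "block_until_verified":
            return []   # nothing leaves until the user verifies the new safety number
        self.trusted[recipient] = new_key  # trust the new key, then re-encrypt and resend
        resent = [(p, encrypt(new_key, p)) for p, _ in self.undelivered.get(recipient, [])]
        self.undelivered[recipient] = resent
        return [c for _, c in resent]

def scenario(policy: str) -> dict:
    """Alice queues a message for Bob (offline); the directory then reports a new key."""
    bob_key, new_key = b"bob-original-key", b"key-reported-after-change"  # constructed
    alice = SenderClient(directory={"bob": bob_key}, policy=policy)
    alice.send("bob", b"meet at 9")
    alice.directory["bob"] = new_key     # server now reports a different key for Bob
    on_wire = alice.on_key_change("bob")
    # Whoever holds `new_key` can decrypt anything re-encrypted to it.
    readable = [decrypt(new_key, c) for c in on_wire]
    return {"resent": len(on_wire), "readable_by_new_key_holder": readable,
            "notified": bool(alice.notifications)}
```

Under `auto_resend` the queued message is re-encrypted to whatever key the directory now reports, so the notification is the user’s only signal; under `block_until_verified` nothing is resent until the safety number is checked.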
Note: To include Open Whisper Systems’ statement, the title and the content of this article have been changed. The previous title was “WhatsApp Has Message Encryption, Still, They Created A “Secret Backdoor”.”