“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys”
Tobias Boelter, a cryptography researcher at the University of California in an interview with the Guardian
Friday the 13th came and went, but I have so really scary news for you; WhatsApp is not secure.
So says the Guardian newspaper, in a shocking expose that has me worried. The Guardian Newspaper in their report claims that there is a backdoor exist in WhatsApp’s E2EE (End-to-End Encryption) scheme as described in Why Viber and WhatsApp going E2EE as Telecom Providers need encryption.
This as WhatsApp can generate a set of extra encryption keys aside from the Public Key and the Private Key generate by the recipient and then send them to a third party, allowing them access to your encrypted conversations. The Guardian Newspaper quoted Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights as saying the following, quote: “WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform”.
This means that WhatsApp messages could be read by interested third-parties such as the US Government, specifically the NSA (National Security Agency) and their British counterpart, the GCHQ (Government Communications Headquarters).
Interestingly, Tobias Boelter, a cryptography researcher at the University of California, had reported the vulnerability some six (6) months ago to Facebook in April 2016. They basically did nothing even as they launched their questionable opt-in E2EE for Facebook Messenger as noted in Facebook Messenger’s Opt-in E2EE raises Privacy Concerns.
This duplication of keys, as in real life, naturally happens in the case where people have their phone stolen and the thief continue use their old SIM, when your switch to a new smartphone using the same WhatsApp or when you re-install WhatsApp as pointed out by WhatsApp, quote: “We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp…. In these situations, we want to make sure people’s messages are delivered, not lost in transit”.
But the fact that the backdoor exists to generate an extra pair of keys for parties unknown means that WhatsApp and Messenger may both be unsecure. Your Private conversations may not be private after all….and that’s scarier than Friday the 13th!