WhatsApp's servers can register a new encryption key for a user who is offline and tell the sender's app that the contact's key has changed. The app then automatically re-encrypts any messages that haven't yet been marked as delivered to the new key and re-sends them, without asking the sender first. If the new key is one WhatsApp controls rather than the recipient's, WhatsApp can read every message re-sent in this way.
This security backdoor, which was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, means that WhatsApp could, if asked to by a government agency, intercept the contents of a target's undelivered messages even though they are supposedly end-to-end encrypted.
Not only that, but recipients of messages won't have any clue that they've been intercepted, and senders will only be alerted to the change in encryption if they have turned on "Show security notifications" in the app's security settings. Even then, the warning appears only after the re-send has already happened, so it confirms the exposure rather than preventing it.
A feature, not a fault
The backdoor should be easily fixable. It is not a core part of the Signal protocol that WhatsApp uses for its encryption, but a client-side policy decision about what the app does when a contact's key changes, so no change to the cryptography is needed. A fix may not be incoming, though.
WhatsApp was alerted to the flaw in April 2016, but actually sees it as a feature. A contact's security code legitimately changes when a phone or SIM card is switched or WhatsApp is re-installed, and the company wants to ensure messages are still delivered when that happens, which they wouldn't be automatically if the app stopped and asked the sender to verify the new key.
Handling things in this way keeps WhatsApp simple, but means it's not as secure as you may have thought. If security is vital to you, consider switching to Signal, an app which uses the same encryption but handles a key change differently: the message fails to send, a warning is shown, and nothing is re-encrypted to the new key until the user has looked at the warning and chosen to resend.
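To make the difference between the two behaviours concrete, here is a small simulation written for this article. It is not code from WhatsApp, Signal or Boelter's report, and the names (Server, Client, alice, bob, the policy constants) are made up for the example. Encryption is abstracted away: an envelope records which identity key it was sealed to, and only the holder of that key can open it, which is all the scenario needs. The server plays the operator: it swaps an offline contact's key for one it holds, then tells the sender's client the key changed. Under the auto-resend policy the client re-encrypts the queued message to the substituted key and the operator reads it; under the block policy the client warns and keeps the message local.

```python
"""Toy model of key-change handling in a TOFU (trust-on-first-use) messenger.
Added example for illustration; not the code of any real app. Names are invented."""
import hashlib
import os
from dataclasses import dataclass, field

AUTO_RESEND = "auto_resend"  # behaviour described for WhatsApp: accept new key, re-send silently
BLOCK = "block"              # behaviour described for Signal: warn, wait for the user to verify


def fingerprint(pubkey: bytes) -> str:
    """Short fingerprint of an identity key (what the apps show as a 'security code')."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class Envelope:
    """A message sealed to one identity key. The cipher itself is abstracted: we only
    record which key it was sealed to, and open() succeeds only for that key's holder."""
    sealed_to: str
    body: str


@dataclass
class Party:
    name: str
    identity_key: bytes = field(default_factory=lambda: os.urandom(32))

    def open(self, env: Envelope):
        """Return the plaintext if this party holds the key the envelope was sealed to."""
        return env.body if env.sealed_to == fingerprint(self.identity_key) else None


class Server:
    """Key directory plus store-and-forward mailbox, both run by the service operator."""

    def __init__(self):
        self.directory = {}   # name -> identity key the server hands out
        self.mailbox = {}     # name -> envelopes waiting for an offline recipient

    def register(self, party: Party):
        self.directory[party.name] = party.identity_key

    def lookup(self, name: str) -> bytes:
        return self.directory[name]

    def store(self, name: str, env: Envelope):
        self.mailbox.setdefault(name, []).append(env)

    def swap_key(self, name: str, attacker_key: bytes):
        """Operator replaces an offline user's key with one it controls. The queued
        envelopes were sealed to the real key, so they are useless and dropped."""
        self.directory[name] = attacker_key
        self.mailbox[name] = []


@dataclass
class Client:
    me: Party
    policy: str
    pinned: dict = field(default_factory=dict)       # TOFU: first key seen per contact
    undelivered: dict = field(default_factory=dict)  # contact -> plaintexts not yet acknowledged
    notifications: list = field(default_factory=list)

    def send(self, server: Server, to: str, text: str):
        self.undelivered.setdefault(to, []).append(text)
        self._encrypt_pending(server, to)

    def on_key_change(self, server: Server, to: str):
        """Server signals that the contact's key changed; re-handle undelivered messages."""
        self._encrypt_pending(server, to)

    def _encrypt_pending(self, server: Server, to: str):
        key = server.lookup(to)
        if to not in self.pinned:
            self.pinned[to] = key
        elif key != self.pinned[to]:
            self.notifications.append(f"security code for {to} changed to {fingerprint(key)}")
            if self.policy == BLOCK:
                return                 # keep messages local until the user verifies the new key
            self.pinned[to] = key      # AUTO_RESEND: trust the new key without asking
        for text in self.undelivered.get(to, []):
            server.store(to, Envelope(fingerprint(key), text))


def run_scenario(policy: str) -> dict:
    """Alice messages an offline Bob; the operator swaps Bob's key and triggers a re-send."""
    server = Server()
    alice, bob = Party("alice"), Party("bob")
    server.register(alice)
    server.register(bob)
    alice_client = Client(alice, policy)

    alice_client.send(server, "bob", "meet at 9")   # Bob is offline: envelope waits on the server
    operator = Party("operator")                    # the service, or whoever compels it
    server.swap_key("bob", operator.identity_key)
    alice_client.on_key_change(server, "bob")

    leaked = [m for m in (operator.open(e) for e in server.mailbox["bob"]) if m]
    return {"leaked": leaked, "notifications": alice_client.notifications}


if __name__ == "__main__":
    for policy in (AUTO_RESEND, BLOCK):
        print(policy, run_scenario(policy))
```

Both policies record a security-code-changed notification; the difference is that only the blocking client refuses to seal the queued plaintext to a key the user has not approved. Whether that notification is shown at all is, in the real app, the setting discussed above.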
- Via The Guardian
James is a freelance phones, tablets and wearables writer and sub-editor at TechRadar. He has a love for everything ‘smart’, from watches to lights, and can often be found arguing with AI assistants or drowning in the latest apps. James also contributes to 3G.co.uk, 4G.co.uk and 5G.co.uk and has written for T3, Digital Camera World, Clarity Media and others, with work on the web, in print and on TV.