A Guardian report says WhatsApp and its parent Facebook could intercept user messages. Security experts aren't sure it's really a problem.
WhatsApp has faced extra scrutiny since deciding to share some user information with Facebook. But security experts say the latest criticism of the service has an easy fix.
Ever since WhatsApp announced in August it would share some user information with its parent company Facebook, privacy activists have left one eyebrow permanently arched in skepticism toward the secure messaging app.
Then, on Friday, the Guardian dropped a bombshell: WhatsApp, and potentially other parties like government agencies, may have access to WhatsApp messages thanks to a security backdoor in the app.
The promise of WhatsApp is that only you and your recipient can read the messages you send through the service. That means no copy of your messages sits on WhatsApp servers, where the company, its parent Facebook, or any government could access them. Even the information-sharing that WhatsApp announced in August is limited to the user's phone number and the last time he or she used the app.
So news that WhatsApp is designed with a loophole that could let the company access the message was damning. But security experts were quick to question the Guardian report, saying that WhatsApp comes with a built in way for users to close the loophole. What's more, Facebook flatly denies it has a backdoor into user communications.
Normally, WhatsApp users have unique digital keys that they swap with each other when sending messages -- that's what keeps others out. But if you hit send on a message while your recipient is offline, WhatsApp could theoretically jump in with a new encryption key and automatically resend the message with the new key, which the company would have a copy of. Then, WhatsApp could decrypt the message and read what it says. Senders and recipients would have no idea that someone else has a way into their message.
But there's a fix. WhatsApp users can opt in to find out when someone they're communicating with changes their encryption key. This change happens often enough, when users switch to a different device or SIM card. If you see that your contact has a new encryption key and you're worried someone might have forced the change to intercept your message, you can ask your contact if he switched devices, said John Geater, chief technology officer at Thales e-Security, a firm that helps companies manage their encryption keys.
A UC Berkeley PhD student in cryptography, Tobias Boelter, conducted the research that spurred the Guardian report. Boelter said WhatsApp could make one change to make the system more secure. The problem now, he says, is that WhatsApp automatically resends the message when the encryption key changes. The company should offer an option to users to stop that from happening. That way, if users suspected they were being eavesdropped on, they could prevent the message from being broadcast.
Also, he said, just because WhatsApp didn't design the process as a backdoor, doesn't mean it couldn't be used as one.
"It effectively allows WhatsApp to intercept messages," Boelter said. "Which is really bad."