Why your WhatsApp messages and photos are not that private
Popular messaging service WhatsApp is in the eye of a storm following persistent revelations that its system of making messages unreadable to third parties is not as watertight as it makes users believe.
The latest disclosure was made on Friday by the Guardian, a British newspaper, which quoted experts saying there is a likelihood that messages sent on WhatsApp can be accessed by the chat provider’s servers especially when the recipient is not immediately available to read a message sent to them.
The paper said that given the desire by some governments to know what individuals are exchanging, the vulnerability could threaten people like dissidents, activists and diplomats who use the service knowing it is free from snooping.
But Facebook, WhatsApp’s parent company, and Open Whisper Systems, the provider of WhatsApp’s messaging security measures, have vehemently denied there being a problem, with the latter releasing a statement on Saturday saying those exposing the “vulnerability” do not understand the checks placed to ensure security of messages.
The problem, according to the Guardian, arises from a key-based system of accessing messages. When a person sends a message, WhatsApp’s servers assign the message a certain code (key) to make it unique and unreadable to anyone, a process called encryption.
That key works with another one that the server assigns to the recipient’s phone, meaning the message is a bundle of undecipherable codes until the person on the other end opens it.
This means the message goes from the sender to the recipient without even WhatsApp’s servers knowing what is in it.
However, questions are arising over what happens to the codes when the recipient is offline.
According to the publication, WhatsApp generates a new key for an offline reader when they log back into the messaging service, which means the message lingers on its servers and can thus be available for retrieving.
The Guardian reported: “The security backdoor was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: ‘If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.’”
The newspaper said Mr Boetler had reported the matter to Facebook in April 2016 but was told that “it was expected behaviour”.
Mr Kennedy Kachwanya, the chairman of the Bloggers Association of Kenya (Bake) and the owner of technology blogging site kachwanya.com, explained how the alleged vulnerability manifests itself.
“Once the messaging provider generates a key from the sender, if the receiver phone is not there at that point, the message doesn’t stay on the servers. That is if the signal encryption is implemented properly. What WhatsApp has done is to allow the message to linger around as they regenerate another key,” Mr Kachwanya told the Sunday Nation.
“What usually happens with encryption is that the message doesn’t stay in any of the servers. But in this case, the message stays.”
Mr Kachwanya explained that, however, there is no risk of hackers obtaining information exchanged between users.
“It is only Facebook that can give it to other people. Any other person will have to request it from them,” he said.
And Mr Rajeev Kumar, a senior trainer and certified ethical hacker at the Indian Institute of Hardware Technologies in Nairobi, said users have no control over the vulnerability.
“It is as if we created a message and handed over that message to your postman. Now because that message is encrypted and the postman knows the encryption method, he can decrypt and read your messages and after that he can forward that message to the end user by using another key. Users have no control over it,” he said in a statement to the Sunday Nation.
“The solution is either WhatsApp changes the security implementation method or WhatsApp users must stop sending any confidential messages over that channel, because it’s a public communication channel. For confidential messaging, other methods are available especially email with hash based signature method,” added Mr Kumar.
Asked what danger the alleged flaw posed, Mr Kumar said: “It is a risk not only to Kenya and Kenyans but it is a security risk for whole world as it relies on that messaging system.”
Open Whisper Systems, in a detailed explanation, denied there being any vulnerability in a blog post.
“The WhatsApp client [servers] have been carefully designed so that they will not re-encrypt messages that have already been delivered. Once the sending client displays a ‘double check mark’, it can no longer be asked to re-send that message. This prevents anyone who compromises the server from being able to selectively target previously delivered messages for re-encryption.