WhatsApp Backdoor allows Hackers to Intercept and Read Your Encrypted Messages
Most people believe that end-to-end encryption is the ultimate way to protect your secret communication from snooping, and it does, but it can be intercepted if not implemented correctly.
After introducing "
end-to-end encryption by default" last year, WhatsApp has become the world's largest secure messaging platform with over a billion users worldwide.
But if you think your conversations are completely secure in a way that no one, not even Facebook, the company that owned WhatsApp, can intercept your messages then you are highly mistaken, just like most of us.
Here's the kick:End-to-end encrypted messaging service, such as WhatsApp and
Telegram, contain a backdoor that can be used, if necessary, by the company and of course hackers, or the intelligence agencies to intercept and read your end-to-end encrypted messages, and that’s all without breaking the encryption.
And that backdoor is —
TRUST.
No doubt most of the encrypted messaging services generate and store private encryption key offline on your device and only broadcast the public key to other users through the company's server.
Like, In the case of WhatsApp, we have to trust the company that it will not alter public key exchange mechanism between the sender and receiver to perform man-in-the-middle attack for snooping on your encrypted private communication.
Tobias Boelter, security researcher from the University of California, has
reportedthat WhatsApp's end-to-end encryption, based on Signal protocol, has been implemented in a way that if WhatsApp or any hacker intercepts your chats by exploiting trust-based key exchange mechanism, you will never come to know if any change in encryption key has occurred in the background. YES, that's possible.
Note that this backdoor has nothing to do with the Signal encryption protocol, created by Open Whisper Systems. It's one of the most secure encryption protocols if implemented correctly.
“WhatsApp has implemented a backdoor into the Signal protocol, giving itself the ability to force the generation of new encryption keys for offline users and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered. The recipient is not made aware of this change in encryption.” The Guardian reports.
However, users can receive notifications when security codes change, only if "
security notifications" option has been turned ON manually from the app settings.
Boelter told the Guardian that he reported the backdoor to Facebook in April 2016 -- the time when WhatsApp implemented end-to-end encryption by default in its messaging app.
However, the researcher was told in reply that Facebook was already aware of the issue and justified it as an "
expected behavior."
And Yeah, the backdoor still exists in WhatsApp.
To prevent the possibility of MITM attacks, WhatsApp also offers a third security layer in its app using which you can
verify the keysof other users with whom you are communicating, either by scanning a QR code (
drawback: physical presence required) or by comparing a 60-digit number by another way of communication.
"Security codes are just visible versions of the special key shared between you - and don't worry, it's not the actual key itself, that's always kept secret."
However, this option is useful only when you are actively looking to verify the authenticity of session keys and, we know, only one privacy-conscious paranoid user in thousands would do that.
Oh! You must be thinking — Which secure messaging service then offers protection against such broken trust and interception?
There are several alternatives, such as "
Signal Private Messenger", itself, developed by Open Whisper Systems and it's most recommended secure message app.
from The Hacker News http://ift.tt/2ikRZHY