WhatsApp encryption vulnerability allows messages to be intercepted

A WhatsApp encryption vulnerability may enable messages sent using the service to be intercepted, a security expert has revealed.

Tobias Boelter, a researcher at the University of California, found that WhatsApp's servers can change the encryption keys used for a conversation without the consent of either party, according to The Guardian.

He said WhatsApp's server can force the generation of new encryption keys for a user who is offline; the sender's app then automatically re-encrypts any messages not yet marked as delivered under the new keys and sends them again.

The sender is notified that this has happened only after the messages have been resent, and only if they have encryption warnings turned on; the recipient is not notified at all.

This means that if the recipient is offline when a message is sent, whoever can register the receiving number with the WhatsApp server under a key they control, in practice WhatsApp itself or anyone able to compel it, can read the resent, re-encrypted messages. Messages already delivered under the old key are not resent and so are not exposed this way.
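The sequence described above, as a toy simulation added here; it is not WhatsApp's or Boelter's code. The Server and Sender classes, the "alice" and "bob" numbers, the throwaway XOR "cipher" and the contrasting blocking policy are all assumptions of the model. The one thing it exercises is the sender's decision about messages still queued for an offline recipient when the server announces a new key, which is the point at issue:

```python
"""Toy model of the key-change sequence described above. Added example, not
WhatsApp's or Boelter's code: the Server/Sender classes, the 'alice'/'bob'
numbers and the throwaway XOR 'cipher' are assumptions of the model. It tests
what a sender does with messages still queued for an offline recipient."""
import hashlib
import os
from dataclasses import dataclass


@dataclass
class Key:
    # One object stands for both the public bundle a sender fetches and the
    # private half its owner keeps: whoever registered the key can decrypt.
    secret: bytes

    @property
    def fingerprint(self):  # stands in for the "security code" shown to users
        return hashlib.sha256(self.secret).hexdigest()[:16]


def toy_encrypt(key, plaintext):
    """XOR with a SHA-256 keystream. Simulation only, not real cryptography."""
    stream = hashlib.sha256(key.secret + b"stream").digest()
    return bytes(p ^ stream[i % 32] for i, p in enumerate(plaintext))


toy_decrypt = toy_encrypt  # XOR is its own inverse


@dataclass
class Envelope:
    to: str
    key_fp: str  # fingerprint of the key this copy was encrypted to
    ciphertext: bytes


class Server:
    """Maps numbers to their current key and queues mail for offline users."""
    def __init__(self):
        self.keys, self.queue = {}, {}

    def register(self, number, key):
        self.keys[number] = key  # re-registering a number silently replaces its key

    def accept(self, env):
        self.queue.setdefault(env.to, []).append(env)

    def take_queue(self, number):
        return self.queue.pop(number, [])


class Sender:
    """blocking=False is the behaviour described in the article: re-encrypt and
    resend queued messages under the new key, warn afterwards if warnings are
    on. blocking=True (assumed alternative) holds them until the user verifies."""
    def __init__(self, server, blocking, notifications):
        self.server, self.blocking, self.notifications = server, blocking, notifications
        self.undelivered = {}  # number -> plaintexts with no delivery receipt yet
        self.warnings, self.held = [], []

    def send(self, to, plaintext):
        key = self.server.keys[to]
        self.undelivered.setdefault(to, []).append(plaintext)
        self.server.accept(Envelope(to, key.fingerprint, toy_encrypt(key, plaintext)))

    def ack(self, to):
        self.undelivered[to] = []  # delivery receipt: nothing left to resend

    def on_key_change(self, to):
        """The server has announced that `to` now has a new key."""
        key, pending = self.server.keys[to], self.undelivered.get(to, [])
        if self.blocking:
            self.held.extend(pending)  # nothing leaves the device under an unverified key
            return
        for pt in pending:  # automatic re-encrypt and resend
            self.server.accept(Envelope(to, key.fingerprint, toy_encrypt(key, pt)))
        if self.notifications:  # the warning arrives only after the resend
            self.warnings.append(f"{to}: security code changed")


def run_scenario(blocking, notifications):
    server = Server()
    bob_key = Key(os.urandom(32))
    server.register("bob", bob_key)
    alice = Sender(server, blocking, notifications)
    alice.send("bob", b"m1 read while online")
    bob_inbox = [toy_decrypt(bob_key, e.ciphertext) for e in server.take_queue("bob")]
    alice.ack("bob")
    alice.send("bob", b"m2 queued while offline")
    alice.send("bob", b"m3 queued while offline")
    attacker_key = Key(os.urandom(32))
    server.register("bob", attacker_key)  # number re-registered with a key the attacker holds
    alice.on_key_change("bob")            # server pushes the key change to the sender
    # The attacker can only open copies encrypted to the key it controls.
    attacker_reads = [toy_decrypt(attacker_key, e.ciphertext).decode()
                      for e in server.take_queue("bob")
                      if e.key_fp == attacker_key.fingerprint]
    return {"bob_got_m1": bob_inbox == [b"m1 read while online"],
            "attacker_reads": attacker_reads,
            "warned": bool(alice.warnings),
            "held": len(alice.held)}
```

`run_scenario(False, True)` reproduces the described case: the message delivered while Bob was online stays private, both messages queued while he was offline come back readable to whoever holds the newly registered key, and the sender's warning is recorded only after the resend has happened (with notifications off, no warning at all). `run_scenario(True, True)` shows the contrasting policy, in which the two queued messages are held and nothing is readable to the new key holder; that policy is an assumption of the model, not something the article attributes to WhatsApp.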

"If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys," Boelter told The Guardian.

He said he reported the issue to Facebook in April 2016 but was told it was not being worked on because it was "expected behaviour" for the app.

"The potential for governmental abuses from this misuse of encryption with WhatsApp is alarming," said Kevin Bocek, chief cyber security strategist at security firm Venafi.

"This is a serious vulnerability – WhatsApp needs to know how keys are protected in order to keep the global communications of over a billion users safe and private.

"This potential gap in security is a reminder for businesses of the power of cryptographic keys and how a lack of knowledge regarding their use can have serious consequences. Systems need to be in place to protect and change keys quickly, as and when needed.

"This is critical at a time when governments worldwide are attempting to break down and intrude on the use of encryption to protect privacy – what has become a basic right for both people and machines worldwide."

A WhatsApp spokesperson said the change of keys most commonly happens when a user gets a new phone or reinstalls the WhatsApp messaging app.

"This is because in many parts of the world, people frequently change devices and SIM cards," the company told The Guardian. "In these situations, we want to make sure people's messages are delivered, not lost in transit."

Users can turn on WhatsApp's security notifications under Settings > Account > Security. Note that this notification fires only after a contact's key has already changed, so it alerts the sender after the fact rather than holding the resend; to check a contact's current key, compare the security code shown in that contact's info screen.

For more on the vulnerability, see Boelter's blog post from April 2016.

Photo © Jan Persiel (CC BY-SA 2.0). Cropped.