Friday the 13th is always a day that superstitious people look to find bad news tied to random events or actions, like a black cat crossing their path or breaking a mirror. However on some occasions, bad news can also break on such an “unlucky” day.
Today, marks one of those occasions as The Guardian broke a story entitled WhatsApp backdoor allows snooping on encrypted messages. The story focuses on a reported security backdoor from researcher Tobias Boelter.
According to the exclusive in the Guardian:
WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman. However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.
— Kaspersky Lab (@kaspersky) January 11, 2017
The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.
It's ridiculous that this is presented as a backdoor. If you don't verify keys, authenticity of keys is not guaranteed. Well known fact.
— Frederic Jacobs (@FredericJacobs) January 13, 2017
While there are conflicts around whether this is a true bug or feature, the fact remains that this is something that users of WhatsApp can fix themselves. To do this, users need to do the following:
Android: Press Account, then Security, and then click on Show security notifications.
iOS: Click the cog in lower right, then press Account → Security → Show security notifications.
If you receive the security alert below (iOS screenshot), and you are having a sensitive conversation and want to be sureno one is evesdropping, the best way is to wait until the user comes back online and you can confirm and enable the end-to-end encryption back.
As we mentioned in our Private Messenger post, these messengers and the notion of true privacy are quite complex. We urge you to make sure that you keep an eye on the security settings to keep your data safe. We will also provide you tips on privacy and security on Kaspersky Daily multiple times per week, so be sure to tune in.