WhatsApp With That: One Says Backdoor, the Other Says Feature
WhatsApp was in the limelight this week with news that it has allowed government backdoor access.
Let’s start by saying that WhatsApp is a highly attractive target for all actors - state and crime - because for many people it replaces the phone’s native chat application and is also used for calls. WhatsApp contains a lot of personal information, from simple texts to photos and voice calls. In fact, in August 2016 it was found that a state-grade RAT installed on the iPhone of a recognized human rights defender had the ability to record the individual’s WhatsApp communications.
The recently exposed vulnerability, https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/, lies in WhatsApp’s encryption protocol. The issue stems from the encryption implementation during phone registration. An attacker can register the phone under the name of the victim and access the victim’s unread chats. This happens because the messages will be re-encrypted with the attacker’s key and sent to the attacker.
According to Facebook, this issue isn’t a vulnerability, but rather a feature. The feature argument can make sense from a usability perspective. After all, if someone replaced their SIM card or phone, they would expect to receive the messages that were sent to them while they were offline.
Setting usability aside and looking at the issue from a security perspective, this is a security vulnerability. We have to admit, though, that if this issue is indeed a backdoor, it is quite a weak one. To begin with, the attack is quite “random” in that the attacker only has access to the victim’s unread chats. One would expect a backdoor to be capable of retrieving all conversations and breaking the encryption entirely. Furthermore, the attack requires the victim to be offline, which further reduces the strength of such a backdoor. It is also important to note that there is a configuration option on the sender’s side which allows receiving a warning message when the recipient’s phone is re-registered, thus exposing such a hack.
That said, to ensure usability while still providing security, we suggest that the WhatsApp default should be to notify the sender that the recipient has re-registered the phone and to ask the sender whether to send or discard those unread messages.
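The three sender-side behaviours discussed above (silent retransmission, retransmission with a warning, and the suggested ask-first default) can be compared in a small Python model. This is an added example, not WhatsApp's code: the Sender class, the policy names "auto", "notify" and "confirm", and the sample keys are assumptions, and encryption is represented only by the fingerprint of the key a message is released to.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Short fingerprint of a recipient's identity key."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class Sender:
    policy: str                                      # "auto", "notify" or "confirm"
    trusted: dict = field(default_factory=dict)      # recipient -> trusted fingerprint
    undelivered: dict = field(default_factory=dict)  # recipient -> unread message texts
    held: dict = field(default_factory=dict)         # recipient -> (new fingerprint, texts)
    warnings: list = field(default_factory=list)

    def queue(self, recipient, key, text):
        """A message sent while the recipient is offline (no delivery receipt yet)."""
        self.trusted.setdefault(recipient, fingerprint(key))
        self.undelivered.setdefault(recipient, []).append(text)

    def on_registration(self, recipient, key):
        """Recipient comes online with `key`; return (fingerprint, text) pairs released."""
        fp = fingerprint(key)
        msgs = self.undelivered.pop(recipient, [])
        if fp == self.trusted.get(recipient):
            return [(fp, m) for m in msgs]           # same key: normal delivery
        if self.policy != "auto":
            self.warnings.append(f"{recipient}: key changed after re-registration")
        if self.policy == "confirm":
            self.held[recipient] = (fp, msgs)        # nothing leaves until the user decides
            return []
        self.trusted[recipient] = fp                 # new key accepted without asking
        return [(fp, m) for m in msgs]               # unread messages go to the new key

    def decide(self, recipient, send):
        """The user's answer to the prompt: send the held messages or discard them."""
        fp, msgs = self.held.pop(recipient)
        if not send:
            return []
        self.trusted[recipient] = fp
        return [(fp, m) for m in msgs]

def demo(policy):
    """Constructed scenario: one unread message, then a re-registration with a new key."""
    s = Sender(policy)
    s.queue("bob", b"bob-phone-key", "meet at 6")
    return s.on_registration("bob", b"re-registered-key"), s.warnings

if __name__ == "__main__":
    for p in ("auto", "notify", "confirm"):
        print(p, demo(p))
```

Under "auto" and "notify" the unread message is released to the new key before the sender can react; only "confirm" keeps it back until the sender answers.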