WhatsApp has been trying to improve its standing on privacy and security since last year, when the messaging service introduced end-to-end encryption. Unfortunately, it turns out that WhatsApp’s encryption isn’t keeping messages as secure as one would hope. Several months back, security researchers discovered a backdoor in WhatsApp’s encryption, leaving messages vulnerable to interception. The messaging service was notified but has not patched it.
Security researcher Tobias Boelter was the first to make the vulnerability public, after notifying WhatsApp and giving them ample time to come up with a patch.
WhatsApp uses the Signal protocol to generate unique security keys for its encryption. However, the company also has a way to force the generation of new encryption keys for undelivered messages without the knowledge of the sender. Once new keys are generated, the undelivered messages are automatically resent, which could then allow the company to intercept and read them, or theoretically to hand access to other agencies.
Facebook has since commented on this behaviour, saying that forcing new encryption keys is there to help stop messages being lost in transit:
“Last year, we gave all our users a better level of security by making every message, photo, video, file and call end-to-end encrypted by default. In WhatsApp’s implementation of the Signal protocol, we have a ‘Show Security Notifications’ setting (option under Settings > Account > Security) that notifies you when a contact’s security code has changed. We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and SIM cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”
It doesn’t really address all of the concerns raised by security researchers, but from the sounds of it, Facebook won’t be making any changes.
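The behaviour described above can be sketched as a toy model (an added example, not WhatsApp's or Signal's code): a sending client that resends undelivered messages as soon as a contact's key changes, with any notification shown only afterwards, next to a hypothetical client that holds them until the sender confirms the new key. The class, method and key names are assumptions, and keys are plain labels rather than real cryptography.

```python
from dataclasses import dataclass, field

@dataclass
class SenderClient:
    """Toy sending client. Keys are labels, not real cryptography."""
    hold_on_key_change: bool           # hypothetical stricter policy
    show_security_notifications: bool  # setting named in the statement
    contact_key: str = "key-A"         # constructed sample value
    offered_key: str = ""              # announced but not yet accepted
    undelivered: list = field(default_factory=list)
    wire: list = field(default_factory=list)     # (key used, plaintext)
    notices: list = field(default_factory=list)

    def send(self, text, delivered):
        self.wire.append((self.contact_key, text))
        if not delivered:
            self.undelivered.append(text)

    def on_key_change(self, new_key):
        """The server announces a new key for the contact."""
        if self.hold_on_key_change:
            self.offered_key = new_key
            self.notices.append(f"key changed, {len(self.undelivered)} message(s) held")
            return
        self._accept(new_key)
        if self.show_security_notifications:
            # Shown only after the resend has already happened.
            self.notices.append("security code changed")

    def confirm_offered_key(self):
        """The sender has verified the new key out of band."""
        self._accept(self.offered_key)

    def _accept(self, new_key):
        self.contact_key = new_key
        for text in self.undelivered:
            self.wire.append((new_key, text))  # re-encrypted to the new key
        self.undelivered.clear()

def run(hold, notify):
    client = SenderClient(hold, notify)
    client.send("hello", delivered=True)
    client.send("meet at 6", delivered=False)
    client.on_key_change("key-B")  # constructed key change
    resent = [text for key, text in client.wire if key == "key-B"]
    return resent, client.notices

if __name__ == "__main__":
    for hold, notify in [(False, False), (False, True), (True, True)]:
        print(hold, notify, run(hold, notify))
```

With the notification setting off, the first policy resends the pending message and the sender sees nothing; only the holding policy keeps the message back until the key is confirmed.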
KitGuru Says: In reality, this won’t really affect many people and most people don’t really have any reason to worry. However, if you happen to be super conscious about privacy and security, then you may want to look into these vulnerabilities a little more.