WhatsApp security missing: Gap in end-to-end encryption

Whatsapp security is not as secure, as was previously thought.

With the introduction of the end-to-end encryption, all WhatsApp users were happy about the new WhatsApp security. Since the introduction of the encryption, chats were completely confidential and could only be read by the chat partner. Supposedly!

But now, a security breach has become apparent. Read on to find out how secure your private chats and what the security gap means for you.

This vulnerability ensures that the WhatsApp parent company Facebook can read the messages of it’s users. But not just the Facebook Group. Also authorities could potentially spy on your private messages according to a report The Guardian. WhatsApp itself emphasises the security of end-to-end encryption on its website. But what exactly is behind it and what does it mean for you and your messages?

Gap in WhatsApp Security

In the gap in WhatsApp security is an incorrect implementation of signal encryption technology. The security researcher Tobias Boelter had already discovered the error in April 2016. But so far, Facebook saw no need to eliminate the error. However, the problem is not the signal-triggering process, but the way WhatsApp uses the encryption technology.

WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications. These are secure and cannot be intercepted by a middleman. The Signal protocol relies on end-to-end encryption. It is based on two keys: the receiver de-crypts the incoming messages. The second key, which is publicly known, is used to encrypt the message. This means that third parties can not read the communication in plain text. But this is not true in all cases. If one of the chat partners is offline, the app generates a new key to re-send the message later. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users messages.

Facebook can read through security holes

With this, WhatsApp wants to prevent messages from being lost during a mobile phone exchange or SIM card exchange. But it is precisely these messages that can be read by Facebook. According to Boelter, this applies to whole conversations in which such a message is located. It is questionable however, whether WhatsApp and Facebook’s vulnerability consciously accepts it as a backdoor or designed to benefit you as a user. According to Boelter, the security gap is a classic backdoor. It allows the operator of a service to leverage its own security mechanisms. A WhatsApp spokesman explains: “WhatsApp does not give governments any back-door access to its systems. They would fight against any government requirement to create a back-door.”

What about WhatsApp security from now on?

And now? What happens with the WhatsApp security going forward? As users, it is not possible to hold back your messages when the recipient’s key changes. This is technically not possible. But you can get information about key changes. This is under “Settings – Account – Security”. If you activate the “Show security notifications” option, you will receive a message when the security number has been changed. Facebook as a parent company sees no reason to change it’s approach. This is simply a feature that should prevent people from losing millions of messages, according to WhatsApp.