Updated 14 January 2017 -----------------------
Today the Guardian reported that the Facebook owned application, WhatsApp contains a backdoor into its cryptographic end-to-end protocol. What this means, if true, is that your private conversations, may be encrypted as they pass through the internet, but not within the Facebook infrastructure.
When I saw Guardian’s tweet on the topic, I immediately requested they dig deeper.
— Christopher Burgess (@burgessct) January 13, 2017
It is important to understand the difference between poor security implementation and willful placement of a backdoor into the encryption code is significant. The former is easily correctable with a code adjustment or rewrite. The latter is a business decision and one which should cause your privacy flag to go from the normal cautionary yellow to a danger red. I’ll keep an eye out for the answer to my request of the Guardian.
1 Do not use WhatsApp for any conversations requiring the utmost privacy and security.
2 Set up an alert on the search engine of your choice on “WhatsApp” so as to monitor the resolution of this backdoor and identification of any future vulnerabilities.
3 Keep an eye on the WhatsApp security page for any changes or updates (as of 13 January 2017) we saw no reference to this backdoor issue.
UPDATE – 14 January 2017
WhatsApp/Facebook issued an explanation concerning the capability discussed in the Guardian piece and how the implementation is there by design, to ensure that users have continuity across their devices and not to allow “backdoor” access. According to Dark Reading, users must enable their security notifications to ensure that they are aware when the settings are updated by those with whom they are in contact. A specific excerpt:
Dissidents and those using WhatsApp in repressive countries might need to take additional precautions like using an out of band method to ensure that a user has really changed devices, he said.
Chris Perry, COO of Secured Communications says the most troubling aspect about the whole controversy is the lack of full disclosure by Facebook WhatsApp.
“When a company builds into its system a failsafe, such as this feature, there should be full disclosure to their customer base that it exists and how and why it would be activated,” Perry says in comments to Dark Reading.
As it is, only the sender is informed of the encryption key change and that too only if the sender has opted-in to the notification warning, he says. “There should be a warning notification for both sender and recipient that is default activated advising when they are no longer in a secure encrypted environment.”
— Graham Cluley (@gcluley) January 14, 2017