Are WhatsApp Group Chats Vulnerable to Spying despite End-to-End Encryption?

Haniah Shafi
Nov 7, 2018

End-to-End Encryption turned out to be one of the best strategies employed by WhatsApp to retain its existing users. This was around the time people realised that their conversations were not private but subject to mass surveillance.

Everyone was on the lookout for other Instant Messaging apps that offered them a secure place to have private conversations. As a result, WhatsApp users began slipping off to other Instant Messaging applications in search of privacy.

To keep up in the race against apps such as Google Allo, Telegram and Signal that guaranteed secure digital communication, WhatsApp introduced End-to-End encryption just like its counterparts.

What is End-to-End Encryption? Here’s what WhatsApp says:

Snippet from the Security page of WhatsApp’s website

When WhatsApp introduced end-to-end encryption, it did a significant job of ensuring security and privacy. Its users were happy that their conversations were finally private and not subject to unauthorised spying and eavesdropping.

The app is particularly popular among groups of friends, family, co-workers and students. For most people, WhatsApp was the first choice for group conversations.

End-to-End encryption on WhatsApp worked perfectly well for private conversations between two people, and for groups it was all the merrier.

So, for families it meant that their pictures were safe.

For friends, it meant that their inside jokes stayed on the inside, unless, of course, one of them shared screenshots.

For students, it meant safe homework sharing and private discussions on collaborative group work.

However, research revealed a massive security flaw in End-to-End encryption for group chat settings.

According to a recent study by Rösler, Mainka and Schwenk, there is a significant gap in WhatsApp security for group conversations. The team of cryptographers designed a security model that was able to identify a vulnerability in WhatsApp’s security layer.

WhatsApp’s end-to-end encryption is based on the Signal Protocol, designed by Open Whisper Systems. End-to-end encryption is therefore applied at the application layer, where it protects the content of messages in a group chat.

However, changes to the group take place over the transport layer.

This means that the information regarding changes to the group, such as adding a new member or removing an existing one, is not end-to-end encrypted.

The Secret Backdoor

On WhatsApp, modifications to the group can only be made by group administrators. The group modification messages generated by administrators are sent to the server over the transport layer. Since there is no end-to-end encryption over the transport layer, it serves as a secret backdoor.

The researchers thus state that anyone with access to the server, such as staff or government officials, can add new members to a private group without the permission of its admin members.

Upon addition, a secret spy added from the server end gets access to the keys shared by the phone of every member of the group and can now read all the decrypted messages.

What are keys?

“End-to-End encryption relies on the generation of unique security keys using the acclaimed Signal protocol, developed by Open Whisper Systems. Keys are exchanged between users to guarantee communications are secure from interception by middlemen.” — The Guardian

What’s worse? The Spy/Eavesdropper can record all the ongoing and future messages on the group.
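The gap described above, as an added example that is not from the original article or from WhatsApp's code: a toy client that applies any membership change relayed by the server, beside one that applies a change only if it carries a tag computed under a secret shared end-to-end with the admin. The `Member` class, the message fields and the HMAC scheme are assumptions made for illustration and do not reproduce the Signal Protocol or WhatsApp's wire format.

```python
import hashlib
import hmac
import json
import os

def encode(change):
    # Canonical bytes for a group-change message such as {"op": "add", ...}.
    return json.dumps(change, sort_keys=True).encode()

def admin_tag(pairwise_key, change):
    # Tag computed on the admin's phone; the server never holds pairwise_key.
    return hmac.new(pairwise_key, encode(change), hashlib.sha256).digest()

class Member:  # hypothetical client model
    def __init__(self, name, admin_key, verify):
        self.name = name
        self.admin_key = admin_key  # secret shared end-to-end with the admin
        self.verify = verify        # False models the behaviour described above
        self.roster = {"admin", name}

    def on_group_change(self, change, tag=None):
        """Handle a change relayed by the server; return True if applied."""
        if self.verify:
            expected = admin_tag(self.admin_key, change)
            if tag is None or not hmac.compare_digest(expected, tag):
                return False        # not provably from the admin: ignore it
        if change["op"] == "add":
            self.roster.add(change["who"])  # member would now share group keys
        elif change["op"] == "remove":
            self.roster.discard(change["who"])
        return True

def demo():
    key_a, key_b = os.urandom(32), os.urandom(32)  # constructed pairwise secrets
    trusting = Member("alice", key_a, verify=False)
    checking = Member("bob", key_b, verify=True)
    out = {}
    # 1. A change that originates at the server, so it has no valid admin tag.
    injected = {"op": "add", "who": "unknown-device", "group": "family"}
    out["trusting_applied_injected"] = trusting.on_group_change(injected)
    out["checking_applied_injected"] = checking.on_group_change(injected, os.urandom(32))
    # 2. A genuine change, tagged on the admin's phone for this member.
    genuine = {"op": "add", "who": "carol", "group": "family"}
    out["checking_applied_genuine"] = checking.on_group_change(genuine, admin_tag(key_b, genuine))
    out["trusting_roster"] = sorted(trusting.roster)
    out["checking_roster"] = sorted(checking.roster)
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A real design would also bind each change to a counter or nonce so that an old, validly tagged change cannot be replayed by the server.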

WhatsApp’s Response:

In a phone conversation with Wired, WhatsApp confirmed that the above was true but only in the rare case that their server was compromised.

WhatsApp also stated that they have additional security measures already in place if the above takes place.

Alex Stamos, the Chief Security Officer at Facebook, tweeted:

This means that in the rare case that their servers were hacked, or someone on the inside added an infiltrator or an unknown spy, it cannot go unnoticed, since WhatsApp alerts every member of the group through its instant notification feature about the latest addition.

Notifications in WhatsApp (Source: Matthew Green, Cryptography Engineering)

Luckily for us, the notifications are in place. However, in groups of up to a hundred members and several admins, it could still go unnoticed unless the group is constantly monitored.

The researchers also argue that it’s possible to delay detection.

An attacker with control over WhatsApp’s server has access to the ongoing conversation and can use the server to selectively block messages in the group that notify members of its new entrant.

WhatsApp responded to this saying the group invite bug is just “theoretical” and does not qualify under their bug bounty program. It further claims that its security professionals constantly perform testing of the software for such flaws, says Wired.

Bottom line

WhatsApp, which is now under Facebook, has millions of servers situated in data centres across the globe. In reality, an attack that big is only possible when multiple servers across different geographic locations all go down at the same time. That is only possible in theory. Moreover, it’s not an easy task to get past the complex security checks integrated by security experts at Facebook.

In terms of privacy concerns and mass surveillance, it is already known that WhatsApp complies with law enforcement agencies upon request.

“WhatsApp appreciates the work that law enforcement agencies do to keep people safe around the world. We carefully review, validate and respond to law enforcement requests based on applicable law and policy, and we prioritize responses to emergency requests.” — WhatsApp

In a Forbes article, Thomas Brewster studied court filings and cases where WhatsApp supplied information to law enforcement agencies. He found that WhatsApp provided metadata, and sometimes direct data depending on the nature of the case, despite end-to-end encryption.

Metadata contains a huge chunk of data, such as contact information and location, that users have opted to provide to WhatsApp.

However, the app’s officials told the Guardian:

“WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor.”

Therefore, it is clear that although WhatsApp complies with law enforcement agencies, it does not directly allow anonymous spies to tap into WhatsApp group chats.

Haniah Shafi

Digital Entrepreneur | Brand Specialist | Researcher. I write on Cybersecurity, Digital Forensics, Business and Self-Help.