A recently discussed feature in WhatsApp, the messaging app used by more than 1 billion people worldwide, is not a backdoor. That’s the message from an open letter written by Turkish academic and commentator Zeynep Tufekci, and signed by around 30 cryptographers, security researchers, and other technical experts.
The letter comes after a much-castigated article in The Guardian from last week written by a freelance journalist, which interpreted an implementation of WhatsApp’s end-to-end encryption as a major security concern. The issue revolves around how WhatsApp generates new encryption keys for messages that cannot be immediately delivered, sometimes without warning the user; and how governments could force WhatsApp to take advantage of this alleged flaw in order to read some messages.
“The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning—even if after the fact),” the letter reads. “The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method.” When a security researcher highlighted the issue to Facebook in April 2016, the company said it was “expected behaviour,” according to The Guardian.
The letter’s signatories include Matthew Green, professor of cryptography at Johns Hopkins University who has previously written about a related issue with key verification in iMessage, Apple’s end-to-end encrypted message service. Cryptographer Bruce Schneier, security researcher Nicholas Weaver, and forensic scientist Jonathan Zdziarski also all signed the letter.
“You never should have reported on such a crucial issue without interviewing a wide range of experts,” the letter continues. “The vaccine metaphor is apt: you effectively ran a ‘vaccines can kill you’ story without interviewing doctors, and your defense seems to be, ‘but vaccines do kill people [through extremely rare side effects].’” The letter also recommends The Guardian retracts the story, and clarifies that the attack itself is very hard to accomplish.
Before the letter’s publication, The Guardian did change the headline of the piece to read vulnerability rather than backdoor. A Guardian spokesperson told Motherboard: “We are aware of Zeynep Tufekci’s open letter and have offered her the chance to write a response for The Guardian. This offer remains open and we continue to welcome debate.”
The most pressing claim from the letter is that the article has caused real damage.
“The story was carried in Turkey’s largest opposition newspaper, using your phrasing and paired with a statement by the head of Turkey’s internet administrative body—which oversees all the censorship and surveillance decisions—who quickly jumped to frame WhatsApp as unsafe. The message heard by activists, journalists and ordinary people around the world was clear: WhatsApp has a backdoor, it’s insecure, don’t use it,” the letter continues.
That is the worry: that people who could benefit from WhatsApp’s end-to-end encryption will perceive the app as totally unsafe and move to less secure options, such as SMS. (There is also the chance they will move onto options generally considered to have better security implementations too, such as Signal).
But security is always some sort of tradeoff, and with WhatsApp, its reliability and mainstream popularity is why many members of the general public may have picked it up in the first place.
“Activists and journalists communicate a lot with ordinary people, and need to be certain that their messages are communicated as reliably as possible, using the same system as their recipient will use–hence the advantage of WhatsApp with its huge user base,” the letter adds. In some contexts, someone switching to Signal may also explicitly mark them as an activist, the letter continues.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.