WhatsApp Backdoor allows Hackers to Intercept and Read Encrypted Messages



After introducing "end-to-end encryption by default" last year, WhatsApp has become the world's largest secure messaging platform with over a billion users worldwide.

But if you think your conversations are completely secure in a way that no one, not even Facebook, the company that owned WhatsApp, can intercept your messages then you are highly mistaken, just like most of us and it's not a new concept.

Here's the kick: End-to-end encrypted messaging service, such as WhatsApp and Telegram, contain a backdoor that can be used, if necessary, by the company and of course hackers, or the intelligence agencies to intercept and read your end-to-end encrypted messages, and that’s all without breaking the encryption.



No doubt most of the encrypted messaging services generate and store private encryption key offline on your device and only broadcast the public key to other users through the company's server.

Like, In the case of WhatsApp, we have to trust the company that it will not alter public key exchange mechanism between the sender and receiver to perform man-in-the-middle attack for snooping on your encrypted private communication.

Tobias Boelter, security researcher from the University of California, has reported that WhatsApp's end-to-end encryption, based on Signal protocol, has been implemented in a way that if WhatsApp or any hacker intercepts your chats by exploiting trust-based key exchange mechanism, you will never come to know if any change in encryption key has occurred in the background. YES, that's possible.

Let's Understand the Backdoor With A Simple Scenario:




Now every message sent from user A will get encrypted using the private key of A and the public key of B, which can be decrypted by user B only, using the public key of A and the private key of B.

Suppose: User B is offline, and user A has sent some messages to user B. But meanwhile, for some reason, the user B had to change the device and reconfigured same Whatsapp account on it. A fresh installation will force user B to re-generate new public and private keys pair for the same account.

And, later, whenever user B will come online again, the device will receive rest of the undelivered messages sent by A.



That's because, when user B comes online again, Whatsapp automatically exchange new keys b/w users without informing them and to successfully deliver same messages, WhatsApp of A will re-encrypt them using the newly received public key of B.

This is where the backdoor relies in the whole mechanism!

If a hacker (suppose user C) intentionally replace the public key of B with its own, all undelivered messages will get automatically re-encrypted and delivered to C, which can only be decrypted by private key of user C (hacker).

And It's a well-known fact that usability and security are inversely proportional to each other, and choosing usability over security doesn't end well.




Facebook Haven't Fixed It Since June, 2016




However, the researcher was told in reply that Facebook was already aware of the issue and justified it as an "expected behavior."
"WhatsApp says that it implemented the backdoor to aid usability. If the backdoor is not in place, messages sent to an offline user, who then changes their smartphone or has to re-install WhatsApp and in doing so generates new security keys for themselves, would remain undelivered once the user comes back online." The Guardian says.

"In many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit." a WhatsApp spokesperson told the Guardian.


How to Protect Yourself from Spying?



"Security codes are just visible versions of the special key shared between you - and don't worry, it's not the actual key itself, that's always kept secret."


Secure Alternative to Whatsapp




There are several alternatives, such as "Signal Private Messenger", itself, developed by Open Whisper Systems and it's most recommended secure message app.

Comments

Popular posts from this blog

How To Hack WIFI WPS pin With Kali Linux

World’s Fastest Camera Takes 5 Trillion Photos Per Second, Can Pause Moving Light

Reverse-Engineering the Peugeot 207’s CAN bus