WhatsApp and Backdoors

A few days ago, The Guardian published a very problematic article about the existance of a backdoor in WhatsApp. However, the backdoor doesn't exist and the problematic nature of the article was more about the lack of understanding it showed, rather than any real substance. Of course, this situation got worse as more and more people read the headlines and piled on to the mess without actually checking facts first. So of course, now there is a widespread idea that WhatsApp has a backdoor, and that this is news. Actually, the backdoor as such doesn't exist - it's a side effect of how all current end-to-end encryption system works, combined with certain decisions Facebook made about how the user interface should display events around this encryption that the article is talking about. None of this is in any way hidden, and any semi-competent security person should see the full implications of this behavior within five minutes of thinking about it.

Things became a bit more interesting when Moxie Marlinspike wrote a blog post clarifying the situation here. Very little that is said in that blog post should come as a surprise. However, there are a few details that I'd like to focus on, since they are illuminating of a real problem with WhatsApp, and why we should be careful here.

Specifically, the UI elements that are interesting for our discussion is first the indication of when someone's encryption key has changed, and second, the display of the so called "security code" you can use to verify that the person you're communicating with is who you think they are. The warning about changing encryption keys can be toggled, and I believe the default is for it to not be shown by default. Moxie makes a compelling argument for making that indication a warning, instead of a blocking notification - since this would reveal to the server whether someone has these warnings turned on.

Basically, what do you need in order to be able to do a MITM attack on a pair of whatsapp users? Well, first you need privileged network access. Since WhatsApp seems to be using certificate pinning that basically means you need to be on WhatsApp networks to do this kind of attack. (Or you could be Apple, since theoretically Apple could insert code to copy or transmit or in other ways mess with the transmissions, when WhatsApp is installed from the AppStore).

Once you have network access, you need to be able to proxy all traffic, and you ideally want to do that without the endusers noticing. In order to do a MITM attack on an end-to-end encrypted protocol you need to replace the conversation between Alice and Bob, with two new conversations between yourself and Alice, and between yourself and Bob, such that Alice and Bob still thinks they are talking to each other. If they have the above notifications turned on, this becomes really risky, since they will notice something weird is happening. So you only want to try this kind of attack if you know that they don't have notifications of key change turned on. And you only want to try it if there's not real chance that the users will verify the security codes. If either of those things happen, you might be discovered.

Moxie claims that WhatsApp very carefully considered how to avoid leaking the information about whether notifications are turned on or not to the server. But the problem here is that we have no way of knowing what the client is actually doing. At the end of the day, if the WhatsApp client has some malicious code in it, it would be impossible for us to verify that. Specifically, the WhatsApp client could have code to:

  • Selectively display the notification depending on what the servers instruct it to do
  • Allow the server to ask for the notification settings
  • Ask the server what security codes to display (instead of showing the real code).

All of these options allow for the server to do arbitrary MITM attacks without the end user having any chance of detecting this.

Since the WhatsApp client is not open source, and the protocol doesn't seem to be available anywhere - and since the client uses certificate pinning (which is good, btw) - we can't even check what the protocol allows for.

So - for sensitive situations we need to focus on free software and publicly documented and verifiable protocols. Without those, we can't really say anything about what something like WhatsApp is doing. Of course, the situation is even worse on mobile phones, since we wouldn't be able to really verify the binaries at all even if they were free software, since we can't build them and compare the binaries ourselves. But for now, Signal is definitely a better choice than WhatsApp if you care about the encryption feature.

(I am happy that WhatsApp rolled out encryption to their users. It's a good baseline improvement. However, WhatsApp encryption does not make any specific individual more secure.)