‘User can’t rely on end-to-end encryption in WhatsApp’ – update

Spread the love

The end-to-end encryption implemented in WhatsApp is incomplete and not to be trusted, concludes the German Heise Security after an analysis of the popular chat client. For example, iPhones do not support e2e encryption and the encryption process is insufficiently transparent.

WhatsApp has activated end-to-end encryption by default in the Android versions of its chat client since November last year, but that does not in any way guarantee the user that his messages will be sent encrypted, according to Heise Security. Using tools such as Wireshark and Yowsup, they looked at the message traffic that WhatsApp generates when sending and receiving messages.

Testing using a classic man-in-the-middle setup revealed that messages between two Android clients were actually encrypted end-to-end using what’s known as the TextSecure protocol. However, when a message was sent to an iOS client, TextSecure was not applied. That’s because the WhatsApp app for iPhones doesn’t support this form of encryption. It was therefore fairly easy to intercept and decrypt the test message in the meantime.

To basicly encrypt messages, WhatsApp has been using RC4 encryption for some time when end-to-end encryption between clients is not possible. This algorithm has long been seen as insufficiently secure, but an attacker still has to make an effort to decrypt a message. As a result, RC4 offers some security against large-scale decryption of data, for example by tapping the backbone. Another weakness is that for each message the key is generated based on a user password. Because, according to Heise, WhatsApp has never provided insight into how its servers deal with this less strong encryption, this also remains a vulnerable point.

According to Heise, there are even more problems with the current implementation of e2e encryption in WhatsApp. For example, it is unclear whether this form of encryption is always used if it is technically possible. For example, there is the possibility that encryption will be disabled in certain cases, for example at the request of intelligence services. In any case, there is a mechanism to disable end-to-end encryption, such as when a message is sent to an iPhone. Furthermore, due to the proprietary code of the WhatsApp client, it is not certain whether the used key cannot still be obtained by a third party. Finally, the testers point out that the WhatsApp client does not inform the user whether e2e encryption is used.

The creator of the e2e protocol, Open Whisper Systems, has responded to Heise’s article on Reddit. They state that the implementation of end-to-end encryption for WhatsApp is still being worked on and that it will take place step by step.

Update, 11:00: Response from Open Whisper Systems has been added.

You might also like
Exit mobile version