Thoughts on WhatsApp E2E Encryption AKA Security Is Real Only if It's the Default.



Yesterday Tobias Boelter posted an article on his blog which essentially highlights a message retransmission vulnerability in WhatsApp: if the recipient’s key has changed, the message is sent anyway and leaks sensitive information, and the user is only alerted after the message has been sent.
The Guardian then picked up the story and published the article “WhatsApp vulnerability allows snooping on encrypted messages”.

In a matter of hours, a shitload of experts (and unfortunately also a lot of people who are not experts at all) pointed their fingers at The Guardian, arguing that it’s not a backdoor, along with all other kinds of sterile polemics. At some point Moxie from Open Whisper Systems, the nonprofit organization that made Signal (the only really secure messaging app we’re aware of, and the library that WhatsApp recently integrated in order to give E2E encrypted messaging to all of its users), published this on their blog: “There is no WhatsApp ‘backdoor’”, which seemed to put the word END to this conversation.

I do not agree and, since a lot of ego is going on here, I’d like to share my thoughts as well.

First things first: following the sacrosanct PoC||GTFO principle, let’s take a look at the video that Tobias recently uploaded.

In the video Tobias just swapped the SIM card into the other phone to prove his point, but it’s quite clear that, from a state-sponsored attacker’s perspective, physical access to the SIM card or the victim’s phone is not needed at all: there are plenty of easier ways for them to do that (pretty much like Russia did with SS7 & Telegram users).

Long story short, if WhatsApp technicians manage to replace your recipient’s E2E encryption key on the server side and impersonate him (or manage to clone his SIM on the telco side), your sensitive message will be sent anyway. The client will show you just a warning about the key change but nevertheless, let’s say it again, your sensitive message will be sent anyway … and they’ll be able to read it, period.

On the other hand, Signal prevents this from happening: once it detects that the key has changed, it blocks the conversation and warns the user about it. It is then up to the user to decide whether to trust the new key or not; regardless, the sensitive contents won’t be retransmitted without the user allowing it. This is a subtle but very important detail.
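A toy model of the two sender-side policies described above, as an added example that is not from the original post and is not WhatsApp’s or Signal’s code. The class, the key labels and the `wire` list (which records the key each pending message would be encrypted to) are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    """Toy sender-side model of pending messages and a recipient key change."""
    block_on_key_change: bool   # True = blocking policy, False = notify-only policy
    trusted_key: str            # recipient identity key the sender last saw
    pending: list = field(default_factory=list)   # sent but not yet delivered
    wire: list = field(default_factory=list)      # (key_used, plaintext) leaving the device
    warnings: list = field(default_factory=list)  # what the user is shown, in order

    def send(self, text):
        self.pending.append(text)

    def on_server_key(self, key):
        """The server reports the recipient's current identity key."""
        if key == self.trusted_key:
            self._flush()
        elif self.block_on_key_change:
            # Blocking policy: nothing leaves the device until approve() is called.
            self.warnings.append("key changed: conversation blocked")
        else:
            # Notify-only policy: pending messages go out under the new key first,
            # the warning is displayed afterwards.
            self.trusted_key = key
            self._flush()
            self.warnings.append("key changed (shown after the resend)")

    def approve(self, key):
        """Explicit user decision to trust the new key."""
        self.trusted_key = key
        self._flush()

    def _flush(self):
        self.wire += [(self.trusted_key, m) for m in self.pending]
        self.pending.clear()


def run(block):
    c = Client(block_on_key_change=block, trusted_key="KEY_BOB")
    c.send("sensitive message")     # recipient offline, message stays pending
    c.on_server_key("KEY_UNKNOWN")  # constructed label: a key the sender never verified
    return c
```

With `run(False)` the pending message ends up on the wire under the unverified key before any warning exists; with `run(True)` it stays in `pending` until `approve()` is called.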

But it’s just a matter of settings!

Yes, they do implement the same protocol and no, we don’t have any real evidence that Facebook messed with it; still, they created (either intentionally or not) a very serious security vulnerability for their users.

And intentionality is exactly what we’re talking about: if it was intentionally implemented to spy on users it’s a backdoor, otherwise it’s not a backdoor … but we don’t know, we never will, and honestly it’s just a stupid and pointless waste of time to discuss it further.

Usability? Really?

But the point is, why implement E2E encryption in the first place if, when the keys do not match what is expected, the client transmits the message anyway? Usability? The usability of what? Because E2E encryption is not usable that way; the client itself might be, but definitely not the underlying protocol, which should guarantee the users’ privacy on top of everything else.

Moreover, do you really expect the average WhatsApp user to understand what that yellow balloon means if you don’t clearly block the conversation and warn him about what happened? Is this usability? COME ON!

I think Moxie just missed the point, which is not the key being changed, but the client retransmitting the message regardless!
I used to respect him for his life-long battle for privacy, but reading his post it’s quite clear how his opinion is biased towards Facebook.

Conclusion

I’m not a cryptographer or a crypto expert of any kind, but I’ve spent quite a few years working on MITM attacks and tools, I’m well aware of how easy it is for anyone to exploit the information you leak on a network, and I’m well aware that state-sponsored attackers have trillions of other ways to do that more easily and transparently (for the user, of course) … we should just stop the drama about it being a backdoor or not and focus on what really matters:

It is definitely a serious security issue for the users’ privacy and Facebook refused to fix it.

There’s really nothing more than that to say.