Encryption of WhatsApp messages, introduced last year by the application to protect users' conversations from possible spies, may not be as safe as previously thought. Contrary to what Facebook claims, it appears that it is, in fact, possible to intercept messages sent through WhatsApp.
The discovery was made by Tobias Boelter, a security and encryption researcher at the University of California, Berkeley, in the US. According to him, the flaw has to do with how WhatsApp handles the Signal Protocol, used in its encryption system.
When a user sends a message to another, the application generates a key that is exchanged between the sender and the receiver and ensures that the conversation is safe. In other words, it is like a key that "locks" the message when it leaves your phone and "unlocks" it when it reaches your contact's phone.
It turns out that if, for some reason, the receiver goes offline after the message was sent from the sender's phone, WhatsApp generates a new security key. The first version of the encryption is discarded and the new key encrypts the message again, for the second time.
To "unlock" the message and "lock" it again with another key, WhatsApp gains access to your conversation and can even, in theory, read your messages if it wants to. The problem, according to Tobias, is not the protocol used by the app, but the way it is used.
The Signal protocol was developed by Open Whisper Systems and is used in another encrypted messaging application, also called Signal. This app is used and recommended by Edward Snowden, the former NSA analyst who revealed the US government's espionage methods to the world.
Signal, using the same encryption system, does not suffer from this security flaw. If the recipient is offline during the chat, the app simply warns that the message cannot be delivered, forcing the sender to write the message and send it again when the contact comes back online.
That is not what happens in WhatsApp. The app can warn you when your security key is changed, but you must activate this alert in the application settings. Either way, there is no way to stop it. "If the government of any country asks WhatsApp to expose your message records, it can effectively do this by changing the security keys", Tobias explained to the British newspaper The Guardian.
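The difference between the two behaviours described above can be modelled in a few lines. This is an added example, not code from WhatsApp, Signal or the original article; the `Sender` class, its fields and the sample keys are hypothetical, and no real cryptography is performed.

```python
# Added illustration: simplified model of the sender-side policy, not WhatsApp or Signal code.
import hashlib
from dataclasses import dataclass, field


def fingerprint(identity_key: bytes) -> str:
    """Short fingerprint of a contact's key (constructed format for this example)."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


@dataclass
class Sender:
    blocking: bool            # True: fail delivery on key change; False: re-encrypt and resend
    notify: bool = False      # optional "security key changed" alert, off by default
    trusted: dict = field(default_factory=dict)  # contact -> fingerprint first seen
    pending: list = field(default_factory=list)  # (contact, plaintext) awaiting delivery
    alerts: list = field(default_factory=list)   # what the user is actually shown

    def send(self, contact: str, key: bytes, text: str) -> None:
        self.trusted.setdefault(contact, fingerprint(key))
        self.pending.append((contact, text))  # recipient offline: message stays queued

    def on_key_change(self, contact: str, new_key: bytes) -> list:
        """Server reports a new key for `contact`. Returns (fingerprint, text)
        pairs for every queued message released under the new key."""
        new_fp = fingerprint(new_key)
        if new_fp == self.trusted.get(contact):
            return []
        queued = [t for c, t in self.pending if c == contact]
        self.pending = [(c, t) for c, t in self.pending if c != contact]
        if self.blocking:
            # Nothing is sent to the unverified key; the user must resend.
            self.alerts.append(f"{len(queued)} message(s) to {contact} not delivered")
            return []
        self.trusted[contact] = new_fp  # new key accepted without user action
        if self.notify:
            self.alerts.append(f"security key for {contact} changed")
        return [(new_fp, t) for t in queued]


def demo(blocking: bool, notify: bool = False):
    s = Sender(blocking=blocking, notify=notify)
    s.send("bob", b"bob-key-1 (constructed)", "meet at 9")
    released = s.on_key_change("bob", b"unverified-key-2 (constructed)")
    return released, s.alerts
```

With `blocking=False` and `notify=False`, `demo` returns the queued message bound to the new key together with an empty alert list, which is the silent case the article describes.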
The researcher also said that Facebook, owner of WhatsApp, was informed of this loophole in April last year. According to Tobias, however, the company said it was "expected behavior" and did not commit to doing anything about it. The flaw was confirmed by other organizations contacted by The Guardian, such as EBOHR (European Organisation for Human Rights).
In a statement, WhatsApp said it is aware of this and stressed that users can be notified of changes in the encryption protocol. "We know that the most common reason for this to happen [exchanging security keys] is when a user changes phones or reinstalls WhatsApp", the company said.
"In many parts of the world, people frequently change handsets and SIM cards. In these situations, we want to make sure that messages will be delivered and not lost on the way", WhatsApp also said. The statement, however, does not confirm whether the company can or cannot read users' messages thanks to this key exchange system.
It is not the first time the privacy promised by WhatsApp has been called into question by its own actions. Last year, the app announced it would share user data with Facebook. The company ended up facing legal action from the European Commission over the change.
In Brazil, the service was blocked more than once in recent years by judges who wanted WhatsApp to release data on people under investigation. On all occasions, the company said it was unable to access users' conversations. If Tobias's allegations are true, the conclusion is that WhatsApp could, in fact, have delivered what the Brazilian courts asked for before being blocked.