When users open the messaging app this week, they will see a notice in the chat window informing them that all their conversations are now secured with end-to-end encryption.
End-to-end encryption is a system of communication in which only the people communicating can read the messages. By design, no eavesdropper has access to the cryptographic keys needed to decrypt the conversation, including telecom providers, Internet providers and the company that runs the messaging service, so messages cannot be read or silently altered while in transit.
However, Lebanese hacker and blogger Jed Ismael – who famously hacked a Lebanese bank live on TV – has already challenged WhatsApp’s claim that all of its users’ content is end-to-end encrypted.
WhatsApp’s messages can be intercepted in transit but not read, because they are encrypted, or ‘locked’, using a key shared only by the sender and receiver; the messaging service lets users confirm they share that key with the right person through an authentication process, comparing a security code shown on both devices.
After the sender encrypts it with the recipient’s public key, the data travels as ciphertext, a string of apparently random, unreadable characters, until the receiver decrypts and reads it on the other side using the matching private key. Only the holder of that private key can view the message, and WhatsApp claims the key stays secret because it remains on the user’s device and is never stored on its servers.
But, as Ismael argues in his blog post:
‘Despite the current commercial propaganda, your public and private key are being generated using WhatsApp’s algorithm. Which means that Whatsapp is still in control of the security of your messages, they can get your private keys, moreover they can provide backdoors for governments and affiliates to spy on you.’
He warns users not to take at face value the claims messaging companies make about the privacy of their communications. In 2013, documents leaked by Edward Snowden showed that Skype had opened a back door that allowed Microsoft to hand its users’ messages to the NSA, despite the fact that those messages were officially encrypted.
With any system that relies on public keys, an attacker who can substitute their own public key for the recipient’s, for example by tampering with the service that hands out keys, can impersonate the recipient and read the messages meant for them: a man-in-the-middle attack. The verification step exists precisely to catch this, but only if both parties actually compare their security codes.
‘After reading the message, the hackers can once again encrypt this data using the original recipient’s public key, to send the messages and avoid detection,’ says Ismael.
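The substitution attack Ismael describes, and the key-verification step that is meant to defeat it, as an added example that is not code from the article, from Ismael or from WhatsApp: a toy Diffie-Hellman key agreement in Python. The group parameters, the SHA-256 counter-mode stream cipher and the way the ‘security code’ is derived are simplifying assumptions for illustration, not WhatsApp’s Signal Protocol implementation, which uses Curve25519 and a proper authenticated cipher. In the honest run the keys pass through the server untouched; in the second run ‘Mallory’, whoever controls key distribution, hands each party her own public key, reads the message and re-encrypts it for Bob, exactly as the quote above describes. The ciphertext gives Bob no hint, but the security codes the two phones would show no longer match.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption for illustration only: this prime is
# far too small to be secure; real deployments use Curve25519 or 2048-bit+
# MODP groups).
P = 2**127 - 1
G = 3


def keygen():
    """Return (private, public) where public = G**private mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte symmetric key from the DH shared secret."""
    secret = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hashlib.sha256(b"toy-e2e-key" + secret).digest()


def security_code(pub_a, pub_b):
    """The code two users compare out of band (assumption: a truncated hash of
    both public keys, sorted so either side computes the same value)."""
    lo, hi = sorted((pub_a, pub_b))
    return hashlib.sha256(lo.to_bytes(16, "big") + hi.to_bytes(16, "big")).hexdigest()[:12]


def _keystream(key, nonce, n):
    # SHA-256 in counter mode, a stand-in for a real cipher such as AES-GCM.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(x ^ y for x, y in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag, then strip the keystream; raises on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(x ^ y for x, y in zip(ct, _keystream(key, nonce, len(ct))))


def honest_exchange(msg):
    """Public keys reach the other side unchanged: Bob reads, codes match."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    k_alice = shared_key(a_priv, b_pub)
    k_bob = shared_key(b_priv, a_pub)
    return {
        "bob_reads": decrypt(k_bob, encrypt(k_alice, msg)),
        "alice_code": security_code(a_pub, b_pub),  # computed on Alice's phone
        "bob_code": security_code(a_pub, b_pub),    # computed on Bob's phone
    }


def mitm_exchange(msg):
    """Mallory, who controls key distribution, substitutes her own public key."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    m_priv, m_pub = keygen()
    # Alice receives m_pub believing it is Bob's; Bob receives m_pub believing it is Alice's.
    k_alice = shared_key(a_priv, m_pub)
    k_bob = shared_key(b_priv, m_pub)
    blob = encrypt(k_alice, msg)
    # Mallory decrypts with the key she shares with Alice, reads the message,
    # then re-encrypts it under the key she shares with Bob, so Bob notices nothing.
    plaintext = decrypt(shared_key(m_priv, a_pub), blob)
    forwarded = encrypt(shared_key(m_priv, b_pub), plaintext)
    return {
        "mallory_reads": plaintext,
        "bob_reads": decrypt(k_bob, forwarded),
        "alice_code": security_code(a_pub, m_pub),  # what Alice's phone shows
        "bob_code": security_code(m_pub, b_pub),    # what Bob's phone shows
    }


if __name__ == "__main__":
    ok = honest_exchange(b"meet at 9")
    bad = mitm_exchange(b"meet at 9")
    print("honest: codes match =", ok["alice_code"] == ok["bob_code"])
    print("mitm:   Mallory read", bad["mallory_reads"],
          "| codes match =", bad["alice_code"] == bad["bob_code"])
```

Nothing in the message flow reveals the substitution: Bob receives a validly authenticated ciphertext under the key he believes he shares with Alice. The only signal is the mismatch between the code Alice’s phone displays and the code Bob’s phone displays, which is why the comparison has to happen over a channel the key distributor does not control (in person, or by reading the code aloud on a call).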
In any case, Ismael argues that even a perfectly encrypted platform’s communications are only as secure as the users’ devices, and with new malware strains appearing almost daily, nobody is entirely safe.
‘Although many protocols and additional measurements can be used to make the hackers’ job harder, end-to-end encryption is never guaranteed to be full proof [sic].’
‘Do not take companies’ promises to keep your data safe seriously, even if Whatsapp means well, this article highlights details on WhatsApp end-to-end encryption that everyone else is afraid to tell you,’ he writes.
‘I’ve hacked banks and companies that claimed high security in the past, just to prove a similar point.’
Information Age has reached out to WhatsApp for a response.