‘User can’t rely on end-to-end encryption in WhatsApp’ – update


The end-to-end encryption implemented in WhatsApp is incomplete and not to be trusted, concludes the German publication Heise Security after an analysis of the popular chat client. For example, the iOS client does not support e2e encryption at all, and the encryption process is insufficiently transparent.

WhatsApp has had end-to-end encryption switched on by default in the Android versions of its chat client since November last year, but according to Heise Security that in no way guarantees the user that their messages are actually sent encrypted. Using tools such as Wireshark and Yowsup, the testers examined the message traffic that WhatsApp generates when sending and receiving messages.

Testing with a classic man-in-the-middle setup showed that messages between two Android clients were indeed encrypted end-to-end using the TextSecure protocol. However, when a message was sent to an iOS client, TextSecure was not applied, because the WhatsApp app for iPhones does not support this form of encryption. It was therefore fairly easy to intercept and decrypt the test message in transit.

Where end-to-end encryption between clients is not possible, WhatsApp has for some time fallen back on RC4 as a basic layer of encryption. This algorithm has long been regarded as insufficiently secure, but an attacker still has to make some effort to decrypt a message, so RC4 does offer some protection against large-scale decryption of traffic, for example by tapping the backbone. Another weakness is that the key for each message is derived from a user password. Because, according to Heise, WhatsApp has never given any insight into how its servers handle this weaker encryption, this too remains a vulnerable point.
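The following is an added illustration, not code from WhatsApp or from Heise, of why a transport key derived only from a user password is weak regardless of the cipher wrapped around it. It uses RC4 because that is the algorithm the article names. The derivation scheme (PBKDF2-SHA1, a fixed salt, 1000 iterations), the password list and the sample messages are all constructed assumptions for the demonstration; the article does not describe how WhatsApp actually derives the key, and nothing here models that.

```python
"""Added example: a password-derived RC4 transport key is only as strong as the password.

Assumptions (not from the article): key = PBKDF2-SHA1(password, fixed known salt),
the attacker holds captured ciphertext plus a candidate password list, and every
message under the same password uses the same key. All inputs are constructed.
"""
import hashlib
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XORed in
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


SALT = b"constructed-fixed-salt"  # assumed fixed and known to the attacker


def derive_key(password: str) -> bytes:
    """Password -> 20-byte RC4 key. Deterministic: same password, same key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), SALT, 1000, dklen=20)


def encrypt(password: str, plaintext: bytes) -> bytes:
    """Transport encryption as assumed here: RC4 under the password-derived key."""
    return rc4(derive_key(password), plaintext)


def crack(ciphertext: bytes, candidates: Iterable[str], known_prefix: bytes) -> Optional[str]:
    """Offline dictionary attack. The 'effort' the article mentions is bounded by
    how guessable the password is, not by RC4's key size: the attacker just
    derives a key per candidate and checks for a plausible plaintext prefix."""
    for pw in candidates:
        if rc4(derive_key(pw), ciphertext).startswith(known_prefix):
            return pw
    return None


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two messages under the same key share the same RC4 keystream, so XORing
    the ciphertexts cancels it and yields plaintext1 XOR plaintext2 with no key
    at all. One known message then reveals the other."""
    n = min(len(c1), len(c2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed sample traffic: two messages from one user, same password.
    pw = "hunter2"
    p1 = b"msg:meet at ten"
    p2 = b"msg:bring docs!"
    c1, c2 = encrypt(pw, p1), encrypt(pw, p2)

    wordlist = ["letmein", "hunter2", "password123"]   # constructed candidate list
    print("recovered password:", crack(c1, wordlist, b"msg:"))

    leak = keystream_reuse_leak(c1, c2)
    print("p2 recovered from p1 + ciphertexts:", xor_bytes(leak, p1))
```

The two functions show the two distinct problems: `crack` that the secret protecting the transport is the password, and `keystream_reuse_leak` that a stream cipher keyed deterministically from that password leaks across messages even to someone who never recovers the key. Whether WhatsApp's real derivation adds a per-message salt or nonce is exactly the detail the article says was never disclosed.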

According to Heise, there are even more problems with the current implementation of e2e encryption in WhatsApp. For example, it is unclear whether this form of encryption is always used when it is technically possible; there may be cases in which it is switched off, for instance at the request of intelligence services. In any case, a mechanism to disable end-to-end encryption does exist, since it is used when a message is sent to an iPhone. Furthermore, because the WhatsApp client is closed source, it cannot be verified that the key in use cannot still be obtained by a third party. Finally, the testers point out that the WhatsApp client does not tell the user whether e2e encryption is being used.

The creator of the e2e protocol, Open Whisper Systems, has responded to Heise’s article on Reddit. They state that the implementation of end-to-end encryption for WhatsApp is still in progress and that it will be rolled out step by step.

Update, 11:00: Response from Open Whisper Systems has been added.
