Why WhatsApp is not as secure as you thought it was, even before The Guardian’s most recent revelations about a ‘back door’
There’s been a lot of discussion in the media recently about the privacy of calls and messages sent via mobile phones, with some commentators advocating apps like WhatsApp as the answer. While it is true that messages, and now calls, made using WhatsApp are encrypted and therefore should be secure, in fact, there are still gaping holes.
Not least is the so called ‘back door’ revealed by The Guardian in its article ‘ Whatsapp back door allows snooping on encrypted messages’ which explains how ‘WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages’ it goes on to state that ‘The vulnerability calls into question the privacy of messages sent across the service, which is used around the world, including by people living in oppressive regimes.’ And ‘can be used by government agencies to snoop on users who believe their messages to be secure.’
This is another example of just how important it is to keep control of your own data and using a free app over which you have no control, simply isn’t good security practice. As Tim Cook summarised the situation very well when he said: ‘A few years ago, users of Internet services began to realise that when an online service is free, you’re not the customer. You’re the product!’
Even before this latest revelation, there are other security holes in Whatsapp that anyone that wants to keep their conversations private should be aware of.
Susceptible to the SS7 hack
First, the app itself. Though its media encryption uses the respected Signal protocol, WhatsApp has been shown to be susceptible (like similar applications) to attacks, for example using flaws in SS7 that allow an attacker to mimic a victim’s device. SS7 stands for Signalling System No 7 (also called the Common Channel Signalling System 7 in the US or Channel Interoffice Signalling 7 in the UK), and is the system that connects mobile phone and landline networks to each other. SS7 protocols enable phone networks to exchange information needed to process calls and text messages across disparate networks (including roaming on foreign networks), and to ensure correct billing. It also enables local number portability, prepaid payments, SMS and number translation. However, SS7 was designed nearly 40 years ago, long before phone hacking was considered a serious threat.
Whatsapp depends on the integrity of your mobile phone number to identify you, but this can be faked at the SS7 level because of the many vulnerabilities in that system (this particular issue was discovered in 2008 and made public in 2014). Hackers can then take on a victim’s Whatsapp identity and send and receive messages to other users. Of course, a hacker with access to the SS7 system can also transparently control normal voice and SMS services to and from a mobile, intercepting calls, reading SMS messages, and tracking the phone’s location.
Apart from eavesdroppers listening in to your potentially sensitive conversations, where they may gain commercially valuable information, one of the biggest dangers is the interception of two-step verification codes. WhatsApp may be secure once provisioned, but if the verification code is intercepted during set-up the app will be compromised. This vulnerability is equally true for Telegram, Viber and any other apps that use this form of authentication, just as it is for banking and other sensitive web transactions that send codes by (insecure) SMS. For those that are likely to be targeted due to the work that they do (government, military/defence, handling commercially sensitive information like intellectual property, company secrets, financial transactions, sales deals, etc.), this is a relatively easy hack, and one that you wouldn’t know about until it was too late.
No control over who has your data
Second, the company. WhatsApp is now owned by Facebook, who have declared to their shareholders that once the number of users of WhatsApp reach 1 billion they will look to monetise. That means sharing your details with advertisers and who knows who else.
This is seen as such a serious situation by the UK Government that the Information Commissioner’s Office (ICO) has intervened and as a result Facebook has agreed to ‘pause’ its plan to share data with advertisers. However, it continues to share data for what it describes as spam fighting services.
Even when a service claims that it has no access to your encrypted data, it still has access to “metadata”, such as the date and time of calls and messages, the mobile phone numbers of the recipients or senders of each call or message, and (depending on the application), other information such as your location, native contact lists and the like – all of which a security-minded user might prefer not to have collected by a company such as Facebook.
You get what you pay for
WhatsApp may be free, but there is a price to pay. With any free app you don’t really know who has access to your information. And you certainly don’t know who will have access to it in the future as organisations are acquired and personal data becomes a lucrative asset to be traded.
You might also want to avoid a proprietary system where the vendor wants to lock in its users and so has no interest in promoting interoperability with competitor systems; fine for a social media app but not helpful if you want to link together a variety of organisations, where a standards-based solution would be much more logical.
If you would prefer that your sensitive conversations remain private you should take positive steps to ensure that they stay that way. That means using security applications that you control, so that you know exactly where your data is being held and who has access to it. When provisioning new security services be sure to follow strict security best practice. SMS for activation or authentication simply isn’t secure. Better options include multi-part activation details that can be distributed via separate channels, whether handed over personally, or sent via encrypted email, or best of all, managed from a central distribution point, which is within your organisation’s control, or managed on your behalf by a Government-certified, trusted supplier.
As with everything in life, you get what you pay for. Free apps have their place in leisure time for casual use, but when it comes to business, your intellectual property, state secrets, or commercially valuable information, you really can’t put your trust in something that you don’t control just because it is free.
About Andy Lilly
Andy Lilly is Director and Co-Founder of Armour Communications. He has a proven track record of delivering challenging, leading-edge research and development solutions into global markets, having held leadership positions at multi-national organisations as well as VC-funded start-ups. Andy has been instrumental in delivering military-grade secure communications systems as well as solutions suitable for use in commercial environments for over 25 years.