Technical / Backdoor, unencrypted cloud backups can affect WhatsApp users

Livemint : May 20, 2019, 12:05 PM

After the recent spyware attack on WhatsApp, which allowed attackers to spy on targeted users by giving them access to the device's camera and microphone, WhatsApp has been criticised for making tall claims about security and failing to live up to them.

Many cyber security experts believe that the spyware attack, which was carried out through a voice over internet protocol (VoIP) call on WhatsApp regardless of whether the user answered the call, doesn't affect the chats and conversations that are encrypted by WhatsApp.

However, Pavel Durov, founder of Telegram, in an official blog post, claims that WhatsApp's encryption is a sham and that it will never be secure.

“Every time WhatsApp has to fix a critical vulnerability in their app, a new one seems to appear in its place. All of their security issues are conveniently suitable for surveillance, and look and work a lot like backdoors,” he notes.

Durov has alleged that the Facebook-owned company is secretly working with government agencies in the US and several other countries and has created backdoors so they can spy on their citizens. He points out that unlike Telegram, WhatsApp is not open source and doesn't publish its code, so there’s no way for a security researcher to easily check whether there are any backdoors in it.

“Many application developers obfuscate their application code in order to make it harder for the bad guys to repackage and spread the application with their malicious code,” Nikolaos Chrysaidos, Head of Mobile Threat Intelligence and Security at Avast, told Mint.

However, experts opine that a backdoor in any encrypted platform is not safe for users. Oded Vanunu, Head of Products Vulnerability Research, Check Point, cautions that a backdoor can open doors to attacks, as cybercrime has reached a very high level of sophistication. Cybercriminals have the budgets and knowledge to reverse engineer technologies, just as nations do.

However, Chrysaidos adds that, unlike other vulnerabilities, backdoors that were specifically planted by a platform's developers are not easy to discover, though discovering them is possible.

WhatsApp declined to comment on Durov's allegations when we reached out to them.

Durov further argues that when WhatsApp introduced end-to-end encryption, it also started pushing users to take backups of their messages in the cloud. What users didn't know is that when backed up, messages are no longer protected by end-to-end encryption and can be accessed by hackers and law enforcement agencies.

Avast's Chrysaidos notes that it is true, and it's clearly stated in WhatsApp's backup settings. However, he feels that WhatsApp could easily implement an encrypted external backup, to prevent someone with access to your Google account or internal phone storage from accessing the data.

Regarding backed-up data being more vulnerable to hackers and snooping by governments, Check Point's Vanunu says, “backup locations are prone to hack but it’s not only WhatsApp backup that would be at risk but everything you back up on cloud.”

Telegram was one of the first messaging services to offer end-to-end encryption. WhatsApp introduced full encryption in 2016. Telegram was banned in Russia in 2018 after it refused to give the Federal Security Service (FSB) access to its decryption keys. A few months later, Telegram was banned by the Iranian government for being used to secretly encourage armed uprisings.

WhatsApp is available in Russia, but reportedly blocked in China, Iran, North Korea and Syria.

Government agencies the world over, including the FBI in the US, have raised concerns over encryption, claiming it makes it harder for them to keep track of terrorist activities on such platforms.

In 2018, FBI director Christopher Wray told the press that the inability of law enforcement agencies to access data on electronic devices protected by encryption is an urgent public safety issue.

In January, the Information Technology Ministry of India proposed new intermediary guidelines, under which intermediaries should use automated tools to proactively identify and remove unlawful content. Industry experts had criticised these, pointing out that this wouldn't be possible without breaking encryption or building a backdoor into apps that encrypt messages.