back to article Oh, for F...acebook: WhatsApp, critics spar over alleged 'backdoor'

WhatsApp’s end-to-end encryption can be potentially exploited by determined snoops to intercept and read encrypted messages, it was claimed today. Essentially, if an attacker can reroute a redelivered encrypted message, it is possible to decrypt the text. Facebook-owned WhatsApp stresses this is not a serious flaw nor a …

  1. Anonymous Coward
    Anonymous Coward

    "doubly damming".

    That's rather damning of the person who wrote down this fine chap's comments.

    1. Anonymous Coward
      Anonymous Coward

      Perhaps this is a reference to the Muscles from Brussels. His movies always showed the same kick twice from different angles...thus giving the impression of being "double dammed".

  2. Ogi

    Facebook?

    So, a company that makes money spying on you, has been found to have a backdoor in one of its free apps to spy on you?

    Colour me surprised! The only way you can fight this is by not using the service, and trying to discourage others from using it.

    I left whatsapp the moment the Facebook purchase was mentioned. I also never liked the fact they could "restore my history" when I wiped and reinstalled my phone. That always told me than an entire copy of everything I have ever written is sitting somewhere on their servers.

    However I don't seem to be able to delete my account. People who still use whatsapp mention my profile is still there and active, even though messages never get delivered. Not sure if you just have to wait a long while before they delete you, or, like facebook itself, once you check in, you can never check out (so you appear to be a "user" of the service in their market reports, even if you haven't logged in for years).

    1. Anonymous Coward
      Anonymous Coward

      Re: Facebook?

      So, a company that makes money spying on you, has been found to have a backdoor in one of its free apps to spy on you?

      Colour me surprised! The only way you can fight this is by not using the service, and trying to discourage others from using it.

      Not only that, even before it sold out to Facebook it was already collecting address books from people.

      For those who don't know what that does, read up on Gordon Welchman's work during WW II. In some ways his work was even more important than Alan Turing's -whose work he also improved- as he is pretty much the father of meta-data analysis. Unfortunately, because he was not that bright when it came to clearing books about secret stuff before publication (on account of the fact that bureaucracy and logic will never, ever meet) he lost his clearance in later life and sank into obscurity.

      Motivation matters when you evaluate software. WhatsApp never was about security or protecting the user.

      1. KarateMonkey

        Re: Facebook?

        "For those who don't know what that does, read up on Gordon Welchman's work during WW II"

        Indeed Welchman's work was of massive importance - much it remains the basis for modern SIGINT, which is highly highly classified stuff.

        For that reason the US Govt came down on him like a ton of bricks when he eventually decided it was long overdue time to publish the "Hut 6 Story" decades after the war - at which time he was working for an American defence firm and had elevated security clearance in the US.

        As a result, rather than a hero he should have been, he sadly died an obscure and broken man.

        1. Wzrd1 Silver badge

          Re: Facebook?

          "As a result, rather than a hero he should have been, he sadly died an obscure and broken man."

          Which is the eventual end of anyone who works with highly, highly classified information.

          From a chap who knows far too much about such things, although I'm far from broken. Merely folded, spindled and mutilated.

    2. 45RPM Silver badge

      Re: Facebook?

      The problem is that most people don’t really understand security. They understand the need to lock their door - but the need to keep their data safe is either a mystery or unimportant to them. So they sign up for Facebook in droves, and use mobile phones without securing* them (i.e. use with the default settings, and with all the manufacturer installed crapware in place).

      You can shout about how stupid this state of affairs is until you’re blue in the face, but it won’t make one iota of difference. And, ultimately, (and unless you’re as misanthropic as me) you’ll probably want to stay in touch with them - so you’ll shrug your shoulders and join Facebook too (albeit that you’ll probably take a few sensible precautions, otherwise known as lying about some of your personal data).

      I take the hard line - I won’t use this crap, if you want my personal data then you can damn well pay me for it (assuming that I want to sell) - and if you want to contact me then use email.

      *insofar as you can ever secure any device - and especially a device with a baseband chip in it. But thats an entirely different kettleful of scary.

      1. Wzrd1 Silver badge

        Re: Facebook?

        "and if you want to contact me then use email."

        Well, at least you're falling back to a secure messaging technology.

        Well, as secure as a shout on a bloody crowded street.

        So, that personal data that you'd sell? I'll give you a half-pence for it.

    3. IsJustabloke
      Stop

      Re: Facebook?

      "like facebook itself, once you check in, you can never check out (so you appear to be a "user" of the service in their market reports, even if you haven't logged in for years"

      This old bollocks.... if you delete your account from Facebook then it's gone. You get 7 days to change your mind during which it's simply hidden but after that... it's gone. It no longer exists as a profile.

      1. Woodnag

        I suspect not

        More likely that when you delete/close/end your account with FB, your history and activity remain their property for their continued correlations for as long as there is value to it. Which is forever...

      2. VinceH

        Re: Facebook?

        "This old bollocks.... if you delete your account from Facebook then it's gone."

        It's not quite as gone as you might believe. These are the instructions you have to follow to 'delete' your account. (or at least, that's what the instructions were when I did just that, nearly three years ago).

        In April 2015, I decided to test just how deleted it was, and went through the steps of setting up a 'new' account - but used the same email address. This was the message I saw.

        How could I possibly be able to "regain access" to my old account if "when you delete your account from Facebook then it's gone" ?

        1. sabroni Silver badge

          @VinceH, facebook don't delete

          Hi Vince,

          They could generate that message based purely on your email address. Unless you follow it through and actually re-open your account how do you know they had any more information than that? I know that keeping your email address isn't totally deleting all your information, but if that's all they've got it's not the problem that it would be if they still had everything.

          Fancy taking one for the team and actually setting your account up again, just to see exactly what they've still got? (I've never been on facebook, or I would give it a go.)

          Sabroni

      3. Anonymous Coward
        Anonymous Coward

        Re: Facebook?

        This old bollocks.... if you delete your account from Facebook then it's gone. You get 7 days to change your mind during which it's simply hidden but after that... it's gone. It no longer exists as a profile.

        OK, so you actually believe what people tell you, even when there is a clear conflict of interest in play? I have a bridge for sale..

        1. Wzrd1 Silver badge

          Re: Facebook?

          "OK, so you actually believe what people tell you, even when there is a clear conflict of interest in play? I have a bridge for sale.."

          Do enjoy that bridge. No date/time stamps, heaven knows when each message box was generated.

          But, it's comforting to know that you trust random strangers on the intertubes. Might you be tempted into considering an all expense paid vacation, where you could enjoy your generic Viagra, while toasting your success in that Nigerian investment?

          1. anonymous boring coward Silver badge

            Re: Facebook?

            "while toasting your success in that Nigerian investment?"

            You shouldn't make fun of this!

            My Nigerian fund manager tells me I'm up 225% on my only two year long investment!

            Nod bad!

    4. Anonymous Coward
      Anonymous Coward

      Re: Facebook?

      "I left whatsapp the moment the Facebook purchase was mentioned"

      Yep, me too.

      Fortunately at that time I bailed it was still possible to entirely delete your WhatsApp account ... something I didn't trust to still be possible post-aquisition by their new overlords.

      A quick g££gle indicates that this may still be possible:

      To delete your WhatsApp account

      * Ensure you have the latest version of WhatsApp. ...

      * Open WhatsApp and go to WhatsApp Settings > Account > Delete My Account.

      * Enter your phone number in the full international format.

      * If you are certain you want to delete your WhatsApp account, tap Delete My Account.

      If you've done that and can still see your account details online, thats pretty much what I feared.

      1. Ogi

        Re: Facebook?

        > If you've done that and can still see your account details online, thats pretty much what I feared.

        I think it depends on when you found out about the acquisition. I wasn't paying much attention, and only when it hit more "mainstream" news did I find out facebook was taking over whatsapp. Chances are at that point facebook may have already made it a point of the merger contract to not actually delete profiles.

        If you found out earlier, than perhaps you stood a chance to extricate yourself from it. You can't be sure, even if someone tries to view/search for you via whatspp using your number (as it might just be "hidden").

        Sometimes it feels like you have to be constantly on your toes and mobile technologically to stay out of the grasp of these companies.

        As others have noted, most people don't realise/care so much, so unless you want to be that "one guy" nobody can get in touch with except through a dedicated app nobody else uses (and keeps changing), most people eventually give in.

        1. Wzrd1 Silver badge

          Re: Facebook?

          "If you found out earlier, than perhaps you stood a chance to extricate yourself from it."

          Because, backup technology was introduced yesterfuckingday, right?

    5. evilhippo

      Re: Facebook?

      "So, a company that makes money spying on you, has been found to have a backdoor in one of its free apps to spy on you?"

      Except it hasn't, it was just another Guardian "fake news" story. Did you actually read the whole article?

  3. wolfetone Silver badge
    Black Helicopters

    "vulnerability"

    Yeah, right.

  4. thomn8r

    If you think this was an accident, I have a bridge to sell you...

  5. Anonymous South African Coward Bronze badge

    SWITCH OVER TO TELEGRAM STOP DITCH WHATSAPP STOP DITCH FACEBOOK STOP

    1. Anonymous Coward
      Anonymous Coward

      I will switch to nothing but software of known origin of which I have met the authors and have had an independent security evaluation done. In my line of work, you trust nothing until at least two independent evaluations confirm that it's kosher, and the authors and the company behind them are not exposed to leverage to "add features" under duress.

      As for Facebook, they proved me wrong. When they started I thought that only Google could grab so much data unchallenged, and I must give them credit for coming up with a model that allows the victims to believe they're actually doing them a favour. Worse, getting companies to only offer support through there so customers have no choice but to sign up was an extra stroke of genius I wasn't expecting.

      So yes, it CAN get worse.

      1. Anonymous Coward
        Anonymous Coward

        NO security evaluation can truly be independent because it costs money, money talks, and money and the human condition create inevitable bias. Plus ANYONE can LIE.

      2. Wzrd1 Silver badge

        "As for Facebook, they proved me wrong. When they started I thought that only Google could grab so much data unchallenged, and I must give them credit for coming up with a model that allows the victims to believe they're actually doing them a favour."

        Ah, admitting that one is an idiot is the first step toward moving away from idiocy.

        Oh, wait. Idiocy is a permanent condition.

        Seriously, from day one, their user agreement that one should read said that all data was theirs, not yours. If that doesn't give you a hint, I can get you an audience with Her Majesty, for a small fee. Just pop me off your credit card number, expiration date and CV code.

  6. Andy Taylor

    This doesn't seem to be as damning as it might appear

    There's plenty of well respected people taking a less sensationalist view on this including Frederic Jacobs, one of the developers of WhisperNet. Check his posts on Twitter. @FredericJacobs

    As the Reg article says , just turn on Security notifications (Settings>Account>Security).

    1. Anonymous Coward
      Anonymous Coward

      Re: This doesn't seem to be as damning as it might appear

      So you have to know to turn on a non-default option and look for two mysterious check marks to appear. Simple enough for a typical Reg reader, but not the average Joe in the street.

      Stuff should default to being secure. If you want to trade security and possibly open up a backdoor the Feds could use to decrease the chances of an undeliverable message, THAT should be done via a non-default option!

      I agree 100% with the view this was deliberately done to enable backdoor access for governments while maintaining plausible deniability for Facebook.

      Somehow Apple seems to have reliable communication using iMessage without leaving such a backdoor open in their protocol. So what Facebook claims is necessary to avoid "millions of lost messages" is clearly not.

    2. David Pearce

      Re: This doesn't seem to be as damning as it might appear

      When Whatsapp first started encrypting, I got notifications about every new contact thread.

      That setting default to OFF mus have sneaked in on an update and needs to be rechecked after every future update

    3. Anonymous Coward
      Anonymous Coward

      Re: This doesn't seem to be as damning as it might appear

      There's plenty of well respected people taking a less sensationalist view on this including Frederic Jacobs, one of the developers of WhisperNet.

      He might be right, but there is, of course, the niggly fact that they're suppliers to WhatsApp now and may thus be a tad biased..

    4. Snowy Silver badge
      WTF?

      Re: This doesn't seem to be as damning as it might appear

      Went to do this, dislike how they do not label the on/off switch. Is the button to the left or right off?

  7. russell 6

    Have you tried Threema for end to end encryption?

    They are a Swiss outfit and take privacy very seriously. Another commentard here on El Reg who I have conctact with, knows the team personally. Personally I would never send anything I need to be secure on WhatsApp, even before this story broke. My original introduction to Threema was through a friend at HP. www.threema.ch

    1. Doctor Syntax Silver badge

      Re: Have you tried Threema for end to end encryption?

      "They are a Swiss outfit and take privacy very seriously."

      OTOH http://www.silicon.co.uk/security/swiss-us-privacy-shield-eu-202995?PageSpeed=noscript

      1. Anonymous Coward
        Anonymous Coward

        Re: Have you tried Threema for end to end encryption?

        OTOH http://www.silicon.co.uk/security/swiss-us-privacy-shield-eu-202995

        With respect, you're taking this a bit out of context. The reason privacy is better addressed in Switzerland is because they tend to be very strict about giving permission to allow law enforcement to investigate. The number of warrants served on email providers over the last decade (yes, not year, decade) is in the low double digits, and the investigative process is designed to continue to protect the right of any individual under investigation until the very last second (and breaking that confidentiality is a straightforward you-go-to-jail event, no excuses) - basically, they do law enforcement investigations they way they SHOULD be done.

        In addition, to get such an investigation started requires enough data to warrant a reasonable suspicion that a crime has been committed that ranks as such under Swiss law, not because it's a crime in another country - they will tell you politely to have a nice day and close the door.

        This is why only US journalists were present when they arrested FIFA people at their hotel and not Swiss ones. The US leaked this (which shows you just what sort of protection you enjoy under US law, as in none whatsoever), but the Swiss followed the rules to the letter and kept their mouth shut as it should.

        Switzerland has its problems too, but in areas like privacy it tends to demonstrate the benefits of a direct democracy (AFAIK they are sadly the last remaining one - the US apparently claims to be one but I guess we can taken as proven that that is just a very cynical marketing statement). They have to vote directly for law changes instead of watch helplessly as a club of idiots pretty much help themselves until the next election. It also made privacy a direct part of Federal Constitutional Law in 1999, and the relative newness of this also ensured the laws are up to date and take into account the computer and Internet world.

        (sorry for the detail, I do proper online privacy for a living :) )

        1. Zorg
          Facepalm

          Re: Have you tried Threema for end to end encryption?

          <i>US apparently claims to be one but I guess we can taken as proven that that is just a very cynical marketing statement)</i>

          The US isn't a democracy and never has been. It's a republic. A federal republic to be exact.

          https://en.wikipedia.org/wiki/Republic

          With the United States Declaration of Independence the leaders of the revolt firmly rejected the monarchy and embraced republicanism...

          <b>Apparently, Switzerland isn't a Democracy either.</b>

          https://en.wikipedia.org/wiki/Switzerland

          Switzerland (/ˈswɪtsərlənd/), officially the Swiss Confederation, is a federal republic in Europe. It consists of 26 cantons, and the city of Bern is the seat of the federal authorities.

          Oooops.

  8. Barry Rueger

    Real user case

    My company is one of fifty that occasionally needs to reach others in the field in an emergency situation. For years we relied on a group SMS list, which worked great because everyone had a cel phone.

    Then Google, in their wisdom, decided that sending a group text was a Bad Thing, and coded in a hard limit to the number of recipients you could send to on an Android phone. An emergency message to fifty people now became five messages to five small groups.

    This year everyone save a lone BlackBerry user moved over to WhatsApp, which as far as I can tell does exactly what text messaging used to, except with Facebook spying on us instead of Google.

    Way to shoot yourselves in the foot Google.

  9. Doctor Syntax Silver badge

    "an explanation that has failed to mollify critics."

    It's not surprising when you preface your explanation with a paragraph of self-serving dribble.

  10. Dr Scrum Master

    Spy

    I've spied on real people's WhatsApp messages and guess what? They're boring nonsense.

    Or maybe that's just the people whose shoulders I look over...

    1. Anonymous Coward
      Anonymous Coward

      Re: Spy

      My messages are certainly boring. The last 3 I sent are .... "Are the trains ok?", "See you tomorrow" and "Just landed. Do we need milk?"

      The important thing with security is to use a level commensurate with the value of the asset you are protecting. For me at least, ROT13 would be an overkill. Perhaps others here are exchanging messages that are a matter of life and death and need a little more. Alternatively, perhaps my messages are significant and I just hide behind a veneer of mundane. Only the recipient truly knows what "Are the trains ok?" actually means.

      1. chas49

        Re: Spy

        You've blown your cover. "Are the trains OK?" is obviously code as the answer is always "No".

    2. Anonymous Coward
      Anonymous Coward

      Re: Spy

      I've spied on real people's WhatsApp messages and guess what? They're boring nonsense.

      Or maybe that's just the people whose shoulders I look over...

      The point is that privacy is a DEFAULT - it's an inalienable Human Right. You do not have to defend why you want privacy, ever, those who want you to give it up must explain why they want that (or you can ask THEM what they have to hide). It follows the principle of innocent until guilty - only in France the opposite applies.

      1. Dr Scrum Master

        Re: Spy

        The point is that privacy is a DEFAULT - it's an inalienable Human Right. You do not have to defend why you want privacy, ever, those who want you to give it up must explain why they want that (or you can ask THEM what they have to hide). It follows the principle of innocent until guilty - only in France the opposite applies.

        Except that privacy is not the default in some societies - not just tribal societies, but a particular religious group in Norway who (amongst other things) don't have curtains, which goes a long way to explaining why tax returns are public information in Norway.

        1. anonymous boring coward Silver badge

          Re: Spy

          "which goes a long way to explaining why tax returns are public information in Norway"

          It's the same in Sweden. I looked up someone, using a well known Swedish website (hitta.nu I think it was, which means "find.now"), who had just moved to a different apartment, and found the person's photo, age, exact address, photos of the building and front door, information about average salary of people living in the area, and average age of people living in the area, what neighbours the person now had (everyone living in the building), and the person's birthdate (year, month, day).

          I probably forgot some details. I could, of course, have used the now gathered information to find a lot more information using other resources.

          The Swede has been conditioned over hundreds of years that this is quite normal. Everyone has their ID number which is just their complete birth date, and 4 digits tucked on to the end.

  11. Anonymous Coward
    Anonymous Coward

    If I push it a bit, I'm prepared to believe that Facebook may not have done this deliberately at a corporate level.

    I would, however, be amazed if various governments don't have assets inside a company that big that has so much data they want. These could be students recruited at university who then went on to apply for job at the company and believe they're doing the right thing. They could also be staff that have been turned using whatever leverage whichever government had against them. I'm thinking along the lines of "We've caught (you/your family member) doing something illegal (like hacking / not paying their taxes / hurting someone in a drink driving incident / drugs / being gay in a country where it's illegal). If you help us, we can make it go away. We'd hate for it to end in a 20 year jail sentence. Bad things can happen to people in jail."

    In most companies, the management are business people and probably don't understand the nuances of cryptosecurity. When a respected member of the development team puts their hands up in a meeting and says "I've got this really great idea that will make the user experience better." they could well go for it, not realizing the idea originated from outside their company and has a downside.

    1. Charles 9

      "We've caught (you/your family member) doing something illegal (like hacking / not paying their taxes / hurting someone in a drink driving incident / drugs / being gay in a country where it's illegal). If you help us, we can make it go away. We'd hate for it to end in a 20 year jail sentence. Bad things can happen to people in jail."

      And if the reply is, "I never liked my family anyway!" Because it turns out you're talking to a Black Sheep?

  12. enerider
    Go

    Let me just drop this here

    https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/

    For the record: these are the people who made the Signal Protocol - the messaging protocol used in Whatsapp and others.

    Given Moxie has some pretty decent standing when making AND breaking things - I'd be inclined to read his opinion

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like