
My mom has an Android phone that fell in the water for a couple of seconds, around 16:30. She managed to disassemble the phone and turn it off. We both share a group that is end-to-end encrypted (all participants have new WhatsApp versions). The same day, around 21:00, while her phone was dead, I sent this group a message. The next day, she took the phone to a repair shop and they changed some pieces and the phone was back to life. Once I got my hands on the phone, I noticed it had been factory reset, all apps gone, new Android version, no customisation, no files, no wi-fi password, totally blank. So I proceeded to reinstall WhatsApp for her, put her number in, expecting to see her old groups, but no messages. To my surprise, she received all the messages, including my own, that the group received while the phone was dead, before the factory reset.

I think I know how public-private keys work, and from what I understand the private key that is necessary for her to decrypt the messages sent to the group while the phone was dead was lost once the reset was made, since the messages stored at WhatsApp servers were encrypted with her old public key, with a now unmatched private one. So how could the app have received these messages?


A couple of theories that I have:

  • Her phone wasn't factory reset, or somehow the private key survived. I think this is unlikely since I had to install the app again and the phone showed all signs of having been completely wiped. It's important to note that I don't know what the guys at the repair shop did to the phone, and she is unable to explain it to me.

  • My phone, upon seeing that her phone was back online, received her new public key and sent her the message again with new encryption. I haven't enabled the setting that warns when a contact's keys change, so I don't know if this could have occurred. To me it looks strange that my phone would promptly trust the new public key. But this theory gains strength since I noticed the messages are in order from the fastest device to the slowest. It's a family group: I have the fastest device, my sister has the middle one and my dad has the slowest. The messages are in this order and never interleave.

The messages in question arrived as unread messages, with the timestamp when they arrived, not when they were sent. Because of this I cannot judge if the individual chats also received messages from the dead period. I can only judge from this particular group because I knew it was end-to-end encrypted from the start.

SilverlightFox
Henrique Jung
  • I'm not familiar with WhatsApp; Could a user's private key be stored on WhatsApp's servers, encrypted with their login password, so you reinstalled WhatsApp, she logged in, downloaded and decrypted the settings including her account's private key, and then could read the group messages? – TessellatingHeckler Jun 16 '16 at 03:03
  • Did you manage to recover all the messages, or just the older ones (say, before March, 31st)? – A. Darwin Jun 16 '16 at 06:27
  • @A.Darwin just the messages from the dead period, the ones that were never received by the device. – Henrique Jung Jun 17 '16 at 11:56
  • @TessellatingHeckler this would mean that it's not end-to-end encrypted after all. It would be a huge security hole. – Henrique Jung Jun 17 '16 at 11:57
  • @HenriqueJung It would not mean that. The message would be encrypted to her private key, WhatsApp can store the message, but cannot read it. Her private key is encrypted by her password, WhatsApp can store the private key but not use it. She can download both (with her account username and password), unlock the private key locally on her phone (with her account password ... which she just gave WhatsApp during login ... oh. I think I see the problem now. – TessellatingHeckler Jun 17 '16 at 16:46

1 Answer


The sender will re-encrypt the message with the new credentials bound to the same number and re-send it.

WhatsApp protects from passive interception, but it does not protect against a man-in-the-middle or someone who hijacks the phone network.

Sad, really.

Ref:

usr-local-ΕΨΗΕΛΩΝ
David Schwartz
  • do you have any PoC to this? Or is it just your assumption? – The Illusive Man Jun 16 '16 at 09:56
  • @Ayozint The incident described in the question is the PoC, and it's been replicated by several people and the behavior confirmed by WhatsApp. Punch "WhatsApp MITM" into your favorite search engine. – David Schwartz Jun 16 '16 at 15:44
  • Thank you both for the answer. However I couldn't find any direct reference to the issue I described. Is this behaviour documented by WhatsApp? Is it common for the app to trust new public keys and resend messages? My SSH clients go nuts if they discover that a public key has changed. – Henrique Jung Jun 18 '16 at 04:27
  • Open Whisper Systems [discussed this behaviour in an article](https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/), which was in reply to an earlier [Guardian article](https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages). The Open Whisper statement explains some of the reasoning behind this behaviour. – Henrique Jung Jan 14 '17 at 01:07
  • I proposed a small edit to the answer: re-encryption is done by the sender side, who blindly accepts the new key to be owned by the recipient. From Signal blog: `Given the size and scope of WhatsApp’s user base, we feel that their choice to display a non-blocking notification is appropriate`. So they admit this is not the most secure behaviour in this case – usr-local-ΕΨΗΕΛΩΝ Jul 19 '18 at 18:04
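
The sender-side behaviour discussed in this thread, modelled as an added example (not part of the original posts and not WhatsApp or Signal code): undelivered messages are re-sealed to a contact's new identity key, either automatically with a non-blocking notice or held until the key is verified. `Sender`, `seal`, `simulate` and the fingerprint envelope are hypothetical names, the keys are constructed random bytes, and no real cryptography is performed.

```python
import hashlib
import os
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    return hashlib.sha256(identity_key).hexdigest()[:16]

def seal(identity_key: bytes, text: str) -> dict:
    # Stand-in for encryption (assumption): an envelope counts as readable
    # only by the holder of the key whose fingerprint it carries.
    return {"to": fingerprint(identity_key), "body": text}

@dataclass
class Sender:
    block_on_key_change: bool
    pinned: dict = field(default_factory=dict)       # contact -> pinned fingerprint
    undelivered: dict = field(default_factory=dict)  # contact -> texts with no receipt
    notices: list = field(default_factory=list)

    def send(self, contact: str, key: bytes, text: str) -> dict:
        self.pinned.setdefault(contact, fingerprint(key))  # trust on first use
        self.undelivered.setdefault(contact, []).append(text)
        return seal(key, text)

    def on_key_change(self, contact: str, new_key: bytes) -> list:
        """The server reports an identity key for a known contact."""
        if fingerprint(new_key) == self.pinned.get(contact):
            return []  # same key, nothing to do
        self.notices.append(f"security code changed for {contact}")
        if self.block_on_key_change:
            return []  # SSH-like policy: hold messages until the key is verified
        # Non-blocking policy: accept the new key and re-send pending messages.
        self.pinned[contact] = fingerprint(new_key)
        return [seal(new_key, t) for t in self.undelivered.pop(contact, [])]

def simulate(block_on_key_change: bool) -> tuple:
    old_key, new_key = os.urandom(32), os.urandom(32)  # constructed keys
    sender = Sender(block_on_key_change)
    first = sender.send("mom", old_key, "sent at 21:00 while the phone was off")
    resent = sender.on_key_change("mom", new_key)  # phone re-registered after reset
    # What the reinstalled app, holding only new_key, is able to read.
    readable = [e["body"] for e in [first] + resent
                if e["to"] == fingerprint(new_key)]
    return readable, sender.notices

if __name__ == "__main__":
    print("non-blocking:", simulate(False))
    print("blocking:    ", simulate(True))
```
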