
A few days ago, an old "vulnerability" of WhatsApp re-appeared in the media. The Guardian published this article calling the vulnerability a "backdoor". The article cites these findings of Tobias Boelter, a security researcher at UC Berkeley.

The "vulnerability" is that WhatsApp automatically retransmits messages that have not been received by a client after that receiver changes encryption keys. The receiver is not notified of the key change and the sender is only notified if they switch on an option (which is disabled by default) buried deep in the account settings.

After a rather general response from Facebook/WhatsApp ("We do not have a backdoor"), Open Whisper Systems, the maker of the Signal protocol that powers WhatsApp's E2E encryption, now responded directly to the article in this blog post. Both are essentially claiming that this is not a vulnerability but a UX issue (whether or not to prominently notify the user of the change of encryption keys). Tobias Boelter again responded in this blog article, saying that it is a vulnerability that would allow an attacker to "wiretap targeted conversations".

My question is: What does a real-life attack look like that would exploit this vulnerability?

I firmly believe that very few people actually dig three levels deep into the WhatsApp settings to enable the security notifications, so let's assume that most people could be attacked without seeing the warning about a change in cryptographic keys. How, then, could a motivated attacker take over Alice's end of a WhatsApp conversation without Bob noticing?

It seems this would require the attacker to temporarily block Alice's access to WhatsApp (putting her offline, leaving Bob's messages undelivered) and then take over her WhatsApp account (how?). As long as the attacker could thereafter impersonate Alice reasonably well, Bob - not being shown a warning about the key change - would then believe he's still communicating with Alice.

1 Answer


What does a real-life attack look like that would exploit this vulnerability?

Here is a possible scenario:

  • Alice lives under an oppressive government. She communicates with journalist Jonas over WhatsApp with the intent to leak information about a political scandal.

  • Afraid of being revealed, Alice one day panics and destroys her phone without telling Jonas.

  • A day later, Jonas sends her a message "Is it okay if I name Bob as the source?". Alice of course doesn't receive that message because her phone is gone.

  • The government instructs the telecommunication service provider to identify a new phone as having Alice's number. They go back online, verify to WhatsApp that they own Alice's phone number and announce a new keypair so that they can read any messages that are sent to "Alice" in the future.

  • Jonas' WhatsApp recognizes that Alice seems to be back online with a new key. Because the last message hasn't been transmitted yet, Jonas' WhatsApp will automatically resend that message and encrypt it with the new key. (If Jonas has turned on his security notifications, he will be told that Alice has a new key, but he won't be asked if it's safe to re-encrypt the message for the new key.)
  • The government can now read Jonas' latest message and learns that Bob leaked the information.

Tobias Boelter explains this in a similar way in his blog post:

Imagine you dump your phone into the ocean and only a month later you get a new phone. Then during this one month time period, some friends might've sent you messages. In WhatsApp, your friends' phones are being instructed to automatically re-encrypt and retransmit. But they don't know if they are sending the messages indeed to you or the government. Then, and only if your friends specifically asked WhatsApp to do so, they will see a warning that there could've been something shady going on. Signal on the other hand will tell your friends something like "there might've been something shady going on. Do you want to resend your message?".

Currently, there is no setting in WhatsApp that needs a sender to confirm if they want to re-encrypt a message for a changed key if the message has not been delivered yet. However, if the message has been delivered, the sender can't be tricked into re-encrypting it.

As I understand it, Facebook is concerned that adding a confirmation dialog for retransmission with changed keys impacts the user experience in a way that drives WhatsApp users away to less secure messengers, having an overall negative impact on people's security. On the other hand, Boelter argues that the added security of such a feature outweighs the minor impact on usability.

Ángel
Arminius
  • Great answer, thanks! I understand the "oppressive government" scenario. However, I was also wondering whether a criminal 3rd party (not the government with control of the telco provider) could use this vulnerability, specifically the fact that the key change notification is likely disabled for a non-concerned user, to take over a normal account... – KlaasNotFound Jan 16 '17 at 13:06
  • ... Boelter mentions "attacking the GSM network", but I am unsure how involved this vector would be - is this something a technically proficient prankster could do or would it require resources/expertise at agency level? If you can think of such an attack scenario please feel free to post another answer. Otherwise I'll accept this one within a couple of days. Thank you. – KlaasNotFound Jan 16 '17 at 13:09
  • @KlaasNotFound Thanks, I'll add some elaboration on the exploitability beyond government involvement later and let you know. – Arminius Jan 17 '17 at 05:08
  • @KlaasNotFound Sorry, I just realized I never got back on that. To be frank, I can't give any good advice on how easy the attack would be for an ordinary criminal with small resources. If you're still interested you might want to set a bounty or re-ask that specific part in a new question. – Arminius Jul 18 '17 at 16:23
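
A toy model of the sender-side behaviour described in the answer above, added here as an illustration (it is not WhatsApp's or Signal's code): it replays the Jonas scenario under the non-blocking policy and under a blocking policy that holds undelivered messages until the user confirms. The `Sender` class, its fields and the key strings are hypothetical, and encryption is represented only by tagging each sent message with the key it was sent to.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    text: str
    delivered: bool = False

@dataclass
class Sender:
    """Hypothetical sending client; models policy only, no real cryptography."""
    blocking: bool            # True: ask before re-sending after a key change
    notify: bool = False      # optional security notification, off by default
    known_key: str = ""
    outbox: list = field(default_factory=list)
    wire: list = field(default_factory=list)    # (recipient key, text) pairs sent
    alerts: list = field(default_factory=list)  # warnings shown to the sender

    def send(self, text):
        msg = Message(text)
        self.outbox.append(msg)
        self.wire.append((self.known_key, text))  # stand-in for encrypting to known_key
        return msg

    def on_key_change(self, new_key, user_confirms=False):
        """The recipient's number re-registered with a new identity key."""
        pending = [m for m in self.outbox if not m.delivered]
        if self.blocking or self.notify:
            self.alerts.append(f"key changed to {new_key}")
        if self.blocking and not user_confirms:
            return []                    # hold pending messages until the user decides
        self.known_key = new_key
        for m in pending:                # already-delivered messages are never re-sent
            self.wire.append((new_key, m.text))
        return [m.text for m in pending]

def replay(blocking, notify=False):
    """Replay the scenario; all sample values are constructed for this example."""
    s = Sender(blocking=blocking, notify=notify, known_key="alice-key-1")
    s.send("See you at noon").delivered = True
    s.send("Is it okay if I name Bob as the source?")   # never delivered
    resent = s.on_key_change("unverified-key-2")
    exposed = [text for key, text in s.wire if key == "unverified-key-2"]
    return resent, exposed, s.alerts

if __name__ == "__main__":
    for label, args in [("non-blocking", (False,)), ("non-blocking + notify", (False, True)),
                        ("blocking", (True,))]:
        print(label, replay(*args))
```

With notifications enabled in the non-blocking case the sender sees the alert, but the undelivered message has already been re-sent to the new key; only the blocking policy keeps it off the wire.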