Hacker finds breach in WhatsApp’s encryption system

A security expert has found a breach in WhatsApp’s supposed ‘end-to-end’ encryption system. On earlier 2016, the Facebook-owned company proudly announced that messages would feature end-to-end encryption, thus giving users the tranquility that their private conversations would remain untouched.

Jonathan Zdziarski, a digital forensic specialist and digital security expert, published an article on Thursday with bold declarations. He stated that WhatsApp does not really delete users’ messages. Zdziarski started several conversations on his WhatsApp account, using an iPhone. After a bit of chit-chat, he deleted, cleared and archived some of the conversations. Finally, he clicked the “Clear All Chats” feature.

Hacker finds breach in WhatsApp’s encryption system

The “deleted records” were not actually deleted since the messages still appeared in SQLite, a relational database management system. According to Zdziarski, the chat’s database gets copied every time an iPhone users does a backup, saving it in a desktop backup and iCloud (Zdziarski states that this is “irrelevant to whether or not you use WhatsApp’s built-in iCloud sync”).

Which are the risks?

Zdziarski stated that the “leftover” evidence in SQLite poses some risks. For example, if somebody has physical access to a smartphone, he or she could hack it and create a backup of that information. In the same way, if a hacker has physical access to a computer, he or she could enter an “unencrypted backup” and access messages.

Law enforcement could obtain clear records of conversations by giving Apple a court order. Zdziarski has been very clear in stating that he doesn’t believe WhatsApp is keeping information on purpose. He even offers some advice in the article about how the company could make the service better and safer.

Hacker finds breach in WhatsApp’s encryption system

Alternatives

For Zdziarski, the only way to truly delete WhatsApp messages is to remove the app entirely. However, he offered some tips to “minimize” risks. For example, using iTunes to set a very complex backup password could help. Using Configurator to lock the smartphone is also a good idea since it makes harder for someone else to steal the phone’s passwords.

Finally, users would have to disable iCloud backup. If the user still feels uneasy, there are still a few safer alternatives. Telegram, an app available for Android and iOS, promises to have end-to-end encryption. The app is very popular in NGOs for even having a “self-destruct” modality for messages.

Telegram’s founder, Pavel Durov, founded the social networking site VK. He had an argument with Russian authorities and left his country in a self-imposed exile. VK is now owned by Mail.Ru Group, which has the monopoly of social networking market in Russia and is a Putin ally.

After this, he decided to create the instant messaging service with the aim of giving Russians a secure messaging app that would be unbreakable by Russian intelligence services. The BlackBerry Messenger service is also secure since the PIN-to-PIN service uses “Triple Data Encryption Standard”.

Recommended

Facebook to add end-to-end encryption to Messenger app

Facebook has started to introduce a setting to its "Messenger" app that provides users with end-to-end encryption, meaning messages can only be read on the device to which they were sent. The encrypted feature is currently only available in a beta form to a small number of users for testing, but it will become available ...

Supreme Court rejects PIL for WhatsApp ban, but encryption debate is just beginning

WhatsApp’s end-to-end encryption might still be a contentious issue, but on Wednesday the Supreme Court refused to allow a PIL seeking a ban on the popular app and similar messenger services. The PIL, filed by Gurugram-based RTI activist Sudhir Yadav, said these apps have complete encryption, which poses a threat to the country’s security. A ...

Despite end-to-end encryption, your WhatsApp and Telegram chats can be spied on

Even though WhatsApp promises end-to-end encryption on all of its chats, and Telegram offers end-to-end encryption on secret chats, the truth is that messages on these platforms can still be hacked. The reason is because the messaging apps still rely on phone networks that use Signalling System No. 7, better known as SS7. You might ...

暂无评论

发表评论

您的电子邮件地址不会被公开,必填项已用*标注。

This site uses Akismet to reduce spam. Learn how your comment data is processed.