Home Social Media Encryption Bypassed: WhatsApp Engineers Fear Encryption Flaw Exposes User Data

Encryption Bypassed: WhatsApp Engineers Fear Encryption Flaw Exposes User Data

WhatsApp users have suddenly been warned that its security has been seriously compromised

by Vesta Daily
0 comment
New WhatsApp Warning As Encryption Is ‘Bypassed’

WhatsApp users have been abruptly informed that its security has been significantly breached and that a weakness in its encryption may have exposed personal information. Separately, Elon Musk has also publicly criticized WhatsApp’s security and privacy procedures. So, how concerned should those 2 billion people be right now, and is this truly a reason to uninstall WhatsApp and switch to anything else?

In the world of secure communications, perception is crucial. That’s why Signal reacted so strongly to Telegram’s recent attack, and headlines claiming that “WhatsApp Engineers Fear Encryption Flaw Exposes User Data” have many users anxious.

Is that true? Has there truly been a vulnerability in the famed encryption that protects billions of daily communications and calls? In brief, no. This is something else, yet it has troubling implications of its own. In actuality, it’s a problem that’s been lurking behind WhatsApp’s slick surface for quite some time.

There are two different issues at play here. However, they all share metadata—the who contacted who, when, and where of communications. The data is not encrypted. It can be captured and retained by the platform if it chooses, and it can be monitored at the network level by governments or carriers with appropriate access. Consider this the realm of intelligence communications agencies, where massive volumes of metadata are collected and then searched for patterns.

banner

The Intercept, which broke the story, is more accurate when it states that “an undisclosed WhatsApp vulnerability lets governments see who you message,” referring to the latter of the two issues—network-level monitoring or traffic analysis. “WhatsApp should mitigate the ongoing exploitation of traffic analysis vulnerabilities,” it reads. WhatsApp’s engineers warned management that agencies are “bypassing our encryption… making it possible for nation states to determine who is talking to who.”

But wait—we already know WhatsApp can collect all of this information. As stated in its published privacy policy, it collects “information about your activity (including how you use our Services), how you interact with others using our Services (including when you search for and interact with a business), and the time, frequency, and duration of your activities.” Additionally, “even if you do not choose to use our precise location-related features, we use IP addresses and other information like phone number area codes, to estimate your general location.”

That is the first of the two issues. But if WhatsApp is conducting the gathering, it can protect its users. That protection is lost if the analysis is outside its control. “Our vulnerable users require strong and viable protections against traffic analysis,” the engineers advised.

However, words are vital here. The encryption is flawless and has not been compromised. Metadata is not encrypted, at least not in the end-to-end sense that we associate with WhatsApp encryption. As a result, WhatsApp can collect and transmit such information if a government agency properly requests it.

“WhatsApp does not store message logs once the messages are delivered or transaction logs of such delivered messages,” according to the company—but “in order to comply with a valid legal request… WhatsApp may start collecting message logs and call logs for a particular user indicating who the communication was to or from, the time it was transmitted and from which IP address, and the type of communication.”

And, as ESET’s Jake Moore cautions, “With pressure from governments around the world to have more access to intelligence and police evidence, Meta may have agreed to find some sort of middle ground.” Although the content of these conversations is kept secret, it is concerning that so much other sensitive information can still be read and evaluated.”

This topic isn’t about collecting that data; it’s about how and who collects and shares it.

With perfect timing, just as this WhatsApp metadata story was making the rounds, Telsa/Starlink CEO Elon Musk, fresh off his recent attack on Signal, has now alerted his 185 million X followers about WhatsApp’s metadata mining methods. “WhatsApp exports your user data every night,” he wrote. “Some people still think it is secure.”

Musk’s comments came in reaction to an X post that stated, “WhatsApp exports user data nightly, which is analyzed and used for targeted advertising, making users the product, not the customer.” Again, this risks confounding WhatsApp’s content security with Meta’s data collecting and analysis. It has This has always been WhatsApp’s Achilles’ heel.

However, the optics will not assist WhatsApp, especially with another story running concurrently.

There has been no claim that WhatsApp content has been compromised, hence the encryption remains intact. We understand that there is a possibility of an endpoint (device) breach to access content, but any nation-state that has broken the transmission crypto has been very quiet about it.

Let’s assume the protocol, which is a variation of Signal’s, remains intact.

This is about the metadata. This is a question of data storage and policy. WhatsApp says it can save metadata, whereas Signal, for example, insists it cannot. This is one of the reasons Signal is more secure.

However, when it comes to network traffic analysis, the stakes differ. The conclusion here is that network monitoring on a large scale can examine IP addresses and other identifiers to determine traffic patterns between persons while maintaining core encryption.

This is nothing new. Relationship maps that implicate so-called clean skins based on who they connect with—if you contact terrorists or criminals, you’re probably worth investigating. Such data processing also allows for communication fingerprinting. If you can collect the metadata, you can, for example, associate a burner phone with a certain person based on their unique communication patterns.

This is a big worry. As The Economist wrote earlier this week, “It is dangerously easy to hack the world’s phones…a system at the heart of global telecommunications is woefully insecure.” This refers to SS7, the insecure and antiquated data exchange protocol that connects phone networks. While this exposes unencrypted communications to full intercept, it also allows for the large-scale gathering of metadata.

The way this current WhatsApp report is worded, it appears that government agencies have discovered a technique to siphon or intercept WhatsApp metadata and pattern analyze it on a large scale. Perhaps in a more detailed manner than simply “hoovering-up data”. Another claim is that this compromised those in Gaza and served as a platform for Israeli target selection.

In truth, this is most likely just a creative application of time-honored network data collection and analysis with more powerful processing. Meta told The Intercept, “WhatsApp has no backdoors, and we have no evidence of vulnerabilities in how WhatsApp works.” Nothing in this narrative shows otherwise.

WhatsApp CEO Will Cathcart responded to The Intercept on X, saying, “There is no evidence of a vulnerability in WhatsApp, and this piece risks causing a lot of confusion for consumers who rely on end-to-end encryption… We debate potential or emerging risks internally, often heatedly, because it is how we identify ways to add even more protection to WhatsApp.”

However, The Intercept’s Sam Biddle responded to Cathcart: “Meta appears to be taking the stance that this is not a vulnerability in WhatsApp. I will now quote verbatim from their internal assessment of the situation: ‘WhatsApp should mitigate the ongoing exploitation of traffic analysis vulnerabilities.’”

So let’s keep it ridiculously simple. If you have cause to believe that any agency is tracking you, your location, or your connections, you should avoid using a platform owned and run by Meta, also known as Facebook. “Other available privacy-focused messaging apps offer ironclad protection which can be used by those favouring privacy over convenience,” Moore states.
So, should you be alarmed? Only if you have more than just content to worry about. If that’s the case, you should consider switching to something different. WhatsApp declined to comment on the suggestion that it should do more to “mitigate” continuous traffic analysis, so millions of users with specific issues should look into choices.

You can take certain steps to shield yourself from traffic analysis, but it is a poor gathering approach. Shield your IP address, change devices frequently, be sceptical of groups where you cannot personally verify the names of all members, and disable all location monitoring on your phone.

If you do not make such efforts, as Moore suggests, “communication and location data may appear pointless, but this can be integrated with other available information to develop a larger profile image. Furthermore, if this material is ever leaked, it might cause additional harm to people concerned, so it must be protected.”

Vesta Daily
Author: Vesta Daily

You may also like

Leave a Comment

Vesta Daily is a world-class authentic media outlet, that aims at bringing credible and relevant news in Sports. Politics, Business, Economy, Showbiz, Sex & Relationship, Lifestyle and many more

© Copyright 2024 Vesta Daily. All rights reserved powered by vestamultimedia.com

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
-
00:00
00:00
Update Required Flash plugin
-
00:00
00:00
Verified by MonsterInsights