Update, 1/20/17: A post on the Technosociology blog signed by dozens of security experts calls for a Guardian retraction apology. This article has been updated to reflect this.
en Facebook’s atsApp turned on end-end-end encryption in its messaging service last year, it was a big deal. As all eyes were glued on Apple’s fight with the FBI over unlocking the San Bernardino shooter’s ione, atsApp took a huge step toward protecting its users’ privacy by moving to encrypt all messages calls being sent between its apps.
But a new report suggests it might not be as secure as users think. According to The Guardian, a serious vulnerability in atApp’s encryption could allow Facebook to intercept read messages unbeknownst to the recipient, only aware of by the sender if they have previously opted in to receive encryption warnings. The security flaw, which was discovered by Tobias Boelter, a cryptography security researcher at the University of California, Berkeley, can “effectively grant access (to users’ messages)” by changing the security keys resending messages.
“atsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol … to guarantee communications are secure cannot be intercepted by a middleman,” the paper wrote. “However, atsApp has the ability to force the generation of new encryption keys for offline users … to make the sender re-encrypt messages with new keys send them again for any messages that have not been marked as delivered.”
ile there is no evidence to suggest atsApp has used the flaw to surreptitiously intercept messages, Boelter says he reported the vulnerability to Facebook back in April 2016 but was informed that it was “expected behavior.” According to The Guardian the security flaw, which still exists in the latest version of the service’s encryption, is exasperated by atsApp’s habit of automatically resending undelivered messages without authorization by the user.
However, there is mounting evidence to suggest The Guardian’s claims are overblown even unfounded. According to the atsapp website, end-to-end encryption is always activated when using the service, there is no way to turn it off. Additionally, each conversation has its own optional verification process that can be used to verify that calls messages are end-to-end encrypted.
In a statement provided to , atsApp defended the “intentional design decision” slammed The Guardian’s characterization of it as false: “atsApp does not give governments a ‘backdoor’ into its systems would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, atsApp offers people security notifications to alert them to potential security risks.”
Additionally, a group of security experts signed a post on Technosociology.org titled, “A ea for Responsible Contextualized Reporting on User Security.” In the letter, they compare The Guardian’s report to publishing a headline that reads “Vaccines kill people.” “ile it is true that in a few cases, vaccines kill people through rare unfortunate side effects, they also save millions of lives,” they write.
In a lengthy post, the experts conclude that The Guardian’s report uncovered “a small unlikely threat,” explains in great detail how atsApp’s “behavior around key exchange when phone or SIM cards are changed is an acceptable trade-off if the priority is message reliability.” They urge The Guardian to retract the story apologize to readers, many of who “are switching to SMS Facebook Messenger, among other options—many services that are strictly less secure than atsApp,” they experts claim.
The impact on you at home: Hopefully, there is none. ile the flaw in atsApp certainly has the appearance of being nefarious, there is nothing to suggest that users’ messages are actively being compromised. That being said, it’s not a bad idea to head over to your account’s security settings turn on the Show security notifications toggle.
