AN FBI contractor says they have found a way to hack WhatsApp’s encryption key system – which quietly closed a loophole in its security of iCloud backup features – that was implemented in late 2016.
WhatsApp and various other messaging services have come under fire in recent years, be it the government or black hat hackers launching the attacks. You’ll recall the subpoena the US government brought to Apple when the company refused to unlock the iPhone of the San Bernardino bombers, or the notorious hacking of the emails of various politicians all around the globe.
Slowly but surely, privacy has become the frontline battle of the digital age, as many privacy advocates predicted in the early years after Sept 11.
— World Economic Forum (@wef) May 9, 2017
WhatsApp first added encryption keys to the app, thus securing the iCloud backups where messages and contacts are uploaded up to. The presence of the encryption key in the app ensures the iCloud Drive is not the first and last point of protection of customer data, thus making it difficult for anyone to access it.
“When a user backs up their chats through WhatsApp to iCloud, the backup files are sent encrypted,” a WhatsApp representative told Forbes.
However, Forbes reported a third-party company called Oxygen Forensics, who contracts out to the FBI, told them they were able to develop features that could circumvent WhatsApp’s encryption key, though it could only happen in a very specific scenario.
The company, which supplies mobile and cloud hacking tools, hails from Russia.
Rival Russian forensics firm Elcomsoft CEO Vladimir Katalov explained when messaging data is uploaded to the iCloud Drive and a verification code sent by the company has been entered, a unique encryption key is generated and used to seal the data away from unintended eyes. Even if one could download that data, they would need the original iPhone and then undergo that verification process again before any information could be decrypted.
Oxygen Forensics hacks that process by obtaining a SIM card with an identical phone number to obtain a verification code and generate an encryption key. It sounds pretty straightforward, but it requires Oxygen to have access to the user’s Apple ID and password as well.
According to Katalov, this would be useful if the iPhone had its information wiped, but the iCloud backups remained intact.
Thus far, many technology companies have pushed back against political pressure to cave to the demands of national security hawks.
FBI director James Comey revealed in a Senate hearing the agency was blocked from accessing the data in more than 3,000 devices in the first half of the fiscal year, despite having legal authority to do so.
The legal battle with Apple mentioned earlier ended with the agency engaging a third party to hack the device, but the fallout has resulted in an eagerness by law enforcement forces for legislation to outlaw end-to-end encryption.
In Asia, it’s evident what happens when governments get their hands on private correspondences; China’s repressive atmosphere is largely a by-product of the government’s watchful eye on many forms of communication. A similar state of affairs is evident in Singapore, where the ruling party has large swathes of influence over public discourse and media content.
India and Malaysia have called for policies to crack down on the spread of “offensive content” and “fake news”, respectively. India has gone a step further: a ruling in the courts on the spread of false information resulted in the arrest of a WhatsApp administrator in Karnataka who shared an “ugly and obscene” Photoshopped image of Prime Minister Narendra Modi.
WhatsApp has been working to make end-to-end encryption widely accessible to mainstream app users. The company completed a rollout of the security technology across the many iterations of its app, and has also resisted pressure from enforcement units to hand over data. As a result of its recalcitrance, Brazil has blocked its service multiple times.
The company maintains it cannot hand over information it does not hold, but it is also necessary to point out the company’s moves are integral to protecting individual privacy and protection. Data security has become a particular point of contention in the digital world, especially in light of recent political developments that have branched out from the generally lackadaisical attitude most people have towards their personal information.
Even with a few exceptions here and there where it relates to physical security – albeit those instances must be examined individually – WhatsApp’s encryption services are an integral step in protecting ourselves in the cloud-based future.