When WhatsApp added end-to-end encryption to every conversation for its billion users two years ago, the mobile messaging giant significantly raised the bar for the privacy of digital communications worldwide.
But one of the tricky elements of encryption—and even trickier in a group chat setting—has always been ensuring that a secure conversation reaches only the intended audience, rather than some impostor or infiltrator.
And according to new research from one team of German cryptographers, flaws in WhatsApp make infiltrating the app's group chats much easier than ought to be possible. At the Real World Crypto security conference Wednesday in Zurich, Switzerland, a group of researchers from the Ruhr University Bochum in Germany plan to describe a series of flaws in encrypted messaging apps including WhatsApp, Signal, and Threema. The team argues their findings undermine each app's security claims for multi-person group conversations to varying degrees.
But while the Signal and Threema flaws they found were relatively harmless, the researchers unearthed far more significant gaps in WhatsApp's security: They say that anyone who controls WhatsApp's servers could effortlessly insert new people into an otherwise private group, even without the permission of the administrator who ostensibly controls access to that conversation.
"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them," says Paul Rösler, one of the Ruhr University researchers who co-authored a paper on the group messaging vulnerabilities. "If I hear there's end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. And if not, the value of encryption is very little."
That any would-be eavesdropper would have to control the WhatsApp server limits the spying method to sophisticated hackers who could compromise those servers, WhatsApp staffers, or governments who legally coerce WhatsApp to give them access. But the premise of so-called end-to-end encryption has always been that even a compromised server shouldn't expose secrets. Only people in a conversation should be able to read WhatsApp's messages, not the servers themselves.
"If you build a system where everything comes down to trusting the server, you might as well dispense with all the complexity and forget about end-to-end encryption," says Matthew Green, a cryptography professor at Johns Hopkins University who reviewed the Ruhr University researchers' work. "It's just a total screwup. There's no excuse."
Group Threat
The German researchers say their WhatsApp attack takes advantage of a simple bug. Only an administrator of a WhatsApp group can invite new members, but WhatsApp doesn't use any authentication mechanism for that invitation that its own servers can't spoof. So the server can simply add a new member to a group with no interaction on the part of the administrator, and the phone of every participant in the group then automatically shares secret keys with that new member, giving him or her full access to any future messages. (Messages sent prior to an illicit invitation, fortunately, still can't be decrypted.)
Everyone in the group would see a message that a new member had joined, seemingly at the invitation of the unwitting administrator. If the administrator is watching closely, he or she could warn the group's intended members about the interloper and the spoofed invitation message.
But the Ruhr University researchers and Johns Hopkins' Green point out several tricks that could be used to delay detection. Once an attacker with control of the WhatsApp server had access to the conversation, he or she could also use the server to selectively block any messages in the group, including those that ask questions, or provide warnings about the new entrant.
"He can cache all the message and then decide which get sent to whom and which not," says Rösler. And in groups with multiple administrators, the hijacked server could spoof different messages to each administrator, making it appear that another one had invited the eavesdropper, so that none raises an alarm. It could even prevent any administrator's attempt to remove the eavesdropper from the group if discovered.
Some Limits
In a phone call, a WhatsApp spokesperson confirmed the researchers' findings, but emphasized that no one can secretly add a new member to a group—a notification does go through that a new, unknown member has joined the group. The staffer added that if an administrator spots a fishy new addition to a group, they can always tell other users via another group, or in one-to-one messages. And the WhatsApp spokesperson also noted that preventing the Ruhr University researchers' attack would likely break a popular WhatsApp feature known as a "group invite link" that allows anyone to join a group simply by clicking on a URL.
“We've looked at this issue carefully," a WhatsApp spokesperson wrote in an email. "Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user. The privacy and security of our users is incredibly important to WhatsApp. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.”
To be fair, this technique wouldn't be a very stealthy strategy in the long run for government spying. Sooner or later, users would likely notice that unexpected strangers were showing up in their chats. But that possibility of detection isn't an adequate solution to WhatsApp's underlying problem, argues John Hopkins' Green. "That's like leaving the front door of a bank unlocked and then saying no one will rob it because there’s a security camera," Green says. "It's dumb."
The Ruhr University researchers say they alerted WhatsApp to the problem with group messaging security last July. In response to their report, WhatsApp's staff say they fixed one problem with a feature of their encryption that made it harder to crack future messages even after an attacker obtained one decryption key. But they told the researchers the group invitation bug they'd found was merely "theoretical" and didn't even qualify for the so-called bug bounty program run by Facebook, WhatsApp's corporate owner, in which security researchers are paid for reporting hackable flaws in the company's software.
For some of WhatsApp's users, the stakes of the app's security could be high. WhatsApp's convenient group messaging system, in combination with its encryption promises, have made it a popular tool for "whisper networks" of grassroots organizing around sensitive or dangerous topics. Victims of sexual abuse and harassment have used it to organize the campaign against abusers, for instance. So have political insiders and Syria's embattled White Helmets, volunteer rescue brigades in Syria who are often targeted by the ruling regime.
But the shoddy security around WhatsApp's group chats should make its most sensitive users wary of interlopers, Rösler argues. If WhatsApp were to comply with a government request—in the US or abroad—agents could join any private group and listen along.
Smaller Problems
The researchers dug up less serious flaws in the more specialized secure messaging apps Signal and Threema, too. They warn that Signal allows the same group chat attack as WhatsApp, letting uninvited eavesdroppers join groups. But in Signal's case, that eavesdropper would have to not only control the Signal server, but also know a virtually unguessable number called the Group ID. That essentially blocks the attack, unless the Group ID can be obtained from one of the group member's phones—in which case the group is likely already compromised. The researchers say that Open Whisper Systems, the non-profit that runs and maintains Signal, nonetheless responded to their work, saying that it's currently redesigning how Signal handles group messaging. Open Whisper Systems declined to comment on the record about the Ruhr researchers' findings.
For Threema, the researchers found even smaller bugs: An attacker who controls the server can replay messages or add users back into a group who have been removed. The researchers say Threema responded to their findings with a fix in an earlier version of its software.
As for WhatsApp, the researchers write that the company could fix its more egregious group chat flaw by adding an authentication mechanism for new group invitations. Using a secret key only the administrator possesses to sign those invitations could let the admin prove his or her identity and prevent the spoofed invites, locking out uninvited guests. WhatsApp has yet to take their advice.
Otherwise, they'd be wise to keep a vigilant eye out for any new entrants sliding into their private conversations. Until an administrator actively vouches for that newcomer, there's a small chance he or she might just be something other than a new friend.
Download SafeUM — communicate privately, without advertising and spam.
