WhatsApp leads the messaging world—with more than two billion users now sending 100 billion messages each day. The Facebook-owned platform popularized the idea that secure messaging could be simple and universal. But, as good as that security might be, it’s not enough—and we have seen news this week that should serve as a serious warning that there’s more you must do to keep your WhatsApp account secure.
Anyone reading this article likely knows that you need to use end-to-end encrypted messaging by default. If you don’t, then your content—all those messages, photos, videos, shared financial and medical data—is vulnerable to interception. But end-to-end encryption is only half the story. It secures your data as it travels to and from your device. It prevents “over the air,” network or server interception. But once that data is received on a device, those protections come to an end.
This week, there were three stark reminders of this. First, headlines suggesting that WhatsApp’s uber-secure rival Signal, whose protocol is used by WhatsApp itself, had been hacked. Those headlines were prompted by an Israeli security firm announcing a “new solution for decrypting the Signal app.” As one newspaper reported, the company claimed “its tech can now crack Signal, regarded as the most encrypted app and commonly used by journalists to communicate with sources.”
Second, there was a frightening if obfuscated sidebar to the array of antitrust lawsuits now raining down on Facebook. This one, in Texas, alleged that Facebook and Google had cooked up a “backroom deal” to allow Google access to WhatsApp backups on Google’s Cloud. We await the detail, to see whether these claims are as alarming as they seem. Whatever the outcome, though, it does shine a light on a genuinely serious issue, and another reason WhatsApp’s users need to change their settings.
And third, the big one. The SolarWinds hack of U.S. government and commercial sites, the biggest cybersecurity story in recent years, hammered home—in an instant—why end-to-end encryption is so needed. No security-conscious users of such platforms need worry that their messaged data was compromised on anyone’s servers, at least not while it was traveling from sender to recipient. There were no keys to any backdoors that could be stolen from deep within a security agency’s digital vault.
What happened to that information once it had reached its endpoint, though, that’s a different story. That’s the issue here. Endpoint compromise.
But let’s start with those claims that Signal’s—and, by implication, WhatsApp’s—marquee encryption has been “cracked.” Is that really the case? Actually, no. As Signal fan Edward Snowden pointed out, this had nothing to do with end-to-end encryption. This was a solution to hack the Signal database on an unlocked or compromised phone, requiring physical control of the device. “That’s it,” he said. “There’s no magic.”
Signal and WhatsApp decrypt end-to-end encrypted messages and then store those in a folder on a user’s device. That folder is encrypted. The claims being made are that with physical access to a device, a law enforcement agency or bad actor could download that folder and decrypt its contents. Without physical access to the device, or a highly sophisticated compromise of the device to secretly exfiltrate those files over the air, that cannot be done.
As ESET’s Jake Moore, a former police officer and digital forensics expert, explains, “end-to-end encryption means messages cannot be intercepted by law enforcement in transition between devices. However, their way around this is by gaining access to the device itself and using specialist tools—often only supplied to law enforcement.”
Of course, if someone has access to a device, the passcode for example, then they will have access to that message store anyway. As Telegram warns its own users, “we cannot protect you from your own mother if she takes your unlocked phone without a passcode. Or from your IT department if they access your computer at work. Or from any other people that get physical or root access to your phones or computers.”
“Decrypting messages and attachments sent with Signal has been all but impossible, until now,” the security firm, Cellebrite, said in an early version of its announcement, since deleted. “Decrypting Signal messages and attachments was not an easy task—it required extensive research on many different fronts to create new capabilities from scratch.” The account included details, also since deleted, on how the physical compromise worked.
“This shows the power of digital forensics,” Moore told me, “and what can be achieved even when data is placed in unallocated clusters (deleted space) on devices. Luckily though, Signal still cannot be compromised whilst in transmission, making it still the safest bet when sending private messages.”
As security expert Sean Wright points out, “end to end encryption is only to protect the transmission of the data, it won’t protect the data on the device itself, and it has never been touted to do as such. Which is why having things such as a passcode and disk/device encryption is so important. But for even better protection, don’t let anyone else get their hands on your device. Don’t leave your mobile device lying around.”
And so to the second issue, cloud compromises. WhatsApp’s preferred (and, in the case of iOS, only) backup option is to Apple’s or Google’s cloud. If you allow WhatsApp to save this cloud backup, then this is the same locally encrypted version of the decrypted messages on your device. As such, it’s accessible to Apple or Google, if law enforcement comes calling, for example. This is why Signal doesn’t offer any form of cloud backup support—losing control of your data is losing control of your data.
Advising WhatsApp users to switch off this backup option is difficult. If you lose your device, it’s the only way to restore your messages. Unlike Signal or iMessage or Messenger or Telegram, there is no genuine multi-device offering with WhatsApp; there is only one message database, the one on your phone. But once you back up data to the cloud, you give up physical control of that data, much like handing over your phone. Clearly, each user needs to decide for themselves the right balance between a data backup in case of a lost device versus the integrity and security of that data.
The stark reality is that cloud backups of end-to-end encrypted messages invalidate that end-to-end encryption. Unless you are especially wary of losing your phone, it’s best turned off. iCloud remains WhatsApp’s recommended way to transfer messages when you update to a new iPhone, but now that Apple’s direct transfer works brilliantly, duplicating your old device to your new one, you don’t need iCloud in the same way.
There’s also another setting you should now change in WhatsApp. If the data isn’t there, then it’s not at risk. While you can’t control what happens to messages you send to others (they may copy or screenshot them), if those messages disappear after a set time, the chances are they’re gone for good. WhatsApp has added a disappointingly basic version of the functionality—seven days is the only option and there’s no easy toggle for individual messages within a chat. Hopefully they will change that and more closely match the options now being offered by rivals.
For any especially sensitive data, the advice is to set the message to disappear. This includes financial or medical information, anything personal or compromising. If it doesn’t need to be stored on someone else’s phone, potentially in their cloud backup, then set it to disappear. Short time windows, as offered by Signal, are best. But the seven-day option is better than leaving such data to sit in message histories forever.
If you keep your device secure, don’t allow it to be compromised, and don’t back up secure data to the cloud, then the only way to access your data is with a backdoor. And so to the third issue, the devastating SolarWinds hack.
There are no backdoors into WhatsApp or Signal or iMessage—but law enforcement and security agencies want these introduced. The counterargument from the privacy lobby is that once a backdoor is introduced, bad actors will steal the keys, and the security of those platforms will be fatally flawed. As such, the safety of politicians and dissidents and lawyers and reporters in dangerous parts of the world will be at risk. SolarWinds shows that there can be no such thing as absolute protection for such a potential vulnerability once it’s introduced; there’s nowhere safe enough to keep it.
“We cannot understate the danger of lawmakers around the globe pushing legislation that would require technology companies to build so-called ‘backdoors’ into their software,” Wickr CEO Joel Wallenstrom has warned. “The impact of this would have a devastating impact on all facets of society… Breaking E2EE would come with tremendous risks to global businesses, jeopardizing the lifelines of modern society—critical innovations in industry, global commerce and financial transactions, to name a few.”
Absent such drastic legislative change, the issues are simple to deal with. If WhatsApp is serious about security, if it really is “in our DNA” as they say, then there are lessons to learn from Signal. Weaknesses around metadata capture, cloud backups and image downloads need to be addressed. Unlike WhatsApp, every potential vulnerability in Signal has been locked down. There are no cloud backups, no metadata capture, no default downloads. But this latest news shows that even Signal, despite all this, can be potentially vulnerable to an endpoint compromise.
But the advice here is much broader. Control of your data is control of your data. If you lend someone your phone or plug that phone into unknown machines or chargers, or if you back up data to a big tech cloud without a thought as to what you’re saving and who might have access, then you’re running risks. Those stories this week should be the warning we need to be mindful of how we secure what’s private to ourselves.
WhatsApp is the world’s leading messenger. Many of those reading this will use Signal, but almost everyone will use WhatsApp. I have advised previously on setting a 2FA code to prevent account hijacks, disabling default media downloads to prevent hacks, and protecting metadata to protect your privacy. Now you can add disabling cloud backups and making use of expiring messages to this list. If you do these things, you will make WhatsApp much safer and much more secure.