    Big hacks: Social Media Messaging

    Are social media messaging apps safe?

    Post date:

    Farooq Gessa Mousal
    Techjaja: CTO
    If you use WhatsApp, Signal or Telegram and you think that end-to-end encryption is protecting you from hacks, think again! Anyone reading this article knows that you need to use end-to-end encrypted messaging by default. If you don’t, then all the information on your phone, including messages, photos, videos, and shared financial and medical data, is vulnerable to electronic surveillance. But this encryption is only half the story. It secures your data as it travels to and from your device, which means it protects you from “over the air,” network or server interception. But once that data is received on a device, those protections come to an end.

    Have you ever wondered why, when persons of interest are arrested, the police keep their smartphones and say they are still doing further investigations? They are basically trying to utilize other backdoor features that apps like WhatsApp use in order to snoop through your messages, even if the app is password protected.

    WhatsApp’s super-secure rival Signal, whose protocol is used by WhatsApp as well, had been hacked. Those headlines were prompted by an Israeli security firm announcing a “new solution for decrypting the Signal app.” As one newspaper reported, the company claimed: “its tech can now crack Signal, regarded as the most encrypted app and commonly used by journalists to communicate with sources.”

    How law enforcement guys do their hacks

    Is it true that Signal or WhatsApp’s secure encryption was hacked? Actually, no. As Signal fan Edward Snowden pointed out in a tweet, this had nothing to do with end-to-end encryption. This was a solution to hack the Signal database on an unlocked or compromised phone, requiring physical control of the device. “That’s it,” he said. “There’s no magic.” These are the same methods that law enforcement uses.

    WhatsApp and Signal decrypt end-to-end encrypted messages and then store those in a folder on a user’s device. That folder is encrypted. The claims being made are that with physical access to a device, police or a bad actor could download that folder and decrypt its contents. Without physical access to the device, or a highly sophisticated compromise of the device to secretly exfiltrate those files over the air, that cannot be done.

    If someone has access to a device (the password, for example), then they will have access to that message store anyway. Social media apps like Telegram warn their own users, “we cannot protect you from your own mother if she takes your unlocked phone without a passcode. Or from your IT department if they access your computer at work. Or from any other people that get physical or root access to your phones or computers.”

    Security firm Cellebrite says that decrypting messages and attachments sent with the Signal app has been all but impossible, until now. They said: “Decrypting Signal messages and attachments was not an easy task—it required extensive research on many different fronts to create new capabilities from scratch.” The account included details, also since deleted, on how the physical compromise worked.

    End-to-end encryption only protects the transmission of the data; it won’t protect the data on the device itself, and it has never promised to do so. That is why having things such as app and device passwords and disk/device encryption is so important. But for even better protection, always keep your device to yourself, guard it jealously, and don’t leave your mobile device lying around.

    Cloud Infiltration

    There have been allegations that Facebook and Google connived in a “backroom deal” for Google to be allowed to do WhatsApp backups on Google Cloud. This antitrust lawsuit was filed in Texas, and whatever the outcome, it does shine a light on a genuinely serious issue and gives WhatsApp’s users another reason to change their settings.

    Cloud compromises are a big issue when it comes to social media hacks. WhatsApp’s preferred backup option (and, in the case of iOS, its only one) is to Apple’s or Google’s cloud. Android users are lucky in this case, as they have the option to save backups on the device. But if you allow WhatsApp to save this cloud backup, then this is the same locally encrypted version of the decrypted messages on your device. As such, it’s accessible to Apple or Google if law enforcement comes calling, for example. This is why Signal doesn’t offer any form of cloud backup support: losing control of your data is losing control of your data.

    Advising WhatsApp users to switch off this backup option is difficult. If you lose your device, it’s the only way to restore your messages. Unlike Signal or iMessage or Messenger or Telegram, there is no genuine multi-device offering with WhatsApp; there is only one message database, the one on your phone. But once you back up data to the cloud, you give up physical control of that data, much like handing over your phone. Clearly, each user needs to decide for themselves the right balance between a data backup in case of a lost device versus the integrity and security of that data.

    The stark reality is that cloud backups of end-to-end encrypted messages invalidate that end-to-end encryption. Unless you are especially wary of losing your phone, it’s best turned off.

    There’s also another setting you should now change in WhatsApp. If the data isn’t there, then it’s not at risk. While you can’t control what happens to messages you send to others (they may copy or screenshot them), if those messages disappear after a set time, the chances are they’re gone for good. For any especially sensitive data, the advice is to set the message to disappear. This includes financial or medical information, anything personal or compromising.

    There are no backdoors into WhatsApp or Signal or iMessage—but law enforcement and security agencies want these introduced and are always working with security companies in Israel to hack these social media apps.
