Wissen | Know-how
As part of an article for c't magazine, the heise Security team investigated WhatsApp's end-to-end encryption. The results show that WhatsApp might use TextSecure's exemplary encryption designed by Moxie Marlinspike, but implements it in such a fashion that is of little use in the real world.
When the developers of the TextSecure crypto-messenger announced at the end of 2014 that WhatsApp was now using the end-to-end encryption protocol developed by them, this created significant interest in the media. It didn't take long for this interest to completely die down, however. Many users are still asking themselves if they can trust the app keep their conversations private or if Facebook sucks in all of their messages. To answer this question for the article "WhatsApp entschlüsselt" in c't 11/15, we looked at the encryption as it is currently used by the service.
Since the client software is proprietary, we concentrated on the messages going over the wire. For this purpose, we attacked the problem from two sides: We investigated the traffic going from the smartphone to WhatsApp's servers and we handled received messages with the Python tool yowsup. Since its libraries are open source, we could document what was decrypted where to show us the messages in plain text.
Man-in-the-middle with Wireshark
While looking at the smartphone traffic, we interject ourselves between the sending device and the wireless router. Using ARP spoofing, we trick the device into thinking we are the router and tell the router we are the smartphone – a classic man-in-the-middle attack. This way, all network traffic bound for and sent by the smartphone passes through us. Using a plugin for Wireshark, we were able to look into the data packets sent by WhatsApp. However, we were only able to see the management information of the Jabber-like protocol used by WhatsApp. The content of the messages was – as we expected – unreadable binary.
As other researchers have documented, WhatsApp uses a proprietary encryption in transit that is based on the problematic RC4 algorithm. This means it can be successfully attacked as RC4 has to be considered broken. In addition to this, the app seems to use the same key – derived from a user password – for both incoming and outgoing communication which enlarges the attack surface further. This means that while the encryption in transit can in principle be broken, it prevents mass data collection, say on Internet backbones.
If someone would want to analyse WhatsApp messages en masse, this leaves the WhatsApp servers as the place to do it since they decrypt the transit encryption and could therefore evaluate and store the plain text of all messages. At least if there is no end-to-end encryption in place to prevent this. If such protection is actually in place, as was claimed by Moxie Marlinspike, hasn't been documented until now. WhatsApp never officially talked about the topic of end-to-end encryption (E2E) as it applies to their service. To force the issue, we decided to examine messages sent by an Android phone for ourselves. According to Marlinspike, these messages should already be secured by E2E if the receiving side supports it as well.
Open Source to the Rescue
The receiving end of the conversation we created ourselves. The open source tool yowsup can be used to script the sending and receipt of WhatsApp messages on a server or desktop PC. The current versions support an experimental
--moxie flag that allows to start its WhatsApp client with support for E2E encryption. In our case this has a clear advantage over the official client: Not only yowsup's source code is open, it also includes a port of TextSecure's axolotl encryption by the same developer that is open source, too. This allowed us to follow all steps from receiving encrypted data over the Internet to printing out the cleartext of the message.
For our experiment we checked out the Python code from the yowsup project's GitHub repository and patched in additional debug output in a few places. Our changes cause the code to print the received ciphertext to the command-line before it is decrypted. To show the ciphertext, which is stored in memory in binary form, our logging code transforms it to hex before printing it out. And we indeed observed only ciphertext being sent by Android smartphones at this point.
Now the code calls the axolotl library and causes it to decrypt the message. Another of our changes to the code then prints out the cleartext of the message using the debugger. As we could observe, the decrypted message is indeed shown.
This shows that in our tests Android smartphones exclusively sent end-to-end encrypted messages to receivers capable of E2E encryption. And these messages were encrypted according to the TextSecure protocol. Whenever we tested this with iOS clients, received messages weren't protected in this way.
As part of our analysis of the network traffic we did not find any evidence that would point to the WhatsApp client also sending the same data without E2E protection to the servers. At this point we do have to go into the frustrating list of things we could not show with our experimental setup. For example: We do not know if E2E encryption is actually used in all cases where this is possible or if it is switched off when certain criteria are met – such as requests by intelligence services or when the device is in use in a certain country. We do know that turning off the encryption is built into the design after all: WhatsApp clients sent messages without E2E encryption to iPhones, for example.
We also don't know if the secret keys generated by the WhatsApp client leave the device under certain circumstances. But as long as WhatsApp can tell any client to drop its encryption and users don't have a chance to notice this, getting the keys is probably a low priority anyway.
This seems to be the core problem with WhatsApp's end-to-end encryption: You never really know if it is actually being used. Neither when sending nor when receiving messages with the official WhatsApp client is there any indication if E2E encryption is in place. Our lab tests only show that messages are encrypted in principle but that is not enough for dependable use in the real world. Even heavier weighs the fact that, as far as we know, WhatsApp has never committed to guarantee its users E2E encryption. E2E encryption with WhatsApp therefore remains a token effort.