Exploiting WhatsApp’s Retransmission Vulnerability: A Real-Life Attack Scenario
Here is a possible scenario:
- Alice lives under an oppressive government. She communicates with journalist Jonas over WhatsApp with the intent to leak information about a political scandal.
- Afraid of being revealed, Alice one day panics and destroys her phone without telling Jonas.
- A day later, Jonas sends her a message ‘Is it okay if I name Bob as the source?’. Alice of course doesn’t receive that message because her phone is gone.
- The government instructs the telecommunication service provider to identify a new phone as having Alice’s number. With that phone, the government goes online, verifies to WhatsApp that it owns Alice’s phone number, and announces a new keypair so that it can read any messages that are sent to ‘Alice’ in the future.
- Jonas’ WhatsApp recognizes that Alice seems to be back online with a new key. Because the last message hasn’t been transmitted yet, Jonas’ WhatsApp will automatically resend that message and encrypt it with the new key. (If Jonas has turned on his security notifications, he will be told that Alice has a new key, but he won’t be asked if it’s safe to re-encrypt the message for the new key.)
- The government can now read Jonas’ latest message and learns that Bob leaked the information.
Tobias Boelter explains this in a similar way in his blog post:
Imagine you dump your phone into the ocean and only a month later you get a new phone. Then during this one month time period, some friends might’ve sent you messages. In WhatsApp, your friends’ phones are being instructed to automatically re-encrypt and retransmit. But they don’t know if they are sending the messages indeed to you or the government. Then, and only if your friends specifically asked WhatsApp to do so, they will see a warning that there could’ve been something shady going on. Signal, on the other hand, will tell your friends something like ‘there might’ve been something shady going on. Do you want to resend your message?’
Currently, there is no setting in WhatsApp that requires a sender to confirm whether they want to re-encrypt a message for a changed key when the message has not been delivered yet. However, once a message has been delivered, the sender can’t be tricked into re-encrypting it.
As I understand it, Facebook is concerned that adding a confirmation dialog for retransmission with changed keys impacts the user experience in a way that drives WhatsApp users away to less secure messengers, having an overall negative impact on people’s security. On the other hand, Boelter argues that the added security of such a feature outweighs the minor impact on usability.
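The two retransmission policies compared above can be modelled as a toy sender-side outbox. This is an added example, not WhatsApp or Signal code: the class, method names, key labels and notice strings are all constructed, and keys are opaque labels with no real cryptography.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    text: str
    delivered: bool = False

@dataclass
class SenderClient:
    """Toy sender-side outbox. Keys are opaque labels; no real cryptography."""
    confirm_before_resend: bool           # False: WhatsApp-like, True: Signal-like
    security_notifications: bool = False
    recipient_key: str = "alice-key-old"  # constructed label
    outbox: list = field(default_factory=list)
    held: list = field(default_factory=list)
    notices: list = field(default_factory=list)

    def send(self, text, recipient_online):
        # A message counts as delivered only if the recipient was reachable.
        self.outbox.append(Message(text, delivered=recipient_online))

    def on_key_change(self, new_key):
        """Handle a new key for the recipient; return texts re-encrypted to it."""
        pending = [m for m in self.outbox if not m.delivered]
        if self.confirm_before_resend:
            # Hold undelivered messages until the user approves the new key.
            self.held = pending
            self.notices.append("key changed: resend pending messages?")
            return []
        if self.security_notifications:
            # Informational only: the resend below happens regardless.
            self.notices.append("security code changed")
        self.recipient_key = new_key
        for m in pending:
            m.delivered = True
        return [m.text for m in pending]

    def approve(self, new_key):
        """User verified the new key out of band and agrees to resend."""
        self.recipient_key = new_key
        released, self.held = self.held, []
        for m in released:
            m.delivered = True
        return [m.text for m in released]

def run_scenario(confirm_before_resend, security_notifications=True):
    jonas = SenderClient(confirm_before_resend, security_notifications)
    jonas.send("Thanks for the documents.", recipient_online=True)
    jonas.send("Is it okay if I name Bob as the source?", recipient_online=False)
    return jonas, jonas.on_key_change("alice-key-new")  # constructed label
```

With `confirm_before_resend=False` the pending message is returned as re-encrypted even though a notice was recorded; with `True` it stays in `held` until `approve()` is called. The already delivered message is never resent in either mode.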