WhatsApp has quietly beefed up the security of an iCloud backup feature for users of its messaging service — potentially closing a loophole that could enable otherwise end-to-end encrypted messages to become accessible in readable form, such as via a subpoena of Apple, which holds the encryption keys for iCloud, or by a hacker otherwise gaining access to a WhatsApp user’s iCloud account.
According to a Forbes report, the Facebook-owned giant added encryption to WhatsApp iCloud backups in late 2016, though Forbes says the fact only emerged last week, after a third-party company that supplies mobile and cloud hacking tools claimed to be able to circumvent the security measure.
The company in question, Oxygen Forensics, told Forbes its workaround only works for a specific scenario whereby it has access to a SIM card with the same mobile number that WhatsApp uses to send a verification code to generate the encryption key for the iCloud backup.
A WhatsApp spokesperson confirmed iCloud backups are now being encrypted, telling Forbes: “When a user backs up their chats through WhatsApp to iCloud, the backup files are sent encrypted.”
Forensic tools are apparently used to download the encrypted WhatsApp data backed up to iCloud. Then, using the associated SIM, Oxygen Forensics said it can generate the encryption key for decrypting the data by passing WhatsApp’s verification process again.
Forbes suggests the method could be used, for example, by police in possession of a device where the WhatsApp account has been deleted but iCloud backups have not been wiped.
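The scenario Oxygen Forensics describes comes down to a trust-boundary question: if the material needed to rebuild the backup key is released to whoever completes phone-number verification, then control of the SIM is enough. The constructed Python model below (added here; it is not WhatsApp’s protocol, and the server, secret handling, toy cipher and the passphrase-bound variant are all assumptions) shows that boundary and the defensive contrast: binding the key to a secret only the user knows means repeating verification alone no longer yields a readable backup.

```python
import hashlib
import hmac
import secrets


class VerificationServer:
    """Toy account server (assumption, not WhatsApp's design): it keeps one
    backup secret per phone number and hands it to whoever passes SMS
    verification for that number."""

    def __init__(self):
        self._secret = {}    # phone -> 32-byte server-held backup secret
        self._pending = {}   # phone -> one-time code last sent to that number

    def register(self, phone):
        self._secret[phone] = secrets.token_bytes(32)

    def send_code(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = code
        return code  # delivered by SMS, i.e. to whoever controls the SIM

    def verify(self, phone, code):
        expected = self._pending.pop(phone, None)
        if expected is None or not hmac.compare_digest(expected, code):
            raise PermissionError("verification failed")
        return self._secret[phone]


def key_number_only(server_secret):
    """Key derived only from material the server releases after verification."""
    return hashlib.sha256(b"backup-key|" + server_secret).digest()


def key_passphrase_bound(server_secret, passphrase):
    """Key that additionally requires a secret only the user knows (assumed design)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), server_secret, 100_000)


def toy_encrypt(key, data):
    """XOR with a SHAKE-256 keystream: illustrative only, not a real cipher.
    The operation is its own inverse, so it also serves as toy_decrypt."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def sim_holder_recovers_backup(passphrase_bound):
    """Return True if a party holding only the SIM ends up reading the backup."""
    server = VerificationServer()
    phone = "+15555550100"                 # constructed number
    passphrase = "correct horse battery"   # known to the account owner only
    chats = b"constructed chat history"    # constructed backup contents

    # Account owner registers, verifies once, and uploads an encrypted backup.
    server.register(phone)
    owner_secret = server.verify(phone, server.send_code(phone))
    owner_key = (key_passphrase_bound(owner_secret, passphrase) if passphrase_bound
                 else key_number_only(owner_secret))
    cloud_blob = toy_encrypt(owner_key, chats)

    # A second party holding the SIM repeats verification and receives the
    # same server-side secret, exactly as the article's scenario describes.
    sim_secret = server.verify(phone, server.send_code(phone))
    if passphrase_bound:
        # Without the user's passphrase the best it can do is guess.
        sim_key = key_passphrase_bound(sim_secret, "wrong guess")
    else:
        sim_key = key_number_only(sim_secret)
    return toy_encrypt(sim_key, cloud_blob) == chats


if __name__ == "__main__":
    print("number-only key, SIM holder reads backup:", sim_holder_recovers_backup(False))
    print("passphrase-bound key, SIM holder reads backup:", sim_holder_recovers_backup(True))
```

The point the model makes is that encrypting the stored blob is only as strong as the path by which the key can be re-obtained; where that path is phone-number verification alone, the backup inherits the weaknesses of SIM control, which is why a user-held secret (or simply not enabling the backup) changes the outcome.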
We’ve reached out to WhatsApp with questions and will update this story with any response.
Political pressure on encryption appears to be hotting up again. Giving evidence to a Senate oversight committee earlier this month, FBI director James Comey revealed the agency had been unable to access the contents of more than 3,000 mobile devices in the first half of the fiscal year, despite having legal authority to access the data.
The FBI was involved in a high-profile battle with Apple last year when it went to court to try to force the company to weaken its security system to help investigators gain access to a locked iPhone. Apple resisted and in the end the FBI paid a third-party company to hack into the device. But the bureau appears eager to push for legislation to outlaw end-to-end encryption (i.e. where service providers don’t hold the encryption keys themselves).
During last week’s hearing Comey complained that a case-by-case approach to breaking into strongly encrypted devices and services does not scale, and backed fresh calls by Senator Dianne Feinstein for legislation to require companies decrypt data when served a warrant — setting the scene for another round of crypto wars in the US.
WhatsApp has been at the forefront of making end-to-end encryption more accessible for mainstream app users, completing a rollout of the tech across its platform and all flavors of its apps in April 2016. It’s also resisted legal attempts to strong-arm it into handing over user data — such as in Brazil, where its service has been blocked multiple times as a penalty for its failure to provide decrypted data to police. The company has maintained it cannot hand over information it does not hold.
Adding encryption to iCloud backups would appear to reinforce WhatsApp’s stance that user privacy is a necessity for data security, albeit with a fair few caveats about how it has implemented the security layer here. Not enabling WhatsApp iCloud backups remains the surer fix for avoiding the cloud storage loophole, though one that might be inconvenient from the user’s point of view.