HALF A BILLION TERRORISTS: WhatsApp encrypts ALL its worldwide jabber

Default set to keep texts from prying eyes


WhatsApp has announced that it will encrypt all its 600m users' text messages by default, which is a serious stride forward for privacy - and one which will no doubt be criticised by spooks and police worldwide.

The rollout, announced today, was described by the app maker as the "largest deployment of end-to-end encryption ever." The feature will, it's hoped, safeguard messages from eavesdroppers by encrypting chats between people.

There are limits to Facebook-owned WhatsApp's end-to-end encryption. So far, it only covers text messaging (as opposed to group messages or pictures), it only works on Android, and it remains open to potential man-in-the-middle attacks because there's no way to verify the identity of the person you're messaging.

Whisper Systems – the company behind the TextSecure software used for the encryption – said in a blog post that it was working on those issues, but nevertheless seems justifiably pleased with itself.

"We have a ways to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default," it said.

WhatsApp is estimated to have 600 million monthly active users cranking out billions of messages every day.

The open-source TextSecure software allows two devices to exchange encryption and decryption keys in a way that an eavesdropper and the TextSecure servers cannot crack. Assuming WhatsApp uses the same system, and hasn't compromised it for the feds, WhatsApp can't decrypt messages in transit, and TextSecure encrypts data at rest. It uses Curve25519, AES256, and HMAC-SHA256 to protect chats over the wires.

The software also provides perfect forward secrecy by using new AES keys for each message: if an attacker manages to recover the key for one text, that unique key cannot be used to crack past messages.
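The per-message keying described above, as an added example in Go; this is not WhatsApp's or Whisper Systems' code. It assumes both sides already share a root key (constructed here; in TextSecure that value comes out of the Curve25519 exchange the article mentions) and, as the article lists, uses AES-256 and HMAC-SHA256 for each message. Every message's keys are derived from a chain key that is then erased, and the demo at the end shows what forward secrecy buys: a copy of the sender's state taken after a message was sent cannot open that message. It also shows the limit of a bare hash chain, which does derive future keys, which is why the real protocol keeps folding fresh Curve25519 exchanges into the chain rather than relying on this chain alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Envelope is one message on the wire: chain counter, AES-CTR IV, ciphertext and HMAC-SHA256 tag.
type Envelope struct {
	Counter     uint32
	IV, Ct, Tag []byte
}

// Ratchet is a one-way hash chain of keys: each message advances the chain and the
// previous chain key is erased, so nothing left on the device can re-derive old keys.
type Ratchet struct {
	chainKey []byte
	counter  uint32
}

// prf derives a 32-byte subkey from key and a one-byte label via HMAC-SHA256.
func prf(key []byte, label byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte{label})
	return m.Sum(nil)
}

// Step yields this message's AES-256 key and MAC key, then replaces and zeroes the chain key.
func (r *Ratchet) Step() (msgKey, macKey []byte, counter uint32) {
	msgKey, macKey, next := prf(r.chainKey, 1), prf(r.chainKey, 2), prf(r.chainKey, 3)
	for i := range r.chainKey {
		r.chainKey[i] = 0
	}
	r.chainKey, counter = next, r.counter
	r.counter++
	return
}

// tag authenticates counter || iv || ct with HMAC-SHA256 under macKey (encrypt-then-MAC).
func tag(macKey []byte, counter uint32, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(binary.BigEndian.AppendUint32(nil, counter))
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// ctr applies AES-256-CTR; keys here are always 32 bytes, so NewCipher cannot fail.
func ctr(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// Encrypt advances the sender's chain and seals plaintext under that message's fresh keys.
func Encrypt(r *Ratchet, plaintext []byte) (Envelope, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return Envelope{}, err
	}
	msgKey, macKey, counter := r.Step()
	ct := ctr(msgKey, iv, plaintext)
	return Envelope{Counter: counter, IV: iv, Ct: ct, Tag: tag(macKey, counter, iv, ct)}, nil
}

// DecryptWithKeys checks the tag in constant time, then decrypts. The receiver calls it
// after its own Step(); it is also exactly what anyone holding captured keys can do.
func DecryptWithKeys(msgKey, macKey []byte, env Envelope) ([]byte, error) {
	if !hmac.Equal(env.Tag, tag(macKey, env.Counter, env.IV, env.Ct)) {
		return nil, errors.New("authentication failed: wrong keys or tampered message")
	}
	return ctr(msgKey, env.IV, env.Ct), nil
}

// ForwardSecrecyDemo sends one message from a constructed root key (standing in for the
// Curve25519 exchange output), copies the sender's state as a device compromise would
// capture it, and reports whether that state opens the earlier message and the next one.
func ForwardSecrecyDemo() (past, future bool) {
	root := sha256.Sum256([]byte("constructed demo root key, not a real session"))
	alice := &Ratchet{chainKey: root[:]}
	env0, _ := Encrypt(alice, []byte("first message")) // errors only if the OS RNG fails
	stolen := &Ratchet{chainKey: append([]byte(nil), alice.chainKey...), counter: alice.counter}
	mk, mac, _ := stolen.Step()
	_, errPast := DecryptWithKeys(mk, mac, env0)
	env1, _ := Encrypt(alice, []byte("second message"))
	_, errFuture := DecryptWithKeys(mk, mac, env1)
	return errPast == nil, errFuture == nil
}
```

`ForwardSecrecyDemo` returns `(false, true)`: the captured chain key is already one step past the first message, so that message stays sealed, while the next message is readable because the bare chain is deterministic from that point on. The receiver mirrors the sender by calling `Step()` itself before `DecryptWithKeys`, and a flipped ciphertext bit fails the HMAC check before any decryption happens.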

Apple's iMessage system, according to Cupertino [PDF, page 30], works along the same lines, except Apple manages a central database of public keys: every registered iThing and Mac has its own public-private key pair, with the public keys stored in iCloud, and every message sent to someone is encrypted using the public key of each of the recipient's devices.

This means a message sent to someone can be delivered simultaneously to each of the receiver's devices. If the feds were able to persuade Apple to silently and secretly create an extra public-private key pair for a target, with the g-men holding the private key to decrypt the chatter, well, that's another matter. Apple says it cannot decrypt messages because it doesn't hold users' private keys.
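The multi-device model described in the two paragraphs above, as an added example in Go. This is not Apple's code and does not reproduce iMessage's actual key sizes, algorithms or wire formats; it assumes a directory of per-device RSA public keys, wraps a fresh AES-256-GCM message key for every listed device with RSA-OAEP, and adds the check a client can make on its own: pin the device fingerprints it saw last time and flag any entry that appears later, since whatever key the directory lists will read everything sent from then on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Directory models the central store of device public keys (user -> one key per
// device). Whoever controls it decides which keys a sender encrypts to.
type Directory map[string][]*rsa.PublicKey

// Fingerprints hashes each listed key so a client can pin the set it saw last time.
func (d Directory) Fingerprints(user string) []string {
	var out []string
	for _, pub := range d[user] {
		out = append(out, fmt.Sprintf("%x", sha256.Sum256(pub.N.Bytes())))
	}
	return out
}

// NewDevices returns current fingerprints absent from the pinned set; a non-empty
// result means a device key was added since the client last looked.
func (d Directory) NewDevices(user string, pinned []string) []string {
	seen := map[string]bool{}
	for _, fp := range pinned {
		seen[fp] = true
	}
	var added []string
	for _, fp := range d.Fingerprints(user) {
		if !seen[fp] {
			added = append(added, fp)
		}
	}
	return added
}

// Fanout is one message to one recipient: AES-256-GCM ciphertext plus the
// message key wrapped separately for every device the directory listed.
type Fanout struct {
	Nonce, Ct   []byte
	WrappedKeys [][]byte
}

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Send encrypts once under a fresh message key, then wraps that key with RSA-OAEP
// for each of the recipient's directory keys, so every listed device can read it.
func Send(dir Directory, to string, plaintext []byte) (Fanout, error) {
	buf := make([]byte, 32+12) // message key, then GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Fanout{}, err
	}
	key, nonce := buf[:32], buf[32:]
	f := Fanout{Nonce: nonce, Ct: newGCM(key).Seal(nil, nonce, plaintext, nil)}
	for _, pub := range dir[to] {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return Fanout{}, err
		}
		f.WrappedKeys = append(f.WrappedKeys, w)
	}
	return f, nil
}

// Open is what a single device does: find the wrapped key its private key unwraps.
func Open(priv *rsa.PrivateKey, f Fanout) ([]byte, error) {
	for _, w := range f.WrappedKeys {
		if key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil); err == nil {
			return newGCM(key).Open(nil, f.Nonce, f.Ct, nil)
		}
	}
	return nil, errors.New("no wrapped key for this device")
}

// AddedDeviceDemo: Bob has one device and Alice pins its fingerprint; then a second
// key is registered for Bob. Reports whether Alice's pin check notices, and whether
// the added device can read a message sent afterwards (keys are supplied by the caller).
func AddedDeviceDemo(phone, extra *rsa.PrivateKey) (noticed, addedReads bool, err error) {
	dir := Directory{"bob": {&phone.PublicKey}}
	pinned := dir.Fingerprints("bob")
	dir["bob"] = append(dir["bob"], &extra.PublicKey)
	noticed = len(dir.NewDevices("bob", pinned)) > 0
	f, err := Send(dir, "bob", []byte("hi bob"))
	if err != nil {
		return
	}
	_, e := Open(extra, f)
	return noticed, e == nil, nil
}
```

Called with two freshly generated RSA keys, `AddedDeviceDemo` returns `(true, true, nil)`: the pin comparison sees the new fingerprint, and the added key reads the message because the sender dutifully wrapped the message key for it. The encryption itself is sound in both directions; the point is that the directory, not the cryptography, decides the reader set, so a client that wants to notice an extra device has to remember and compare that set itself.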

Wider picture

In the bigger scheme of things, simple and everyday messages and personal information wrapped up in hard-to-break encryption may soon become the norm. Up until now, encryption has either required extra effort or technical knowledge, use of a special service, or trusting third parties not to reveal your details even when faced with secret government orders.

Or to put it another way: when you are communicating with your mother or father over encrypted text, it's game over for crims and other miscreants, and a huge headache for the NSA and GCHQ.

US and UK government officials – and even the EU's top cop – accuse technology companies of hindering efforts against terrorism by encrypting data. With the head of the FBI demanding front-door access to encrypted phones, unbreakable encryption is not for the little people, in the authorities' eyes.

And yet Whisper Systems got $455,000 from the US government [PDF, page 17] to fund TextSecure development.

Speaking of money, the founder of WhatsApp, Jan Koum, announced yesterday that he had given $1m to the FreeBSD Foundation.

The Foundation "has helped millions of programmers pursue their passions and bring their ideas to life," he wrote on Facebook. The issue is personal for him: "I started using FreeBSD in the late 90s, when I didn’t have much money and was living in government housing. In a way, FreeBSD helped lift me out of poverty – one of the main reasons I got a job at Yahoo! is because they were using FreeBSD, and it was my operating system of choice. Years later, when Brian and I set out to build WhatsApp, we used FreeBSD to keep our servers running. We still do."

WhatsApp was bought for $19bn by Facebook, with the deal going through last month. ®

Batt-note

You may worry that there's a battery consumption issue, since the app will need to do extra computation on the phone itself to perform the encryption and decryption. But TextSecure is not known to be a power hog.

The chipsets used in today's smartphones and tablets often include electronics to perform encryption and decryption quickly in a power-efficient way, but software support for that hardware isn't guaranteed: the crypto accelerators in Qualcomm's Snapdragon 805, for example, have no publicly available Android drivers, apparently. That processor is used in the Nexus 6 smartphone.
