London Attack using WhatsApp — An Open Invitation to Terrorists and Hackers?

In the aftermath of the recent attack in London by an alleged terrorist, the popular WhatsApp messaging service has itself become a target of the British Government. The U.K. Home Secretary, Amber Rudd, wants WhatsApp to make end-user content available to British intelligence services.

This follows the disclosure that the attacker used the messaging service shortly before launching the violent attack that claimed the lives of four people.

This is not the first time that a government has pressured a major IT vendor or service provider to give it access to private end-user information. After a deadly attack in San Bernardino, California, the FBI demanded that Apple hand over the passcodes to unlock an iPhone used by one of the attackers. Apple stood firm on its end-user data privacy policy. In the end, the FBI cracked the codes using other resources.

For WhatsApp, however, the situation is slightly different. The founders of the messaging service went on record in April 2016, at the time WhatsApp became fully encrypted, to say that only the user-designated recipient of a message could read that message. In other words, not even WhatsApp engineers can decipher end-user message content. There is no backdoor designed into the system to make such access possible.

This would not prevent security agencies from finding and exploiting vulnerabilities in the WhatsApp code, if such vulnerabilities existed. The recent revelations by WikiLeaks about the CIA’s covert exploitation of flaws in popular mobile operating systems indicate that this is possible. However, if no weaknesses were immediately detectable in WhatsApp, the service provider’s developers would have to deliberately create one (a backdoor) to meet current UK official demands.

A purpose-built security hole would then pose a problem in terms of possible cyber-criminal attacks, not to mention the difficulty for WhatsApp to defend its decision with its user base, following its previous position on upholding the confidentiality of its users’ messages. Nonetheless, for the moment, it is unclear whether UK surveillance rules could be used to make a US-based firm comply.

Rudd also made an additional telling statement, when she said, “We need to make sure that organizations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other”. The risk of weakening WhatsApp’s security posture for end-users is of course that terrorists will simply switch to another platform for their communications. Law enforcement agencies are then likely to always be one step behind, even if they manage to persuade or coerce different vendors into providing them with access to end-user data.

Law-abiding citizens and organizations may be negatively affected by such modifications to their favorite apps and the damage to their privacy, but at least they can know what the security status of the app is at any given time. AppInterrogator and Recon from Mi3 Security test apps of all kinds to show this information rapidly and reliably, providing users with an objective, easy-to-understand rating about the safety of using each app. So, even if a government manages to bend a vendor’s will, at least honest end-users can be warned as well.