How safe are voice calls on Viber, FaceTime and WhatsApp? How encryption works in the WhatsApp messenger and why it is important to check security codes. Is WhatsApp safe?

WhatsApp is a cross-platform application used by millions of users. Many subscribers are concerned about the security and protection of their personal data when working in the messenger. The developers emphasize that WhatsApp security is at a fairly high level.

Messenger security

The first thing you should pay attention to is the terms of service on WhatsApp. The developers have prescribed such points as the protection of personal data, the prohibition of insults and threats during correspondence.

The tools offered to ensure security are also important. For example, here you can set parameters that limit access to the user’s profile (his status, photo, time of last visit to the application).

Messenger subscribers are given the opportunity to change notification settings by turning off read notifications for messages sent to another contact.

Encryption

In WhatsApp, encryption allows you to ensure the confidentiality of correspondence. At the beginning of its history, developers used the XMPP channel. Messages were transmitted over an unsecured path and could be easily traced. In 2012, the developers tried to correct the situation. Then the correspondence became quite secure and they tried to hide it as much as possible from outsiders.

However, at the end of the same year, another vulnerability was found in the application. Through it, it was possible to hack the correspondence of any user and read it. The developers quickly dealt with the problem and released a new version of the messenger, in which protection was given special importance.

From time to time, bloggers' messages about WhatsApp vulnerabilities appear on the Internet. For example, one Dutch student noted that he could even read encrypted messages in the messenger. This is due to the encryption process itself, which uses the same phrase. But the security problem arises mainly when using public wireless access points to the network.

Despite such messages, the developers themselves state that the security of the application increases with every new version. The confidentiality of correspondence is also guaranteed by the fact that messages are stored on users’ devices and not on servers. Therefore, only senders and recipients have access to chat history.

Four tips to follow for anyone concerned about personal data leaks.

But before you start spreading your plans to overthrow global capitalism via WhatsApp, keep in mind that intercepting messages while they are in transit is just one way to spy on you, and a rather unlikely one. Encryption itself isn't much use unless you also follow the rules below.

You don't save messages on your phone

If you really want no one to read your messages except you, delete them immediately after reading them. If someone gets hold of your phone (steals it, for example) and is able to unlock it, as the FBI most recently did with the San Bernardino shooter's iPhone, they will have access to everything stored in memory. Some instant messengers, for example, have a “self-destruct” function: when it is activated, messages are automatically deleted after a specified period of time. WhatsApp does not have such a feature yet. (On the other hand, in Telegram end-to-end encryption does not work by default; you need to enable it specifically.)

You are not saving messages to the cloud

WhatsApp does not save your conversations on its servers. But you can, for example, save a backup copy of your messages to iCloud, a cloud service. Once information reaches the cloud, it can be intercepted by the government.

Signal is an app popular among privacy advocates. It uses the same encryption technology as WhatsApp and does not back up to the cloud.

Way to go WhatsApp, but I'm not ready to give up Signal. I fear that many of my WhatsApp friends have enabled unencrypted cloud backups.

Christopher Soghoian (@csoghoian) April 5, 2016

And hopefully it goes without saying that taking a screenshot of messages you've deleted also puts you at risk if photo backup is enabled or if you lose your phone.

Nobody's looking at your screen

If someone can see the screen of your phone with correspondence, then there is no point in encrypting it. Moreover, given the proliferation of phones with powerful cameras, the only way to completely protect yourself from this is to move away from all possible lines of sight and exclude the presence of any reflective surfaces nearby, including glasses and, possibly, even the eyes themselves. So, perhaps, it is best to correspond in a room without windows, with your back against the wall.

The trend towards secure communications that began with text messages has also affected “voice”. In 2016, WhatsApp, Viber and ICQ announced the use of end-to-end encryption in voice calls. To provide secure calls, the Signal messenger was launched in 2014. Also two years ago, the presence of encryption in the FaceTime service was announced in.

One of the once popular solutions in this area, Skype, introduced voice protection back in the late 2000s, which upset Western intelligence agencies.

However, as the editor of MForum Analytics, an expert in the field of telecommunications, notes in a conversation with Gazeta.Ru, the transition of subscribers to IP telephony and video communication is caused primarily by ease of use and price. In fact, a client of a particular operator only needs to pay for an Internet traffic package, which is increasingly unlimited.

The speaker admits that privacy is important for a certain percentage of users, but certainly not for the majority. The same opinion was expressed in a conversation with Gazeta.Ru by the CEO of the information and analytical agency TelecomDaily. In his opinion, the number of subscribers switching to service solutions due to concerns about confidentiality does not exceed 10%.

In general, market experts agree that Internet services really do provide a higher level of confidentiality for conversations than regular mobile communications.

Recall that the operators, according to Russian legislation, are required to install SORM-1 on their networks, allowing law enforcement agencies to gain access to any conversation. In 2014, the authorities became concerned about the data transmitted on the network, obliging providers to install the so-called SORM-3. Thanks to the system, the conversation, which is information in digital format, remains with the operator. However, due to coding, understanding this data packet, how and what exactly the user said, and at what moment he looked at pictures with cats, remains a difficult task for law enforcement officers.

“At the same time, one should not overestimate the security of international instant messengers; it is not 100%, and the intelligence services of various countries probably have the notorious “keys” to some services,” warns Boyko.

Annoying privacy

The founder of the Internet Protection Society, Leonid, told Gazeta.Ru that he had not encountered specific cases of wiretapping of voice calls in Skype, Viber or WhatsApp.

According to him, people who pay increased attention to privacy prefer FaceTime. But he found it difficult to answer what exactly caused this choice: taste preferences or truly powerful protection of the service itself.

Turkish President Recep Tayyip Erdogan on CNN via FaceTime

Volkov also said that theoretically, instant messengers with call support cannot be considered completely safe, but there is a long way to go from theoretical vulnerability to practical interceptions.

“First of all, because there are much simpler ways to obtain information: plant a Trojan that will record the “voice” on the device,” explains the IT specialist.

The publication’s interlocutor believes that this method is several times more effective and cheaper. An expert from ESET Russia also warned about installing malicious software on a user’s device in a conversation with Gazeta.Ru.

At the same time, in his opinion, data transmitted via the Internet is easier to intercept than in operator networks.

“There are many possible connection points: on the local network, via public Wi-Fi, at the provider, etc. This does not require expensive equipment: an ordinary computer or tablet with hacker software is enough,” the speaker noted.

But if strong encryption is used, then even after intercepting the traffic, the attacker will not be able to “listen” to it, continues Zheleznyakov.

The inability of intelligence agencies to reach the contents of calls organized using an Internet connection can be an irritation for the authorities. Kuskov called the lack of SORM in communication services a problem from the government’s point of view.

The analyst predicts that in the future there will be “fights” between legislators and the owners of instant messengers to establish “cooperation.”

The speaker is not sure whether the adoption of the “Yarovaya package” can be considered an attempt to subordinate Skype, Viber and WhatsApp to the secret services, since it is still unclear how the law will work and what information will be required under it. The agency itself said last week that the document does not require mandatory certification of encryption tools on the Internet.

Volkov even called the “Yarovaya package” nonsense. “Even more traffic will be written and stored on it, and, therefore, it will be even more difficult to find anything valuable in it,” the expert added.

Difficult to predict future

The colossal growth in popularity of applications that support voice calls around the world is due, as in other cases, to innovative products, the development of gadgets and high-speed mobile internet (3G and LTE).

After Russian operators switched to the package model of providing their classic services, the savings from calls via Skype or Viber began to disappear. But thanks to the ubiquity of smartphones and Wi-Fi connections, the applications remain comfortable to use, and they make it possible to place calls without unnecessary difficulties when traveling to other countries.

One of the latest trends in the market has been the active distribution of video content. The phenomenon has not spared the segment of Internet communication services. Thus, according to ICQ, almost 59% of calling users communicate via video conference.

Boyko and Kuskov believe that in Russia it is difficult to predict the future not only of “voice” services, but also of any other telecom products.

“We have too high a probability of political decisions that could affect this market,” predicts an MForum analyst.

But the speaker reassures: if force majeure does not arise, then there is no doubt about the further growth in popularity of various international messengers due to their global nature and ease of implementation.

In the coming year, the authorities may develop amendments to the Law “On Communications” that will regulate the activities of Internet services. In particular, the head of .

Telecom corporations may also be interested in preparing legal regulations that will affect the operation of voice calls on the network.

“Russian telecom operators have few levers that would allow them to retain voice and SMS subscribers. If they don’t use their lobby to get market regulators to directly ban the actions of competitors, then they have little chance,” Boyko said.

At the same time, companies have the opportunity to work in cooperation with services, receiving a share of revenue from them in exchange for network settings, the expert added.

Manipulations with channel capacity and data transfer speeds can, on the contrary, become an attempt at blackmail on the part of operators, Kuskov believes. But one company, according to the analyst, will not be able to change the situation, and if the operators collude, it will join in.

More than one billion people exchange messages with friends, family and colleagues using WhatsApp at least once a month. Problem: About 42 billion messages passing through WhatsApp servers every day could still be read by anyone with the appropriate resources and the necessary knowledge, including intelligence agencies and hackers. Now WhatsApp, thanks to the system-wide principle of end-to-end encryption, will make their life more difficult.

Many users, however, doubt that the Facebook-owned messenger will be able to deliver what it promises, which is to provide a secure connection that anyone can truly control. We've taken a closer look at the situation and will tell you how reliable WhatsApp really is.

Signal encryption protocol

Encryption check.
To find out if your messages are encrypted, select “Account | Safety”.

To encrypt messages, WhatsApp uses the open-source Signal protocol (previously the protocol was called Axolotl), in the development of which Moxie Marlinspike, a cybersecurity specialist, participated. Marlinspike, who has an excellent reputation in IT security circles, is the founder of the software development organization Open Whisper Systems, which, in particular, released the Signal crypto messenger.

From a technical point of view, the Signal protocol is an asymmetric encryption method using public keys. The key pairs required for encryption and decryption are generated on the smartphone when the WhatsApp client is installed. When a user logs into WhatsApp, the public keys are stored on the messenger's servers. According to the technical documentation, WhatsApp servers do not have access to private keys; these are stored locally on the smartphone. This means that the user does not have to enter the key or keep it in his head: the smartphone itself becomes the key. WhatsApp encrypts all content, from plain text to voice messages. The same applies to calls made using the service. Before exchanging the first messages, the clients on the interlocutors' smartphones agree on a common root key and a chain key by exchanging public keys.

Then, based on the latter, its own short-term key is created for each message. Because all keys are constantly updated, as in Perfect Forward Secrecy, an attacker who knows the individual keys cannot decrypt future or previous messages.
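The per-message key derivation described above, as an added example that is not WhatsApp's code: it follows the symmetric chain step published in the Signal Double Ratchet specification (HMAC-SHA256 with the constants 0x01 and 0x02). The `Chain` class, `MAX_SKIP` and the session secret are assumptions constructed for illustration.

```python
import hashlib
import hmac

MAX_SKIP = 32  # assumed cap on delayed messages whose keys are kept around


def kdf_chain(chain_key: bytes) -> tuple[bytes, bytes]:
    """One ratchet step: (next_chain_key, message_key), both one-way."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


class Chain:
    """One direction of a session; the old chain key is overwritten each step."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.index = 0                       # number of the next message key
        self.skipped: dict[int, bytes] = {}  # keys held for delayed messages

    def _step(self) -> bytes:
        self.chain_key, message_key = kdf_chain(self.chain_key)
        self.index += 1
        return message_key

    def next_key(self) -> tuple[int, bytes]:
        """Sender side: (message number, key) for the next outgoing message."""
        n = self.index
        return n, self._step()

    def key_for(self, n: int) -> bytes:
        """Receiver side: key for message n; each key can be fetched once."""
        if n in self.skipped:
            return self.skipped.pop(n)
        if n < self.index:
            raise KeyError(f"key for message {n} was already used and erased")
        if n - self.index > MAX_SKIP:
            raise ValueError("gap too large, refusing to derive that many keys")
        while self.index < n:                # stash keys for messages not yet seen
            i = self.index
            self.skipped[i] = self._step()
        return self._step()


def demo() -> dict:
    root = hashlib.sha256(b"constructed session secret").digest()
    alice, bob = Chain(root), Chain(root)
    sent = dict(alice.next_key() for _ in range(4))      # messages 0..3
    # The network reorders delivery: 0, 3, 1 (message 2 is still in flight).
    in_order = all(bob.key_for(n) == sent[n] for n in (0, 3, 1))
    try:
        bob.key_for(0)
        replay_rejected = False
    except KeyError:
        replay_rejected = True
    # Someone copies Alice's state now. Walking the chain forward from the
    # copied chain key never reproduces the keys of messages 0..3.
    stolen, derived = alice.chain_key, set()
    for _ in range(100):
        stolen, mk = kdf_chain(stolen)
        derived.add(mk)
    _, key4 = alice.next_key()
    return {
        "in_order": in_order,
        "replay_rejected": replay_rejected,
        "past_keys_exposed": bool(derived & set(sent.values())),
        # Later keys on the SAME chain are derivable; protecting those needs
        # the Diffie-Hellman ratchet, which reseeds the chain (not shown).
        "next_key_exposed": key4 in derived,
        "bob_pending": sorted(bob.skipped),
    }
```

Calling `demo()` shows that earlier message keys stay out of reach after a state copy, while the next key on the same chain does not; that second property is why the full protocol also mixes in fresh Diffie-Hellman output.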

Additional control.
Information about whether the chat is encrypted is also available in the chat context menu, under the “View contact” item.

Since until recently there were no reports of vulnerabilities in the Signal protocol (the alleged hack of WhatsApp by antivirus developer John McAfee was subsequently presented as a PR stunt), this encryption can be considered reliable. However, this only applies as long as the connection is between two smartphones. A weak point does exist, however: the web client and the desktop client.

Since last year, WhatsApp can be used on a computer via a browser. Clients for Windows and Mac OS X were also released in May 2016. Basically, these applications are a kind of remote control for the smartphone application that “mirrors” the account with all its content on the computer. To set this up, just scan the QR code shown in the web or desktop client using the smartphone application. Next, the computer creates a secure HTTPS connection with the smartphone, though not a local one (over the wireless network, for example) but one via the Internet.

Web client as a “weak link”

Encryption only with update.
Messages are only encrypted if both parties have updated their apps to the latest version.

For end-to-end encryption this poses a big problem. If it is true that, as stated in the documentation for the WhatsApp messenger, the server does not have access to the user’s private keys, then the same condition applies to web or desktop clients that synchronize with the smartphone through the WhatsApp server. This would mean abandoning end-to-end encryption of messages between these clients and the smartphone app and replacing it with weaker transport encryption, which is vulnerable to so-called Man-in-the-Middle attacks.

In another possible scenario, in which the communication between the smartphone application and the remote client was end-to-end encrypted, the user's private keys would have to be transmitted over the Internet. Since they could be intercepted, this would mean a catastrophic crypto failure.

The WhatsApp developers are silent on this issue: web and desktop clients are not mentioned in the documentation, and a corresponding request from Chip was not answered. It doesn't matter which scenario is used for external clients: those who place great importance on end-to-end encryption should not interfere with the process.

Nothing is simpler

Full access.
WhatsApp requests access to a lot of data; starting with Android 6, it is possible to restrict access rights.

As for the convenience of encryption, WhatsApp does everything right - it couldn’t be simpler. To enable end-to-end encryption, both participants (or, in the case of a group chat, all participants) must update the application to the latest version.

With WhatsApp releasing mandatory updates periodically, it's only a matter of time before end-to-end encryption becomes widespread. However, all variants of WhatsApp, regardless of operating system, support encryption. Anyone who wants to know whether their application uses encryption can check this in their account settings, in the “Encryption” item. You can find out whether the interlocutor uses encryption in the chat context menu, under “View contact | Encryption”.

There is an additional option to verify the other person’s public key by having both users scan a QR code from the other person’s smartphone display. To do this, select a contact in the contact list, then click on the button with the image of three dots in the upper right corner of the screen, go to “View contact | Encryption” and follow the program instructions.

Along with encrypting the actual content of messages, WhatsApp also encrypts metadata and information about the identities of the interlocutors and the duration of their communication. This data is transmitted, however, using transport encryption rather than end-to-end encryption, to “hide from unauthorized network observers,” as the documentation calls it. In simple terms, this means that WhatsApp, and likely also parent company Facebook, have access to this data.

The fact that the social network is not friendly with data protection is quite widely known. WhatsApp also doesn't seem to place much importance on informing users about what's happening with their data. In particular, the user agreement with WhatsApp on the official website is currently only available in English.

With WhatsApp, encryption should also not be confused with anonymity. Anyone who attaches great importance to this or does not want to give Facebook access to their personal address book should turn to alternative crypto messengers.


Alternative crypto messengers

Most alternatives to the WhatsApp messenger are not yet so popular, but they often offer even more advanced features. Those who are distrustful may use alternatives to share important data, e.g. business correspondence. We present three such messengers:

Signal (formerly TextSecure)

It is a free and open source messenger for Android and iOS, developed by Open Whisper Systems. Along with encrypted text messages and telephone conversations, you can also exchange unencrypted SMS and MMS. End-to-end encryption uses the Signal protocol, which is also used by WhatsApp. A beta version of the desktop client has been available since April 2016.

Telegram

Free and ad-free messenger available for all major platforms. Along with the usual messaging function, it also has the ability to send end-to-end encrypted messages in so-called “secret chats”. Telegram was developed by Pavel Durov, the founder of the social network VKontakte. However, according to his own statement, the messenger is not associated with either the VKontakte website or Russia. The company's headquarters are located in Berlin.

Threema

Like Signal, it transmits all messages using end-to-end encryption. Along with texts, you can send images, videos, location, voice messages and attached files up to 20 MB in size. Threema's servers, as well as the company's main office, are located in Switzerland. The application is available for Android, iOS and Windows Mobile, its cost is 179 (Android) and 229 rubles (iOS). In addition, a version of the messenger (Threema Work) has been developed, adapted for enterprises.

Despite the popularity of the messenger and assurances from the developers that WhatsApp security and privacy are “built into” the DNA of the utility, and that not a single account is tapped, claims are still made against the program. Many of the application’s problems apply to other instant messengers, but in terms of security, the service is inferior to its competitors, according to experts. Is it so?

Start of service: reliability was out of the question

Stories about WhatsApp hacking began to appear almost every week since the appearance of the messenger. At the beginning of the application's history, an XMPP channel was used. Messages were transmitted over a weakly protected path. The encrypted application data was hacked with a simple script. Viruses were downloaded onto PCs via the web version, the entire chat history was opened for personal gain, etc.

In 2012, the developers solved the security problem in WhatsApp - correspondence became as hidden as possible from outsiders and wiretapping became more problematic.

According to company employees, when developing each new version, the issue of security is brought to the fore. Thus, its level increases noticeably. What is the situation now?

End-to-end encryption and new confidentiality agreement

End-to-end encryption is an innovation in the security and privacy policy of WhatsApp. Its essence lies in the fact that every message sent, whatever its size and content, is encoded with a separate key, which only the sender and recipient have. This scheme excludes the simultaneous operation of WhatsApp on two or more devices, such as on a PC and a smartphone or on two phones.

The security code consists of 60 digits, so what is shown on the phone screen is just part of the chain. This strategy will secure communication between two or more people.

How does end-to-end encryption work? Device A requests a public key from the messenger server. A message is sent from A to B, pre-encoded with this key. User B's device decrypts the message upon receipt.

This innovation only works in the new version of the messenger. Thus, older versions of it must be updated to ensure that the data is as secure as possible and to ensure that the information is not eavesdropped. When updating, the program itself will ask you to accept the new confidentiality agreement.

During the installation of updates, you need to accept the agreement, but you still need to do this correctly.

At the end of summer 2016, WhatsApp updated its terms and privacy policy.

Accounts began to be linked to people's Facebook accounts. This means messages can now be analyzed for commercial purposes, such as improving the conversion of targeted Facebook ads. Can this be avoided? Fortunately, yes.

To make eavesdropping impossible, when accepting the agreement, you must click on the text with the privacy terms with the arrow on the right. Next, scroll to the end and uncheck the box. This lets you know that you do not allow your account information to be used to improve your experience with Facebook ads and products.

How do I confirm my security code?

This is an optional procedure, as encryption is automatically enabled when you update the application. However, let's look at how you can check this security code.

Go to the chat and click on the contact, thereby opening a menu with several items. Select the “Encryption” section.

A QR code and a long set of numbers in three rows will appear in front of you. You will be asked to confirm your security code. You can do this by clicking on “Scan Code” or manually. Point your phone camera at the code that appears on the screen of your interlocutor's phone. It doesn’t matter whether it’s Android or iOS. A green checkmark will appear indicating a successful scan. Otherwise, you can simply visually compare the codes.

What if the code doesn't match? It is possible that another person's code was scanned by mistake. The message recipient may also be using an old version of the program; for messages to be encrypted, they need to update WhatsApp.
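What the comparison of security codes actually checks, as an added example that is not WhatsApp's code: it follows the fingerprint steps in WhatsApp's published security whitepaper (iterated SHA-512, first 30 bytes, five digits per 5-byte chunk). The exact hash input layout, the keys and the phone numbers are constructed assumptions, so the digits will not match a real client.

```python
import hashlib

ITERATIONS = 5200  # iteration count given in the whitepaper


def fingerprint30(identity_key: bytes, user_id: bytes) -> str:
    """30-digit fingerprint of one party's public identity key."""
    digest = identity_key + user_id          # assumed input layout
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    groups = []
    for offset in range(0, 30, 5):           # first 30 bytes, six 5-byte chunks
        chunk = int.from_bytes(digest[offset:offset + 5], "big")
        groups.append(f"{chunk % 100000:05d}")
    return "".join(groups)


def security_code(own_key: bytes, own_id: bytes,
                  peer_key: bytes, peer_id: bytes) -> str:
    """60 digits: both fingerprints, sorted so both phones show the same string."""
    return "".join(sorted([fingerprint30(own_key, own_id),
                           fingerprint30(peer_key, peer_id)]))


def as_rows(code: str) -> list[str]:
    """Lay the code out as three rows of four 5-digit groups."""
    groups = [code[i:i + 5] for i in range(0, len(code), 5)]
    return [" ".join(groups[i:i + 4]) for i in range(0, len(groups), 4)]


def demo() -> dict:
    # Constructed 32-byte stand-ins for public identity keys, and sample numbers.
    alice = (hashlib.sha256(b"alice key (constructed)").digest(), b"+15550100")
    bob = (hashlib.sha256(b"bob key (constructed)").digest(), b"+15550101")
    other = (hashlib.sha256(b"substituted key (constructed)").digest(), bob[1])

    on_alice = security_code(*alice, *bob)   # Alice's phone: her key + Bob's
    on_bob = security_code(*bob, *alice)     # Bob's phone: his key + Alice's
    # If the key Alice received for Bob is not the one Bob actually holds,
    # her phone computes a different code than his and the check fails.
    on_alice_wrong_key = security_code(*alice, *other)
    return {
        "code": on_alice,
        "rows": as_rows(on_alice),
        "honest_match": on_alice == on_bob,
        "substituted_match": on_alice_wrong_key == on_bob,
    }


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["rows"]))
    print("codes match:", result["honest_match"])
    print("codes match with a substituted key:", result["substituted_match"])
```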

What additional things can be done to prevent your account from being tapped? Take into account the possibilities offered by the service: limit access to your profile (status, time of last visit to the application, photos, etc.). Messenger users can also turn off notifications that a message has been read.

With the new version of the utility, the developers have significantly increased the level of data security in user accounts. Of course, there are pitfalls here, in particular, the connection between WhatsApp and Facebook. However, with end-to-end encryption, it is now extremely difficult for third parties to eavesdrop on conversations.