New WhatsApp Security Blow: Political Staffers Move To Signal; Here's Why That Matters
You have to admire the irony. Politicians and lawmakers around the world continue to rail against the use of end-to-end messaging encryption, with market-leading WhatsApp judged the main culprit in securing nefarious communications. But, even as that debate rages, the EU Commission has instructed its staffers to use Signal instead of WhatsApp (or anything else). It’s more secure, they have been told, for messaging the outside world. That would be the end-to-end encryption at work.
As reported by Politico, the move comes in response to various “high-profile incidents” that have “shocked diplomats and officials.” Staffers were given the instructions earlier this month. Signal is seen as a more secure option than WhatsApp: it is operated by a non-profit foundation and, alongside Wickr, is regarded as putting security first above all else.
The EU is undergoing cybersecurity improvements after the long-term interception of diplomatic cables was exposed in late 2018. And politicians have been spooked by the trail of high-profile cyber risk that has seen compromises of both Android and iOS devices by nation-state exploits in the last year. Until recently, WhatsApp had become the default messaging tool for groups of politicians and staffers, but there has been a gradual shift to alternatives for more secure communications.
Underpinning Signal is an open-source platform judged more secure because its code is open to inspection by its community, which makes vulnerabilities much harder to hide (open code is no guarantee that none exist, but it lets independent researchers look for them and verify fixes). WhatsApp’s security is based on Signal’s protocol, but its implementation is not open-source and so does not have the same level of transparency. Signal has until recently been seen as much more specialist than WhatsApp, but now has aspirations to go “mainstream,” as reported by Wired last week.
WhatsApp has done more to popularize end-to-end encryption than anyone else. The platform hit the staggering milestone of 2 billion users this month—that represents a sea-change for communications security. At the same time, WhatsApp has been hit by a number of security scandals—some based on hackers targeting endpoint vulnerabilities and others based on bugs in its code or social engineering. The security of WhatsApp’s data transport, though, has not been questioned.
Signal is more restrictive and so more secure at its endpoints, and that will make a difference here. Restrictions can be placed on messages received from non-contacts, which cuts the exposure to unsolicited content from unknown senders, and messages can automatically be deleted after a set time, so less history sits on a phone that is later lost, seized or compromised. There are disadvantages, though: backing up and restoring is more difficult, and (painfully) there is currently no way to transfer message history to a new phone on iOS.
Clearly, some of the issues besetting WhatsApp are a product of its scale. Reported nation-state attacks, the risk from crafted media files and a potential backdoor to lock targeted individuals out are all examples of such endpoint hacks. For attackers, be they nation-state or criminal, the advantage of a WhatsApp hack is the ubiquity of the platform. Knowing a target has an app installed makes exploiting a vulnerability in that app exceptionally powerful.
And then there are basic user errors: A social engineering hack I reported on last month, where users were tricked into giving up their WhatsApp one-time passcodes; and the open-invite issue where WhatsApp groups could be accessed via links searchable on Google, as reported by my colleague Kate O’Flaherty.
On the surface, this is a story about the need for improved cyber defense among political staffers. But, beneath that surface, it goes to the heart of why strong encryption is so critical. There is a further irony in the twist that WhatsApp co-founder Brian Acton put $50 million into Signal after departing over strategic differences of opinion with Mark Zuckerberg, and it is that money that is helping drive the platform’s shift to the mainstream to better compete with WhatsApp.
The encryption debate is set to intensify this year. It is clear that lawmakers are not willing to take the industry’s protests as enough of a reason to limit their ability to collect intel during investigations. And so to the final irony here: Signal’s ability to remain fully encrypted relies on Facebook winning its battle with the U.S. (and U.K. and Australian) authorities to prevent a requirement for backdoors to be added.