Unnecessary Evil: Multi-Device Instant Messaging can be private
TL;DR: Contrary to Meta’s WhatsApp claims, it is possible to have an Instant Messaging service with End-to-End Encryption (E2EE) in the Multi-device setting without compromising users’ privacy.
A few days ago (January 17th 2014) we had published our findings on a privacy issue that leaks Meta’s WhatsApp users’ devices identity to any other user.
Our findings were covered by TechCrunch and while other security and privacy experts had agreed that this is indeed an issue, Meta’s response tried tp downplay it as “necessary ”, avoiding even admitting it is at least a necessary evil.
Meta’s spokesperson Zade Alsawah told TechCrunch that the company received Be’ery’s research and concluded that the app’s current design “is what users want and expect.”
“It used to be the case that your phone had to be online to receive messages and that provided significant limitations for people. With multi device users can send and receive their personal messages across devices privately with end-to-end encryption — and that’s the direction we’ll continue to take,” Alsawah said in a statement.
Therefore, if in the previous blog we showed that WhatsApp’s privacy issue is evil, then in this blog we will show it is unnecessary.
Revisiting WhatsApp’s design issue
As explained in the original blog, the core reason for this issue was WhatsApp design choice of implementing multi-device E2EE with client fanout:
- Each user’s device generates a key, named “Identity Key” which is used to encrypt future communications with it.
- The sender is responsible to send its message to all of the recipient’s devices. As a result, senders and even potential senders (as this information needs to be ready before senders can send) must be aware of all recipients’ devices and keys and can monitor changes to this setup.
Solution 1: Lockdown mode
This optional Lockdown mode will enable users to limit messages’ reception to ones sent by their contacts only. Consequently, only the users’ contacts will need and be able to view their device information.
While it does not fully prevent the privacy issue it presents a dramatic improvement compared to the current situation in which any user, including blocked users, can view that information.
This Lockdown mode will be very helpful to security and privacy aware users across the board, as it would prevent them from receiving all kind of malicious messages from non-contacts: including 0-days exploits, social engineering and phishing or even just spammy messages .
My prediction: This lockdown mode is such a no-brainer that it would be implemented by WhatsApp, this year (2024)
Solution 2: Using server fan-out
To completely solve this issue a design change must be done, and the burden of distributing the messages needs to be switched from senders to WhatsApp server.
As a result, the senders are only aware to a single recipient key, regardless of the number of the recipient’s devices and are not aware of all recipients’ devices and keys and cannot monitor changes to this setup.
Luckily, such work already exists! (Thank you Dr. Eyal Ronen for pointing that out). This 2019 paper named “Multi-Device for Signal” considers the multi-device scenario for the Signal protocol, which is used by WhatsApp (and others) and explicitly addresses and solves its privacy issues
Concluding thoughts
I firmly believe that security issues need to be reported and acknowledged by vendors, regardless of solution’s existence. When security researchers responsibly disclose a valid security issue, they should be rewarded for their efforts and not asked to provide solutions.
In this case the issue is both valid and solvable. Therefore, I expect Meta and WhatsApp to do the right thing: fix their initial wrong statement, acknowledge the issue is valid and treat the researcher who found it according to their policy.
