WhatsApp’s end-to-end encryption useless, says Telegram CEO
Telegram's founder Pavel Durov has no love lost for WhatsApp; this we already know. After stating that Amazon CEO Jeff Bezos' data would have been safe with Telegram, Durov has explained why WhatsApp's much-advertised end-to-end encryption is useless.
In a blog post titled 'Why Using WhatsApp is Dangerous', Durov wrote that backdoor bugs leave any and all data on smartphones exposed and accessible to hackers. And these backdoor bugs are what render end-to-end encryption useless.
Durov seems to be pretty certain that these bugs were used to extract data from Bezos' iPhone.
"WhatsApp's 'corrupt video' vulnerability was present not only on iOS, but also on Android and even Windows Phone devices. Meaning, on all mobile devices with WhatsApp installed," Durov writes.
Bezos' iPhone was hacked after he downloaded a video file he received on WhatsApp from the Crown Prince of Saudi Arabia.
"A few months ago I wrote about a WhatsApp backdoor that allowed hackers to access all data on any phone running WhatsApp," wrote Durov. He added that Facebook, at that point in time, had claimed that "they had no proof the flaw had ever been used by attackers".
"Since the attack seemed to originate from a foreign government, it is likely that countless other business and government leaders have been targeted," Durov wrote, adding that "the United Nations now recommends its officials remove WhatsApp from their devices, while people close to Donald Trump have been advised to change their phones".
However, instead of apologising and accepting blame, Facebook and Apple have been passing the buck to each other. "They announced that Apple, not WhatsApp, was to blame. Facebook's vice president claimed that iOS, rather than WhatsApp, had been hacked," Durov added.
Durov claimed in his blog that Telegram's end-to-end encryption was added years before WhatsApp's and is far more secure. He listed three examples to corroborate his claim:
"First, there are backups. Users don't want to lose their chats when they change devices, so they back up the chats in services like iCloud - often without realizing their backups are not encrypted. The fact that Apple was forced by the FBI to abandon encryption plans for iCloud is telling. That's one of the reasons why Telegram never relies on third-party cloud backups, and Secret Chats are never backed up anywhere," the blog reads.
"Second, there are backdoors. Enforcement agencies are not too happy with encryption, forcing app developers to secretly plant vulnerabilities in their apps. I know that because we've been approached by some of them - and refused to cooperate. As a result, Telegram is banned in some countries where WhatsApp has no issues with authorities, most suspiciously in Russia and Iran," Durov writes.
"Backdoors are usually camouflaged as 'accidental' security flaws. In the last year alone, 12 such flaws have been found in WhatsApp. Seven of them were critical," Durov explained. He added that while WhatsApp could still claim to be secure despite these flaws, seven critical security flaws in a year is not a good statistic. On the other hand, Durov added, Telegram has had no severe issues in six years.
For the third point, Durov writes that there are flaws in encryption implementation - "How can anybody be sure that the encryption WhatsApp claims to use is the one actually implemented in their apps? Their source code is hidden and the apps' binaries are obfuscated, making them hard to analyze".
Telegram apps are open source and their encryption has been fully documented since 2013, writes Durov, adding that "anyone can make sure the source code on GitHub and the Telegram app you download are the same thing" both for Android and iOS. "No other messaging app is doing that for both mobile operating systems, and one might just start wondering why," he pointed out.
Durov defended his antipathy for WhatsApp by saying that while he was personally inclined to support the messaging app, his statements are "based on facts and not personal preference".
"And, just like the code of the Telegram apps, these facts are verifiable and further supported by the third-party sources below. When it comes to security, nobody should take anybody's word for granted," Durov concluded.