How an attacker can downgrade Whatsapp encryption
Several keys secure messages in the Signal protocol, as used by Whatsapp. Attackers can disable one of them, which is also suitable for denial of service.
(Image: PixieMe/Shutterstock.com)
By sending ongoing requests to the Whatsapp server, attackers can temporarily lower the encryption for a specific victim by one level – or make it unreachable for everyone (denial of service). The information gathered about the target person along the way is probably more valuable. Austrian security researchers Gabriel Gegenhuber and Maximilian Günther from the University of Vienna presented their findings at the DEFCON 2025 IT security trade fair on Sunday (local time).
The focus was on a security feature called Perfect Forward Secrecy (PFS). This involves generating a separate key pair for each message, in addition to the longer-lived key pairs of the conversation partners. This is intended to prevent other messages from being decrypted with a discovered key. However, this means that one-time keys must be negotiated on an ongoing basis.
In asynchronous communication, as is typical for Whatsapp and Signal, the participants are not necessarily online at the same time; in such a case, the direct negotiation of a key pair fails. The Signal protocol, a variant of which is also the basis of Whatsapp, solves this problem by uploading one-time keys to the server in advance. There they can be retrieved by third parties at any time. Messages are then encrypted end-to-end three times: with the static identity key pair, the signed pre-key pair, which is exchanged approximately every month, and the PFS key pair. Only someone who cracks all three keys can decrypt an intercepted message.
The attack method
The attack demonstrated by the Austrians makes it impossible to use the one-time keys for all Whatsapp messages in a session from the first message up to and including the first reply. These messages then lack the PFS, but the participants in a Whatsapp conversation receive no indication of this. The attacker “only” has to crack the other two keys. The reduction in the security level is therefore moderate.
The theoretical possibility is already mentioned in the notes on the Signal protocol and was demonstrated in practice for the first time by the Austrians. But that is not the end of the story.
The method is surprisingly simple: the attacker uses an alternative WhatsApp client and needs to know the phone number of the target account. He then repeatedly requests new PFS keys from the server. If the end device of the target account does not send new keys quickly enough, which appears to be particularly difficult for iPhones and Macs, the supply is soon exhausted. WhatsApp apparently has no built-in rate limiting for such key requests. In the tests conducted by researchers at the University of Vienna and SBA Research, exhausting the supply took only 40 seconds to two minutes, even though the attacker waited for each individual server response. With parallel queries from several end devices, it took only ten seconds.
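To make the mechanism concrete, here is an added toy model (written for this article, not WhatsApp's or Signal's code) of a pre-key server: a fixed pool of one-time keys, a bundle fetch that falls back to the identity key and signed pre-key alone once the pool is empty, and a per-requester rate limit as the mitigation the article notes is missing. The key names, pool size and limits are assumptions.

```python
from collections import deque

# Constructed toy model of a Signal-style pre-key server; not WhatsApp's or Signal's code.
class PreKeyServer:
    def __init__(self, pool_size=100, rate_limit=None):
        # rate_limit: (max_fetches, window_seconds) per requester, or None for no limit
        self.pool = deque(f"otk-{i}" for i in range(pool_size))
        self.rate_limit = rate_limit
        self.history = {}     # requester -> timestamps of recent fetches
        self.exhausted = 0    # bundles handed out without a one-time pre-key

    def fetch_bundle(self, requester, now):
        """Return the target's key bundle, or None if the requester is throttled."""
        if self.rate_limit:
            max_fetches, window = self.rate_limit
            recent = [t for t in self.history.get(requester, []) if now - t < window]
            if len(recent) >= max_fetches:
                self.history[requester] = recent
                return None
            recent.append(now)
            self.history[requester] = recent
        # Each fetch consumes one one-time key; when none is left the bundle still
        # carries the identity key and signed pre-key, so the session lacks PFS.
        otk = self.pool.popleft() if self.pool else None
        if otk is None:
            self.exhausted += 1
        return {"identity_key": "ik", "signed_prekey": "spk",
                "one_time_prekey": otk, "pfs": otk is not None}

    def replenish(self, new_keys):
        """The target's device uploads fresh one-time keys (only while it is online)."""
        self.pool.extend(new_keys)


def simulate(requests, rate_limit=None, pool_size=100):
    """Drive `requests` fetches from one requester, 0.3 s apart (all inside one minute).
    Returns (bundles served, bundles without a PFS key, throttled requests)."""
    server = PreKeyServer(pool_size, rate_limit)
    served = throttled = 0
    for i in range(requests):
        bundle = server.fetch_bundle("requester-A", now=i * 0.3)
        if bundle is None:
            throttled += 1
        else:
            served += 1
    return served, server.exhausted, throttled
```

Without a limit, 150 fetches against a pool of 100 leave 50 sessions without PFS; with five fetches per requester per minute, the pool survives and the surplus requests are throttled.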
In addition, the initialization values of the three retrievable key types differ depending on the operating system of the target client. This may help when selecting malware for a targeted attack via a different channel.
The data protection problem
An astonishing amount can be deduced from the way in which new one-time keys appear on the server. The simplest variant: no new keys appear. In this case, the respective end device is most likely offline.
Repeated key exhaustion allows an attacker to make long-term, secret observations. For example, if a particular desktop device or browser instance is regularly online during office hours, it may be possible to deduce the location of the target. Conversely, new keys from a desktop computer that is usually only used in the evening or on the weekend can be used to deduce the whereabouts of the WhatsApp user being monitored at home.
If new keys appear, the speed at which they are “reloaded” can be used to deduce the end device model (fingerprinting). In the researchers' tests, for example, with a Samsung Galaxy A54 with a switched-on screen and LTE data connection, the key supply was exhausted in only four percent of requests. With iPhones, on the other hand, this was almost always the case (iPhone SE 93%, iPhone 8 88%, iPhone 11 80%). Standby mode or a Wi-Fi connection tends to slow down replenishment even further.
(Image: Universität Wien/SBA Research)
A Poco X3 on an LTE mobile network with an active screen managed the key upload quickly, so that only 17% of the requests resulted in exhaustion. In standby mode on Wi-Fi, on the other hand, the attackers were successful 76 percent of the time. (In this respect, the PFS exhaustion attack is similar to the attack also presented by the two Austrians at DEFCON 2025 using silent delivery confirmations on Whatsapp and Signal, where device fingerprinting is also possible.)