Meta is testing E2EE for Quest’s VR Messenger App

Meta has been on a multiyear stimulus with Messenger’s end-to-end encryption E2EE features, and it’s now beginning to test E2EE messaging with its Quest VR quest headsets.

With the new v40 software update, Meta is pushing optional E2EE for one-on-one messages and calls in VR, though it’s unclear how many people are incorporated in the test or how to turn on the feature if you are.

The test comes alongside many other notable new features in the v40 update. There are new audio accessibility possibilities, including tweaking the left audio balance and proper audio channels and a mono audio feature that allows you to hear the same audio on the left and right speakers.

You’ll also be able to lock individual apps behind a pattern, which could be a valuable way to prevent access to apps you don’t want a child to play with. Previously, you could only lock the entire headset behind a pattern.

In addition, you’ll now be able to see visual representations of more physical keyboards in VR as long as they’re connected via Bluetooth. This feature first supported the Logitech K830 and Apple’s Magic Keyboard using a Quest 2 headset. With v40, you’ll see representations of the Apple Magic Keyboard with numeric keypad, the Logitech K375s, and Logitech MX Keys.

What is E2EE?

E2EE End-to-end encryption is a safe communication method that prevents third parties from accessing data while it’s shared from one end system or gadget to another.

The data is encrypted on the sender’s design or device in E2EE, and only the planned recipient can decrypt it. As it tours to its destination, the message cannot be read or meddled by an internet service provider (ISP), hacker, application service provider, or any other entity or service.

Many famous messaging service providers employ end-to-end encryption, including WhatsApp, Facebook, and Zoom. However, these providers have faced controversy around the judgment to adopt E2EE. The technology makes it more challenging for providers to share user information from their services with authorities. In addition, it potentially delivers private messaging to people involved in illicit actions.

How does end-to-end encryption work?

The cryptographic keys employed to encrypt and decrypt the messages are held on the endpoints. This approach uses public key encryption.

A public key or asymmetric encryption utilizes a public key that can be shared with others and a private key. Once transferred, others can employ the public key to encrypt a message and send it to the public key owner. The notification can be decrypted only using the complementary private key, called the decryption key.

There is almost consistently an intermediary handing off messages between two partakers involved in an exchange in online communications. That intermediary is generally a server belonging to an ISP, a telecommunications company, or other organizations. The public critical infrastructure E2EE uses to ensure the intermediaries cannot eavesdrop on the messages being sent.

The method for securing a public key is the legitimate key created by the intended recipient to embed the public key in a certification that has been digitally marked by a recognized certificate authority (CA). Because the CA’s public key is widely circulated and known, its integrity can be counted on; a certificate marked by that public key can be presumed authentic. In addition, since the certificate associates the recipient’s name and public key, the CA would presumably not sign a certification that associated a separate public key with the same name.

How does E2EE disagree with other types of encryption?

What drives end-to-end encryption unique compared to other encryption systems is that only the endpoints — the sender and the receiver — can decrypt and read the message. Symmetric key encryption, also known as single-key or secret key encryption, also provides an unbroken layer of encryption from sender to recipient. Still, it employs only one key to encrypt messages.

The key employed in single-key encryption can be a password, code, or series of haphazardly generated numbers and is dispatched to the message recipient, allowing them to unencrypt the message. It may be complex and create the message look like nonsense to intermediaries passing it from sender to receiver. However, the message can be blocked, decrypted, and read, no matter how drastically the one fundamental changes it if an intermediate gets ahold of the key. E2EE, with its two keys, supports intermediaries from accessing the key and decrypting the message.

Another standard encryption approach is encryption in transit. Messages are encrypted by the sender, decrypted deliberately at an intermediary point — a third-party server acknowledged by the messaging service provider — and then re-encrypted and sent to the recipient. The message is unreadable in transit and may utilize two-key encryption. Still, it is not using end-to-end encryption because the message has been decrypted before getting its final recipient.

Encryption in transit, like E2EE, holds messages from being intercepted on their journey, but it does make potential vulnerabilities at that core where they are decrypted.

How is end-to-end encryption used?

End-to-end encryption is used when necessary for data security, including finance, healthcare, and communications industries. In addition, it is often used to assist companies in complying with data privacy and security rules and laws.

For illustration, an electronic point-of-sale (POS) system provider would include E2EE in its offering to safeguard sensitive information, like customer credit card data. E2EE would also allow a retailer to comply with the Payment Card Industry Data Security Standard (PCI DSS), which demands that magnetic stripe data, card numbers, and security codes are not held on client devices.

What does end-to-end encryption defend against?

E2EE safeguards against the following two threats:

  • Prying eyes: E2EE holds anyone other than the sender and planned recipient from reading message details in transit as only the recipient and sender have the legends to decrypt the message. So although the message may be perceptible to an intermediary server that supports moving the message, it won’t be legible.
  • Tampering: E2EE also defends against tampering with encrypted messages. There is no way to alter a message encrypted this way predictably, so any attempts at changing it would be blatant.

What doesn’t end-to-end encryption protect against?

Although the E2EE key exchange is deemed unbreakable using known algorithms and current computing power, there are several recognized potential weaknesses of the encryption scheme, including the ensuing three:

  • Metadata: While E2EE shields the information inside a message, it does not cover information about the message. Like the date and time, it was sent or the participants in the exchange. This metadata could give malicious actors an interest in the encrypted information and hints as to where they may be competent to intercept the data once it has been unencrypted.
  • Compromised endpoints: An attacker may be able to notice a message before it is encrypted or after it is decrypted if either endpoint has been compromised. Nitpickers could also retrieve keys from compromised endpoints and conduct a man-in-the-middle attack with a misappropriated public key.
  • Vulnerable intermediaries: Sometimes, providers assert to offer end-to-end encryption when what they offer is closer to encryption in transit. The data may be held on an intermediary server where it can be accessed.