Man
Professional
- Messages
- 3,070
- Reaction score
- 606
- Points
- 113
Signal messenger users have been hacked. We look at what happened and why this attack serves as a demonstration of Signal's reliability.
On August 15, the Signal team reported an attack on messenger users organized by unknown hackers. We explain why this attack demonstrates the advantages of Signal over some other messengers.
As a result of the attack, hackers were able to log into the victim's account from another device, or simply find out that a user with a certain phone number uses Signal. Of these 1,900 numbers, the attackers were interested in three specific phones - and as a result, Signal received a notification from one of the three users that their account had been activated on another device without their knowledge.
Let's start with the fact that an account in Signal, like, for example, in WhatsApp and Telegram, is linked to a phone number. This is a common, but not universally accepted practice: for example, the secure messenger Threema mentions among its advantages precisely the fact that it is not linked to a phone. The phone is needed to authenticate the user: the user enters a phone number - and then an SMS with a code is sent to this number. The code must be entered: if it is entered correctly, this means that the user really owns this phone number.
Directly sending out such SMS with one-time codes is done by specialized providers that service many services at once with the same authentication method. In the case of Signal, this is the company Twilio — it was the one that the hackers chose as their target.
Then phishing came into play: Twilio employees received a message that their passwords were supposedly out of date and needed to be updated. They were asked to do so via a link — as you might guess, a phishing one. One of the employees fell for this trick, went to a fake page, and in the process of “changing the password,” entered their current password along with their login, which is how they ended up in the hands of hackers.
These credentials allowed them to access Twilio’s internal systems, including the ability to send and read text messages to users. The hackers used the service to install Signal on a new device: they entered the victim’s phone number, intercepted the SMS with the activation code, and — voila — logged into their Signal account.
First of all, the problem is that the attackers did not gain access to the correspondence. Signal uses end-to-end encryption with a reliable protocol called Signal Protocol. Due to the use of end-to-end encryption, the correspondence of users is stored only on their devices, and not on Signal servers or anywhere else. Therefore, there is simply no way to read it by hacking Signal infrastructure.
However, Signal servers contain information about users' phone numbers and the numbers of their contacts. This allows the messenger to notify you that one of your contacts has joined Signal. But here it should be clarified that the data is stored, firstly, in special secure storages (secure enclaves), which even the Signal developers themselves do not have access to. And secondly, the numbers themselves are not contained there in text form, but instead have hash sums that can be used to identify the contact, but cannot be used to restore the phone number. This mechanism allows the Signal application on your phone to send encrypted information about contacts and receive an encrypted response - which of your contacts uses Signal. That is, the attackers were also unable to gain access to the contact lists of hacked users.
Finally, it is important to highlight that Signal was attacked through a supply chain attack — a less secure service provider used by the company. This makes it a vulnerable link in the service. However, Signal actually has safeguards in place to deal with this.
Signal has a “Registration Lock” feature (you can find it in Settings → Account → Registration Lock), which requires you to enter a user-defined PIN code when trying to activate Signal on a new device. Just to be clear: the PIN in Signal has nothing to do with unlocking the messenger — the smartphone’s standard authentication is usually used for that.
To fully protect yourself from the attack described in this post, simply enable the “Registration Blocking” feature in Signal settings.
By default, the Registration Lock feature is disabled, which was the case for at least one of the hacked accounts. That's how the hackers were able to pull off the attack, allowing them to pretend to be a victim for about 13 hours. If Registration Lock had been enabled, the hackers wouldn't have been able to log into the app at all , knowing only a phone number and a confirmation code.
And although the attack was technically successful, you shouldn’t be scared and give up on Signal. It’s still a secure messenger that gives you confidence in the privacy of your correspondence — which is exactly what the hacking story demonstrates. But you can make it even more secure, and also take extra care of your security:
Source
On August 15, the Signal team reported an attack on messenger users organized by unknown hackers. We explain why this attack demonstrates the advantages of Signal over some other messengers.
What's happened?
According to the creators of Signal, the attack affected about 1,900 users of the messenger. In total, Signal has an audience of more than 40 million active monthly users - it turns out that the incident affected only a very small part of them. On the other hand, Signal is usually used by those who are really concerned about the privacy of correspondence. So even though the attack affected only a tiny fraction of the audience, it is still a big and important event in the world of information security.As a result of the attack, hackers were able to log into the victim's account from another device, or simply find out that a user with a certain phone number uses Signal. Of these 1,900 numbers, the attackers were interested in three specific phones - and as a result, Signal received a notification from one of the three users that their account had been activated on another device without their knowledge.
How did this happen?
On the pages of Kaspersky Daily, we have repeatedly said that Signal is a secure messenger. And now it is being successfully attacked. Is the story about security and privacy really a myth? Let's figure out what exactly the attack consisted of and what role Signal played in it.Let's start with the fact that an account in Signal, like, for example, in WhatsApp and Telegram, is linked to a phone number. This is a common, but not universally accepted practice: for example, the secure messenger Threema mentions among its advantages precisely the fact that it is not linked to a phone. The phone is needed to authenticate the user: the user enters a phone number - and then an SMS with a code is sent to this number. The code must be entered: if it is entered correctly, this means that the user really owns this phone number.
Directly sending out such SMS with one-time codes is done by specialized providers that service many services at once with the same authentication method. In the case of Signal, this is the company Twilio — it was the one that the hackers chose as their target.
Then phishing came into play: Twilio employees received a message that their passwords were supposedly out of date and needed to be updated. They were asked to do so via a link — as you might guess, a phishing one. One of the employees fell for this trick, went to a fake page, and in the process of “changing the password,” entered their current password along with their login, which is how they ended up in the hands of hackers.
These credentials allowed them to access Twilio’s internal systems, including the ability to send and read text messages to users. The hackers used the service to install Signal on a new device: they entered the victim’s phone number, intercepted the SMS with the activation code, and — voila — logged into their Signal account.
How this incident proves Signal's reliability
Well, it turns out that Signal can have these incidents too. So why do we keep saying it's secure and private?First of all, the problem is that the attackers did not gain access to the correspondence. Signal uses end-to-end encryption with a reliable protocol called Signal Protocol. Due to the use of end-to-end encryption, the correspondence of users is stored only on their devices, and not on Signal servers or anywhere else. Therefore, there is simply no way to read it by hacking Signal infrastructure.
However, Signal servers contain information about users' phone numbers and the numbers of their contacts. This allows the messenger to notify you that one of your contacts has joined Signal. But here it should be clarified that the data is stored, firstly, in special secure storages (secure enclaves), which even the Signal developers themselves do not have access to. And secondly, the numbers themselves are not contained there in text form, but instead have hash sums that can be used to identify the contact, but cannot be used to restore the phone number. This mechanism allows the Signal application on your phone to send encrypted information about contacts and receive an encrypted response - which of your contacts uses Signal. That is, the attackers were also unable to gain access to the contact lists of hacked users.
Finally, it is important to highlight that Signal was attacked through a supply chain attack — a less secure service provider used by the company. This makes it a vulnerable link in the service. However, Signal actually has safeguards in place to deal with this.
Signal has a “Registration Lock” feature (you can find it in Settings → Account → Registration Lock), which requires you to enter a user-defined PIN code when trying to activate Signal on a new device. Just to be clear: the PIN in Signal has nothing to do with unlocking the messenger — the smartphone’s standard authentication is usually used for that.
To fully protect yourself from the attack described in this post, simply enable the “Registration Blocking” feature in Signal settings.
By default, the Registration Lock feature is disabled, which was the case for at least one of the hacked accounts. That's how the hackers were able to pull off the attack, allowing them to pretend to be a victim for about 13 hours. If Registration Lock had been enabled, the hackers wouldn't have been able to log into the app at all , knowing only a phone number and a confirmation code.
What you can do to better protect your Signal communications
To summarize: the attackers did not hack Signal itself, but its partner Twilio, as a result of which they were able to log into 1,900 accounts – and used this opportunity to log into three of them. However, they did not gain access to any correspondence or contacts – and could only try to pretend to be the users whose accounts they were able to log into. If these users had the “Registration Lock” option enabled, the attackers would not have been able to do even this.And although the attack was technically successful, you shouldn’t be scared and give up on Signal. It’s still a secure messenger that gives you confidence in the privacy of your correspondence — which is exactly what the hacking story demonstrates. But you can make it even more secure, and also take extra care of your security:
- Turn on Registration Lock in Signal to prevent hackers from logging into your account without your PIN — even if they receive a one-time code to activate Signal on a new device.
- Read our post on setting up privacy and security in Signal and customize your messenger. Signal has both simple basic options and some really paranoid ones that provide extra security at the cost of some usability.
- And of course, use a security solution on the device itself. If malware gets onto your smartphone, no measures from Signal will help protect your correspondence and contact list. But if you don’t let the malware in or at least catch it in time, your correspondence will be safe.
Source
