
Signal Secure Messenger

Product
Developers: Open Whisper Systems
Date of the premiere of the system: 2016/09/01
Last Release Date: 2020/12/16
Branches: Internet services
Technology: Information Security - Encryption Tools

An open source application for encrypted voice and encrypted instant messaging for iOS and Android users.

2023: A hole in the messenger allows you to view attachments in the correspondence of other users

At the end of January 2023, John Jackson, a specialist in information security, published a study on two vulnerabilities he discovered in the Signal messenger desktop client. They were designated CVE-2023-24069 and CVE-2023-24068.

According to the expert, attackers can use these vulnerabilities for espionage. Since Signal desktop applications for all operating systems share a common code base, both vulnerabilities are present not only in the Windows client, but also in the macOS and Linux clients. All versions up to and including the latest one as of January 27, 2023 (6.2.0) are vulnerable.

The first vulnerability, CVE-2023-24069, lies in an ill-conceived mechanism for processing files sent via Signal. When a user sends a file to a Signal chat, the desktop client saves it in a local directory. When a file is deleted, it disappears from the directory unless someone has replied to it or forwarded it to another chat. Moreover, although Signal is positioned as a secure messenger and all messages sent through it are encrypted, the files are stored in unprotected form.

Two vulnerabilities were discovered in the Signal messenger, allowing anyone to view attachments in correspondence

The second vulnerability, CVE-2023-24068, was discovered on closer examination of the Signal client. It turned out that the program has no file verification mechanism. In theory, this allows an attacker to replace files. That is, if a forwarded file is opened in the desktop client, someone can replace it in the local folder with a fake one. In subsequent transfers, the user will then distribute the spoofed file instead of the one they intended to forward.
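The missing verification step described for CVE-2023-24068 can be illustrated with a small integrity check. This is an added example, not Signal's code: the `AttachmentStore` class, its method names and the sample file contents are assumptions made for illustration.

```javascript
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical store: attachment id -> { file, sha256 }. A real client would
// keep this index inside its encrypted database, not next to the files.
class AttachmentStore {
  constructor(dir) {
    this.dir = dir;
    this.index = new Map();
  }

  save(id, bytes) {
    const file = path.join(this.dir, id);
    fs.writeFileSync(file, bytes, { mode: 0o600 });
    const sha256 = crypto.createHash('sha256').update(bytes).digest();
    this.index.set(id, { file, sha256 });
  }

  // Returns the bytes only if they still hash to the digest pinned at save time.
  readForForward(id) {
    const entry = this.index.get(id);
    if (!entry) throw new Error(`unknown attachment ${id}`);
    const bytes = fs.readFileSync(entry.file);
    const actual = crypto.createHash('sha256').update(bytes).digest();
    if (!actual.equals(entry.sha256)) {
      throw new Error(`attachment ${id} was modified on disk`);
    }
    return bytes;
  }
}

// Constructed demo: save a file, forward it, replace it on disk, forward again.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'att-'));
  try {
    const store = new AttachmentStore(dir);
    store.save('a1', Buffer.from('quarterly-report-v1'));
    const first = store.readForForward('a1').toString();
    fs.writeFileSync(path.join(dir, 'a1'), 'swapped-by-local-user');
    let second;
    try { second = store.readForForward('a1').toString(); }
    catch (err) { second = `blocked: ${err.message}`; }
    return { first, second };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```

A digest detects replacement only; it does nothing about the files being readable in unprotected form, which is the separate issue tracked as CVE-2023-24069.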

As of January 2023, the potential risks associated with CVE-2023-24069 are more or less clear. If a user of the desktop version of Signal leaves their computer unlocked and unattended, someone can access files sent through Signal. The same can happen if full disk encryption is enabled on the PC, and the owner tends to leave it somewhere unattended.

According to Kaspersky Lab, the Signal developers disagree about the importance of these vulnerabilities and state that their product should not and cannot protect against attackers with this level of access to the victim's system. Therefore, the best advice is not to use the desktop version of Signal.[1]

2022

Data of 1,900 users leaked

On August 15, 2022, the Signal messenger, which is considered the most secure, reported a leak of phone numbers and SMS verification codes of about 1900 users in connection with the hacking of Twilio.

The leak resulted from a phishing attack on the Twilio number verification database. Hackers seized the data of 125 customers of the company, including Signal.

Data of thousands of users of the Signal messenger was leaked

Message histories, contact lists and user profile information remain private, Signal reports. Nevertheless, an attacker can re-register 1.9 thousand users' numbers to third-party devices and correspond on behalf of the account owner. The administration of the messenger sent a warning to those who suffered from the attack.

It should be noted that as a result, the attacker did not gain access to the message log, profile information or contacts, the Signal support page says. Records of previously sent messages are stored only on users' devices. Signal does not store copies of this data. Contacts, profile information, locked users, etc. can only be recovered using a Signal PIN that was not (and could not be) accessed in this incident. However, if the attacker managed to re-register the account, he will be able to send and receive Signal messages from this phone number.

For all affected users, the company said it would remove Signal's registration on all devices the user previously used - or on which it was registered by an attacker - and require users to re-register Signal with their phone number on their preferred device. Signal also recommends that users enable registration blocking, a feature that will prevent users from re-registering an account on another device without a user's security PIN.[2]

Swiss army bans military from using foreign messengers

The Swiss Armed Forces banned service members from using the messengers WhatsApp, Telegram and Signal for information security reasons. This became known on January 7, 2022.

2021: Comparison of functionality with other messengers

Comparison of messenger functionality for January 2021

2020

Hacking by Israeli hackers

On December 16, 2020, it became known that the Israeli company Cellebrite, a developer of spy software, said that it had managed to hack the Signal messenger. According to the TechRadar portal and the antivirus developer AVG, Signal is the most secure messenger in the world. Cellebrite specialists were able to bypass Signal protection using their own Physical Analyzer software tool for systematizing and processing information obtained from a smartphone.

Signal is based on its own open source Signal Protocol system for encrypting text and content. This system is also used by Facebook and Microsoft in their messengers, but there it encrypts only text messages, not transmitted files.

Cellebrite published a detailed report on the Signal hacking process directly on its official website. According to the company, the messenger's database is stored in encrypted form using SQLCipher. SQLCipher is an open source extension of SQLite that provides transparent 256-bit AES encryption of database files. To read the database, the hackers needed a special key, which, as it turned out, can be extracted from a file with general settings and decrypted using a key called "AndroidSecretKey," which is saved by "Keystore", a special function of the Android OS.

After receiving the decrypted key, we needed to know how to decrypt the database. To do this, we used Signal's open source code and searched for any database access. Having studied dozens of classes of code, we finally found what we were looking for, the hackers said.

They then ran SQLCipher on the database with the decrypted key and values of 4096 and 1 for page size and kdf iterations, which allowed them to decrypt the database and find text messages in the "signal.db.decrypted" file in a table called "sms." All files sent and received were found in the "app_parts" folder, but they were additionally encrypted.

Cellebrite specialists found that Signal uses the AES algorithm in CTR mode to encrypt attachments, after which all that remained was to decrypt them. They did not have to additionally match the files they found to chats: this had been done at the message analysis stage, and as a result they obtained fully readable chats, available in the same form in which the participants in the conversation see them.

According to Cellebrite, the company intends to cooperate with law enforcement agencies in various countries to hack Signal on the devices they need "legally"[3].

The rise of downloads during the riots in the United States

In May 2020, amid protests in the United States, demand for the secure Signal messenger increased. It has been downloaded 121,000 times since May 25, with a record 37,000 downloads on Sunday, May 31. In the App Store app ranking, the messenger rose from 936th to 126th place in popularity during this time.

Signal may stop working in the United States if a bill to abandon end-to-end encryption is passed

On April 11, 2020, it became known that the developers of the secure Signal messenger intend to stop operating in the United States if the country's authorities pass the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) bill, which involves a complete rejection of end-to-end encryption.

The EARN IT document is an amendment to Section 230 of the US Communications Decency Act. This section provides IT companies with legal protection from liability for any content posted by users on their platforms.

According to the authors of the bill, large companies, including Google and Facebook, began to abuse such protection and stopped making efforts to combat illegal content. EARN IT can deprive all companies of their immunity from prosecution under the current law.

Edward Snowden, who recommended the use of Signal, spoke out against EARN IT. According to him, the bill contradicts the ideas of freedom of speech.

However, even the "world's most secure messenger" is not able to completely protect users from cyber threats. Reportedly, in 2019, a logical error was discovered in the Android version of Signal, which allowed spying on users. Criminals could initiate a call and answer it without the user's consent. Thus, attackers could turn on the microphone on the device and listen to the conversations around[4].

2019: Vulnerability to turn on a microphone on a device

On October 5, 2019, it became known that a logical error was detected in the Android version of the secure Signal messenger that allows you to spy on users. The vulnerability lies in the fact that criminals can initiate a call and automatically answer it without the user's consent. In other words, with the help of a bug, you can turn on the microphone on the device and listen to conversations around you.

The problem is similar to a bug discovered in early 2019 in the Apple FaceTime feature in iOS, which also allowed you to hear the sound and see video from the interlocutor's device before he answers the call.

A vulnerability in Signal discovered by Google Project Zero team specialist Natalie Silvanovich is related to the handleCallConnected method responsible for the final call connection.

In a normal situation, a handleCallConnected call occurs in two cases: when the called device receives a call when the user selects "accept" or when the calling device receives a "connect" message if the called device receives a call. With a modified client, it is possible to send a "connect" message to the called device during a call, but before the user accepts it. Thus, the call will be accepted even without the participation of the user, writes Silvanovich.

As noted, the vulnerability works only with audio calls; this method is not suitable for video calls, since in the Signal application users need to turn on the camera manually.

Despite the fact that there is a similar problem in the iOS version of the messenger, only users of the Android version are at risk, since a call fails in the iOS client due to an error in the user interface.

The developers of the application were informed about the problem and fixed it a few hours after the researcher's message[5].
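The logic error described above can be modelled as a small call state machine, shown with and without a check on where the "connect" transition came from. This is an added example and a hypothetical model, not Signal's code or its actual fix: apart from `handleCallConnected`, every name here is an assumption.

```javascript
// Hypothetical model of the call flow; only handleCallConnected is a name
// taken from the report, everything else is assumed for illustration.
class CallSession {
  constructor(role, checkOrigin) {
    this.role = role;               // 'caller' or 'callee'
    this.checkOrigin = checkOrigin; // false reproduces the flaw described above
    this.state = 'pending';
    this.micOpen = false;
    this.rejected = 0;              // counter a client could log or alert on
  }

  // Final connection step: the only place that opens the microphone.
  handleCallConnected() {
    this.state = 'connected';
    this.micOpen = true;
  }

  // The local user pressed "accept" on the called device.
  onLocalAccept() {
    if (this.role !== 'callee' || this.state !== 'pending') return;
    this.handleCallConnected();
  }

  // A "connect" message arrived from the remote peer.
  onRemoteConnect() {
    // Only the calling side expects "connect"; the called side must be
    // moved to 'connected' by the local user, never by the network.
    if (this.checkOrigin && this.role !== 'caller') {
      this.rejected += 1;
      return;
    }
    if (this.state !== 'pending') return;
    this.handleCallConnected();
  }
}

// Constructed scenario: a callee that is still ringing receives "connect".
function calleeReceivesConnect(checkOrigin) {
  const callee = new CallSession('callee', checkOrigin);
  callee.onRemoteConnect();
  return { state: callee.state, micOpen: callee.micOpen, rejected: callee.rejected };
}

// Both legitimate paths still connect when the check is enabled.
function legitimatePaths() {
  const callee = new CallSession('callee', true);
  callee.onLocalAccept();
  const caller = new CallSession('caller', true);
  caller.onRemoteConnect();
  return callee.micOpen && caller.micOpen;
}
```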

2018

Vulnerability to side-channel attacks

According to a report dated December 13, 2018, researchers from Cisco Talos reported vulnerabilities in popular instant messengers that use encryption. According to the experts, WhatsApp, Telegram and Signal can be hacked using side-channel attacks.

In the list of 20 most secure instant messengers according to Artezio

The analytical department of Artezio (part of the LANIT group of companies) on November 26, 2018 published a list of 20 messengers capable of providing a high level of privacy. The rating was compiled based on the results of comprehensive testing of programs, while the quality of data encryption and the reliability of information protection tools were the key criteria in the formation of the final expert assessment, representatives of Artezio told TAdviser. The top 8 programs with a high level of privacy were headed by the Signal messenger.

Error transitioning to Signal Desktop

On October 24, 2018, it became known that the update of the secure Signal messenger could have rather unpleasant consequences for its users.

The Signal messenger is promoted as a secure means of communication that uses end-to-end encryption, which in theory should exclude unauthorized access to the contents of the correspondence. However, as it turned out, there are situations when all Signal encryption is useless.

Signal is distributed as an extension to the Google Chrome browser, and as a standalone program (Signal Desktop). From the browser version, you can "upgrade" to the desktop version, but in the process Signal uploads all the correspondence to the user's device disk in unencrypted form, and along with all the attachments. The application then automatically re-imports all these dialogs, but in a certain period, everything that should be encrypted lies on the disk in plaintext.

When you export dialogs to disk, Signal generates separate folders, each named by the contact's name and phone number. Thus, confidential data is already being leaked.

All dialog content is stored in JSON format. Even after the data has been imported into Signal, everything that was "dumped" on disk remains there, and users have to delete these files and folders manually. The program does not display any warning that the information has been decrypted and written to disk. Information about the "bug" has been sent to the Signal developers.

Signal was originally released as an application for mobile devices. The Chrome extension was an "intermediate option" for adapting the messenger to desktop computers - macOS, Linux, Windows, etc. A separate version of Signal Desktop, not tied to Chrome, has been available for a year now. Moreover, the Chrome extension will soon cease to be available: its development has been discontinued, and support will soon end.

Oleg Galushkin, Director of Information Security at SEC Consult Services:
For Signal's target audience, such programmer errors can be costly, especially if the computer is compromised and the "exported" data is not deleted. After this, many questions arise about how safe it is to use this messenger.

Apparently, this is far from the only problem with Signal. For example, another expert, Keith McCammon, director of information security at Red Canary, points out that Signal Desktop does a poor job of deleting attachments to "disappearing" messages (that is, those that are destroyed after a user-defined period of time). This function was positioned by the developers as an additional security layer, but it works very unreliably. According to McCammon, all attachments remain on Signal users' disk even after they should have disappeared[6][7].
