![]() What can be done to better protect messages? If Registration Lock had been enabled, they could not have logged in to the app knowing only the phone number and verification code. As such, the cybercriminals managed to pull off the attack by impersonating the victim of the attack for roughly 13 hours. Just in case, let’s clarify that the PIN in Signal has nothing to do with unlocking the app - this is done through the same means you use to unlock your smartphone.īy default, Registration Lock is disabled, as was the case for at least one of the hacked accounts. The app contains a feature called Registration Lock (to activate go to Settings → Account → Registration Lock), which requires a user-defined PIN to be entered when activating Signal on a new device. However, Signal has safeguards against this, too. ![]() Lastly, we should stress that Signal was attacked in the supply chain - through a less protected service provider used by the company. In other words, the attackers could not gain access to the user’s contact list either. This mechanism allows the Signal app on your phone to send encrypted information about contacts and receive a likewise encrypted reply as to which of your contacts uses Signal. And second, the numbers themselves aren’t stored there in plain text, but rather in the form of a hash code. However the data is stored, first, in special storages called secure enclaves, which even Signal developers can’t access. This allows the messenger to notify you when a contact of yours signs up for Signal. What is stored on Signal’s servers is users’ phone numbers as well as their contacts’ phone numbers. Therefore, there is simply no way to read them just by hacking Signal’s infrastructure. By using end-to-end encryption, user messages are stored only on their devices, not on Signal’s servers or anywhere else. Signal uses end-to-end encryption with the secure Signal Protocol. Why, then, do we keep talking about its security and privacy?įirst of all, the cybercriminals did not gain access to correspondence. So, it turns out that even Signal isn’t immune to such incidents. How this incident proves Signal’s robustness The hackers then used the service to install Signal on a new device: they entered the victim’s phone number, intercepted the text with the activation code and, voilà, got inside their Signal account. These credentials gave them access to Twilio’s internal systems, enabling them to send text messages to users, and to read them. One employee swallowed the bait, went to the fake site and entered their credentials, which fell straight into the hackers’ hands. To do so, they were invited to click a (that’s right) phishing link. Some Twilio employees received messages saying that their passwords were supposedly old and needed updating. ![]() In the case of Signal, this provider is Twilio - and it is this company that the hackers targeted. The sending of such text messages with one-time codes is handled by specialized companies that provide the same authentication method for multiple services. The code must be entered: if it is correct, that means the user does indeed own the number. In Signal, a phone number is needed for authentication: the user enters their phone number, to which a code is sent in a text message. For example, the secure messenger Threema proudly states as one of its selling points that it does not tie accounts to phone numbers. This is common, but not universal practice. Let’s start with the fact that Signal accounts, as in, say, WhatsApp and Telegram, are linked to a phone number. Does that mean that its renowned security and privacy are just a myth? Let’s see exactly what the attack looked like and what role Signal actually played in it. On the pages of Kaspersky Daily, we have often talked about the fact that Signal is a secure messenger, and yet it was successfully attacked. Among these 1900 numbers, the attackers were interested in three specifically, whereupon Signal was notified by one of these three users that their account had been activated on another device without their knowledge. So even though the attack affected a minuscule fraction of the audience, it still reverberated around the information security world.Īs a result of the attack, hackers were able to log in to the victim’s account from another device, or simply find out that the owner of such and such phone number uses Signal. That said, Signal is used predominantly by those who genuinely care about the privacy of their correspondence. Given that Signal’s audience runs to more than 40 million active users a month, the incident impacted only a tiny share of them. What happened?Īccording to the statement issued by Signal, the attack affected around 1900 users of the app. We explain why this incident demonstrates Signal’s advantages over some other messengers. On August 15, the Signal team reported that unknown hackers attacked users of the messenger.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |