
posted by janrinok on Monday December 12, @02:48PM
from the do-you-feel-secure? dept.

Signal is secure, as proven by hackers:

On August 15, the Signal team reported that unknown hackers attacked users of the messenger. We explain why this incident demonstrates Signal's advantages over some other messengers.

According to the statement issued by Signal, the attack affected around 1900 users of the app. Given that Signal's audience runs to more than 40 million active users a month, the incident impacted only a tiny share of them. That said, Signal is used predominantly by those who genuinely care about the privacy of their correspondence. So even though the attack affected a minuscule fraction of the audience, it still reverberated around the information security world.

As a result of the attack, hackers were able to log in to the victim's account from another device, or simply find out that the owner of such and such phone number uses Signal. Among these 1900 numbers, the attackers were interested in three specifically, whereupon Signal was notified by one of these three users that their account had been activated on another device without their knowledge.

On the pages of Kaspersky Daily, we have often talked about the fact that Signal is a secure messenger, and yet it was successfully attacked. Does that mean that its renowned security and privacy are just a myth? Let's see exactly what the attack looked like and what role Signal actually played in it.

Let's start with the fact that Signal accounts, as in, say, WhatsApp and Telegram, are linked to a phone number. This is common, but not universal practice. For example, the secure messenger Threema proudly states as one of its selling points that it does not tie accounts to phone numbers. In Signal, a phone number is needed for authentication: the user enters their phone number, to which a code is sent in a text message. The code must be entered: if it is correct, that means the user does indeed own the number.

The sending of such text messages with one-time codes is handled by specialized companies that provide the same authentication method for multiple services. In the case of Signal, this provider is Twilio — and it is this company that the hackers targeted.

The next step was phishing. Some Twilio employees received messages saying that their passwords were supposedly old and needed updating. To do so, they were invited to click a (that's right) phishing link. One employee swallowed the bait, went to the fake site and entered their credentials, which fell straight into the hackers' hands.
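As an added illustration (not code from the article, Signal or Twilio), this constructed Python model shows why an ownership proof that rests only on an SMS code is only as strong as the company that delivers the SMS, and how a user-held secret on the account (a registration-lock PIN, assumed here as a mitigation the article does not discuss) makes the code alone insufficient to move the account to a new device.

```python
import hashlib
import hmac
import secrets

# Constructed model of phone-number registration through a third-party SMS provider.
# Not Signal's or Twilio's code; the registration-lock PIN is an assumed mitigation.
class SmsProvider:
    """Third-party SMS gateway: whoever can read its outbox sees every code."""
    def __init__(self):
        self.outbox = []          # (phone, text) pairs the provider delivered
    def send(self, phone, text):
        self.outbox.append((phone, text))

class RegistrationService:
    """Ties accounts to phone numbers and proves ownership with an SMS code."""
    def __init__(self, provider):
        self.provider = provider
        self.pending = {}         # phone -> outstanding one-time code
        self.locks = {}           # phone -> sha256 of the user's lock PIN
    def start(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code
        self.provider.send(phone, f"Your verification code: {code}")
    def set_lock(self, phone, pin):
        self.locks[phone] = hashlib.sha256(pin.encode()).hexdigest()
    def finish(self, phone, code, pin=None):
        """True if the device presenting `code` (and `pin`, if locked) now owns `phone`."""
        expected = self.pending.pop(phone, None)   # one attempt per code
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        lock = self.locks.get(phone)
        if lock is None:
            return True                             # SMS code alone suffices
        given = hashlib.sha256((pin or "").encode()).hexdigest()
        return hmac.compare_digest(lock, given)     # code plus user-held secret

def code_seen_by_provider(provider, phone):
    """Provider-side view: the latest code the gateway handled for `phone`."""
    for to, text in reversed(provider.outbox):
        if to == phone:
            return text.rsplit(": ", 1)[1]
    return None

def demo():
    provider, victim = SmsProvider(), "+15550000001"   # constructed number
    svc = RegistrationService(provider)
    svc.start(victim)                                  # no lock: code alone wins
    unlocked = svc.finish(victim, code_seen_by_provider(provider, victim))
    svc.set_lock(victim, "2468")                       # lock: code alone fails
    svc.start(victim)
    locked = svc.finish(victim, code_seen_by_provider(provider, victim))
    return unlocked, locked
```

The point of `demo()` is the contrast: the same provider-side visibility that completes registration in the first run is not enough in the second, and each code is consumed on its first use whether or not the PIN matched.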


This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 2) by Thexalon on Monday December 12, @05:49PM (4 children)

    by Thexalon (636) Subscriber Badge on Monday December 12, @05:49PM (#1282165)

    1. There ain't no such thing as a 100% secure system.
    2. All this has proven is that they were able to catch these particular bad guys. It does not prove there aren't other bad guys who got in via other means.
    3. Regardless of their claims to the contrary, given the right legal incentives, I can guarantee you that Signal, just like any other corporation, would help a government spy on their users without notifying them. Why? Because the incentives are all in favor of doing what the government says, including but not limited to the continued existence of Signal as an enterprise.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 3, Interesting) by driverless on Monday December 12, @06:32PM (1 child)

      by driverless (4770) on Monday December 12, @06:32PM (#1282174)

      If you want to attack and totally pwn Signal, attack its supply chain. With its brain-damaged constant forced updates (it actually disables itself if you don't play along with its crazy Red-Queen game) you can completely own every Signal install on the planet by targeting that. Some years ago an NSA head actually pointed this out; the quote was something like "what if the NSA runs into a security system you can't break?", response "that's what updates are for".

      So no, Signal is not more secure than other systems.

      • (Score: 0) by Anonymous Coward on Tuesday December 13, @03:00AM

        by Anonymous Coward on Tuesday December 13, @03:00AM (#1282241)
        Yeah, lots of people avoid software because "last update was in 2016"...
    • (Score: 0) by Anonymous Coward on Tuesday December 13, @03:05AM (1 child)

      by Anonymous Coward on Tuesday December 13, @03:05AM (#1282242)
      Signal supports chat groups. Is there code in the production version where it would quietly allow/hide an NSA participant?

      Same goes for WhatsApp etc.
      • (Score: 2) by Thexalon on Tuesday December 13, @11:34AM

        by Thexalon (636) Subscriber Badge on Tuesday December 13, @11:34AM (#1282262)

        If you've never seen that code, just like I haven't, you'd have no way of telling. And even if you did, you still wouldn't know about any server-side code that might be involved to, say, find the person you're chatting with when you're initiating a chat, even if you've reverse-engineered what's on your hardware.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 2) by richtopia on Monday December 12, @08:13PM

    by richtopia (3160) Subscriber Badge on Monday December 12, @08:13PM (#1282191) Homepage Journal

    From my research, Signal is the best option for secure communication. It isn't perfect; the dependence on a central infrastructure has me uneasy, but most users don't want to be concerned with running a server or even picking a server to trust.

    Only issue is that WhatsApp and even Telegram are more popular. I don't run a drug ring so I don't have the authority to mandate my friends use Signal for correspondence. Hell, 90% of my communication is still through text or phone calls.

  • (Score: 3, Insightful) by bmimatt on Monday December 12, @08:46PM

    by bmimatt (5050) on Monday December 12, @08:46PM (#1282193)

    All this really means that they gained access through phishing, a form of social engineering. They found a weak point to be a person that gobbled the bait. This has no real bearing on the level of security provided by the Signal code itself, other than integration with Twilio.
