from the do-you-feel-secure? dept.
Signal is secure, as proven by hackers:
On August 15, the Signal team reported that unknown hackers attacked users of the messenger. We explain why this incident demonstrates Signal's advantages over some other messengers.
According to the statement issued by Signal, the attack affected around 1900 users of the app. Given that Signal's audience runs to more than 40 million active users a month, the incident impacted only a tiny share of them. That said, Signal is used predominantly by those who genuinely care about the privacy of their correspondence. So even though the attack affected a minuscule fraction of the audience, it still reverberated around the information security world.
As a result of the attack, hackers were able to log in to the victim's account from another device, or simply find out that the owner of such and such phone number uses Signal. Among these 1900 numbers, the attackers were interested in three specifically, whereupon Signal was notified by one of these three users that their account had been activated on another device without their knowledge.
On the pages of Kaspersky Daily, we have often talked about the fact that Signal is a secure messenger, and yet it was successfully attacked. Does that mean that its renowned security and privacy are just a myth? Let's see exactly what the attack looked like and what role Signal actually played in it.
Let's start with the fact that Signal accounts, as in, say, WhatsApp and Telegram, are linked to a phone number. This is a common, but not universal, practice. For example, the secure messenger Threema proudly states as one of its selling points that it does not tie accounts to phone numbers. In Signal, a phone number is needed for authentication: the user enters their phone number, to which a code is sent in a text message. The code must be entered: if it is correct, that means the user does indeed own the number.
The sending of such text messages with one-time codes is handled by specialized companies that provide the same authentication method for multiple services. In the case of Signal, this provider is Twilio — and it is this company that the hackers targeted.
The next step was phishing. Some Twilio employees received messages saying that their passwords were supposedly old and needed updating. To do so, they were invited to click a (that's right) phishing link. One employee swallowed the bait, went to the fake site and entered their credentials, which fell straight into the hackers' hands.