Signal is a popular messaging app often touted as a secure, end-to-end encrypted platform created by respected cryptographer Moxie Marlinspike. He founded the privacy-focused Open Whisper Systems (OWS), which later morphed into the Signal Foundation. Signal, the app, is available for Android, iOS, and desktop platforms.
Signal uses the Signal Protocol, an open-source encryption system audited by security experts and (possibly) thoroughly examined by its attackers.
The Signal Protocol uses the following encryption algorithms:
- Curve25519: An elliptic curve cryptography (ECC) algorithm used to generate the Diffie-Hellman keys for the X3DH handshake.
- AES-256: A symmetric encryption algorithm is used to encrypt the messages after the X3DH handshake has been completed.
- HMAC-SHA256: A message authentication code (MAC) is used to authenticate the messages and prevent tampering.
The Signal Protocol also uses the following additional features for security:
- Double Ratchet Algorithm: A key-exchange protocol that generates new keys for each message, making it impossible to decrypt past messages if a key is compromised.
- Prekeys: A system of temporary keys that prevent an attacker from blocking communication if they can compromise a user's current key.
- Forward secrecy: A property of the Signal Protocol that ensures that if an attacker can compromise the keys for all past messages, they will still be unable to decrypt future messages.
While the Signal Protocol seems safe for a pre-Quantum communications environment, this blog post will examine some of the most significant Signal vulnerabilities, previous attacks, and notable interactions with law enforcement.
One of the most serious Signal vulnerabilities is CVE-2023-24068. This vulnerability allowed an attacker to modify or replace conversation attachments in the “attachments.noindex” directory. This directory stores attachments that have been deleted but have not yet been purged from the system.
The vulnerability existed because the Signal desktop client did not properly validate attachments when they were being loaded. This meant an attacker could create a malicious attachment that, when opened, would execute arbitrary code on the victim's computer.
Exploiting vulnerabilities like CVE-2023-24068 requires the attacker to have physical access to the victim's computer. However, this is not a difficult requirement, as most people leave their computers unlocked and unattended at some point.
CVE-2023-24069 was a vulnerability in how Signal Desktop handled files sent via Signal. When a file is sent to a Signal chat, the desktop client saves it in a local directory. This directory was not encrypted, so an attacker with local access to the computer could recover deleted files.
The vulnerability was particularly concerning because Signal is positioned as a secure messenger. All communications via Signal are encrypted, but the files were not. An attacker could steal sensitive files, such as images, documents, or videos, by gaining local access to the victim's computer.
Signal released a patch to fix the vulnerability. If you are using Signal Desktop, you should always have installed the latest version to protect yourself from these vulnerability types.
Another serious Signal vulnerability is CVE-2022-28345. This vulnerability allowed an attacker to spoof the appearance of a URL in the Signal app. This can trick the victim into clicking a malicious link, which leads to the introduction of malware or other unwanted software installations.
The vulnerability existed because the Signal app did not properly handle RTLO-encoded URLs. RTLO encoding is a technique used to obfuscate a URL's appearance. This can be useful for hiding malicious links from users.
Exploiting this vulnerability requires the attacker to know the subdomain of the target URL. This is because the Signal app only decodes RTLO-encoded URLs that begin with a non-breaking space.
CVE-2020-5753 was a security vulnerability in Signal Private Messenger Android v4.59.0 and up and iOS v18.104.22.168 and up. The vulnerability allowed a remote non-contact to ring a victim's Signal phone and disclose the currently used DNS server due to ICE Candidate handling before the call is answered or declined.
ICE (Interactive Connectivity Establishment) is a protocol Signal used to establish a connection between two peers. During the ICE negotiation process, each peer sends the other a list of potential candidates for the connection, such as IP addresses and ports. The peers then select the best candidate for the connection based on latency and bandwidth.
The vulnerability in CVE-2020-5753 occurred when a remote non-contact rang a victim's Signal phone. During the ICE negotiation process, the non-contact could send the victim a list of candidates, including a DNS server they control. The non-contact can see the victim's DNS traffic if the victim's Signal app accepts the candidate.
Attackers used this vulnerability to track the victim's online activity or intercept their communications. The vulnerability was patched in Signal v4.60.0 for Android and v22.214.171.124 for iOS.
Signal users were affected by an attack in August 2022, when a phishing attack on Twilio, Signal's phone number verification provider, exposed the phone numbers of 1,900 Signal users. However, we do not know if the attackers could access user data, including message history, contact lists, or profile information.
The attackers were able to exploit a vulnerability in Twilio's customer support console. The attackers accessed the console by sending phishing emails to Twilio employees. The emails contained malicious links that, when clicked, would install malware on the employees' computers. The malware gave the attackers access to the employees' Twilio accounts, which allowed them to view and download data from Signal users.
The data the attackers accessed included the phone numbers and SMS verification codes of 1,900 Signal users. This information could be used to re-register the users' phone numbers to another device or to impersonate the users and send them fraudulent messages. However, the attackers could not access other data from Signal users, such as message history, contact lists, or profile information.
This attack highlights the importance of security hygiene for both individuals and organizations. Employees should be trained to avoid phishing emails and to never click on links in unsolicited emails. Organizations should also have strong security controls to protect their data from unauthorized access.
In 2019, Signal was targeted by FinFisher, a company that sold surveillance software to governments. The FinFisher hackers were able to exploit a vulnerability in Signal's desktop app. The vulnerability was in the way that Signal handled file attachments. The FinFisher hackers were able to create a malicious file attachment that would exploit the vulnerability and give them control of the user's computer. However, Signal's encryption prevented the hackers from accessing any of the user's messages. Signal quickly patched the vulnerability and notified its users.
In 2015, it was reported that FinFisher executives sold the system to Turkey to enable their security services to spy on government opposition parties. This sale was illegal, as FinFisher is required to secure an export license from the German government. In 2023, four former FinFisher executives were charged in Munich with failure to apply for an export license for the $5.4 million contract.
As a result of these charges, FinFisher filed for insolvency in March 2022. The Munich Public Prosecutor's Office seized the company's assets, and its employees were laid off. FinFisher is no longer in business, and as of 2023, its website has been taken down.
It is important to note that FinFisher is still being used by some government agencies. In 2023, the Carnegie Endowment for International Peace found evidence that FinFisher was still being used to target human rights defenders in Egypt and journalists in over 20 other countries. FinFisher will likely continue to be used by governments for surveillance purposes, even though the company that developed it is no longer in business.
In a 2021 gun-trafficking case in New York, it appears the FBI possesses a tool to access private Signal messages. Court documents revealed encrypted messages could be intercepted by a software element from iPhone devices in “partial AFU (after first unlock)” mode. This means the phone has been unlocked once but not turned off since then. In this state, encryption keys are stored in memory and can be accessed by law enforcement with the right tools.
It is important to note Signal itself has not been cracked. Although the FBI relies on physical access to the device and a court order to obtain the data, the fact that the government may have this capability concerns privacy advocates. It means that even if you use a secure messaging app, your messages may not be as safe as you think if your phone is ever seized by law enforcement or a malicious party with cyberwarfare capabilities.
Although these are just seven of the most significant Signal vulnerabilities and attacks found in recent years, there are likely other vulnerabilities that have not yet been discovered. It is important to be aware of these weaknesses so that you can take steps to protect yourself from them. Lastly, Signal is not currently PQC-secure, which means Signal is not currently quantum-resistant (and subject to “Steal Now, Decrypt Later” attacks). Still, it does appear there is an effort to implement CRYSTALS-Kyber into the Signal Protocol.