Signal Compromise: What to Know

If you've been following the news in the tech world over the past 48 hours, you'll know the revelation that's now too big to hide: Signal Foundation has disclosed that its messenger system has been compromised, leaving millions of accounts exposed, including government representatives and journalists. This is no doubt the work of nation-state actors (all signs pointing to the Russians) but, and I can't emphasize this enough, you were warned.

Signal is not and has never been 'secure', despite what the marketing tells you along with the criminally stupid parrots or bad-faith actors you'll find online. Its primary draw has been convenience: it claims to be an end-to-end encrypted messaging, calling, and video conferencing app that (so they say) has 'never been broken'. It's just so doggone easy that it's a one-stop shop for making all your bad dreams into good ones. The devil is in the details. Signal's data is centralized, meaning all of its pass-through traffic is located in one place (think of a storm drain here and you get the idea). In case you didn't know, that place is Amazon Web Services. Not good for privacy. Further, Signal requires an account to be registered with a phone number, which is in turn tied to a laundry list of metadata even if the user is generating 'randomized' phone numbers. Real life is not a Jason Bourne movie and, since the US Government was dumb enough to authorize sensitive data to be passed along Signal's network (because their own assets built it, but that's another story), it became a big juicy target for foreign intelligence services, friend and foe alike. All that's needed is a target's phone number and a winning attitude.

As I've shouted from the rooftops for years, Signal is nothing more than another white-side messaging app. There should be zero expectation of privacy on it, let alone security or anonymity. Because it's white side, no sensitive data should be passed through it. I don't care what big bruv gov says, they're wrong; they never authorize anything they do not have a backdoor into as it is, but now we know the rest of the world does too.

What actually took place (this time, anyway) was a relatively simple phishing attack. Any user can see a list of registered accounts on Signal by simply searching phone numbers. Take a list of those numbers registered to a geographic area (DC is a great place to start) and blast out a link designed to harvest the target's data when they click. Very simple attack, nearly as old as the internet itself. Once you've got that, you're in: you've got the account data in real time. It wasn't sophisticated by any means, whatever they claim.

So - what does this mean for you? I'll say again that Signal is not, nor should it be considered, in any way secure. It lacks basic security features such as masking users' data, which is in part by design. Signal Foundation cannot and will not change this. It's a feature, not a flaw, as part of the program's original mission: to have a government-use messaging app that bridged mobile devices to computers in a centralized system that could be supervised. That's why their boss, Katherine Maher, is a hand-picked spook who comes from a family of spooks. Doesn't mean don't use it, just means don't use it for anything serious. And if you do, don't be shocked by the consequences.

Serious alternatives must have the following characteristics: decentralization, open source code, and a random user hash generated as the account identification. They also need basic privacy interfaces such as a notification when screenshots are taken. Signal doesn't do this, much to the woe of many dumb users getting caught using their inside voice outside in a dumbass group chat. There are too many to name these days, and keep in mind this list is in perpetuity - what we do today we might not be doing next week - but some strong options are SimpleX, Session, Briar and DeltaChat. Do not, and I can't stress this enough, pay for a messaging app if you're at all concerned about obscuring metadata. For starters, it's stupid with the sheer number of great free options, but it also creates yet another metadata blip on your attack surface. The four I mentioned each create a random user hash, are end-to-end encrypted (and have been independently audited by someone other than a trust-me-bro) and, most importantly, do not host users' data on AWS.
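To make the "random user hash as account identification" point concrete, here is an added Python example (not from this post, and not code from Signal or any of the four apps named above). It contrasts an identifier derived from a phone number with one drawn from the OS random source, and shows the defender's reason the difference matters: a phone number lives in a tiny, enumerable space, so any identifier computed from it can be linked back to the number, while a 256-bit random identifier carries no link to the person at all. The phone number and the +1202555 block are constructed sample values, and the function names are mine.

```python
import hashlib
import math
import secrets

# Constructed sample number in E.164 form; not a real subscriber.
SAMPLE_PHONE = "+12025550147"


def phone_derived_id(phone: str) -> str:
    """Identifier computed deterministically from a phone number (SHA-256 hex).

    This stands in for any account model where the number is the identity:
    whoever knows or can guess the number can recompute the identifier.
    """
    return hashlib.sha256(phone.encode("utf-8")).hexdigest()


def random_account_id() -> str:
    """256-bit identifier from the OS CSPRNG (secrets), hex encoded.

    Nothing about the user goes into it, so there is nothing to recover.
    """
    return secrets.token_hex(32)


def link_id_to_phone(target_id: str, prefix: str, line_digits: int = 4):
    """Defender's-eye linkability check.

    Enumerate every line number under a known prefix (10**line_digits
    candidates) and see whether the identifier collapses back to a number.
    Returns the matching number, or None if the identifier is unlinkable
    within that block.
    """
    for n in range(10 ** line_digits):
        candidate = f"{prefix}{n:0{line_digits}d}"
        if phone_derived_id(candidate) == target_id:
            return candidate
    return None


def search_space_bits(candidate_count: int) -> float:
    """Entropy an attacker must search, in bits, for a given candidate count."""
    return math.log2(candidate_count)


if __name__ == "__main__":
    phone_id = phone_derived_id(SAMPLE_PHONE)
    rand_id = random_account_id()
    print("phone-derived id:", phone_id)
    print("random account id:", rand_id)
    # Linking a phone-derived id back to its number takes a short loop...
    print("linked phone-derived id to:", link_id_to_phone(phone_id, "+1202555"))
    # ...while the random id matches nothing in the same block.
    print("linked random id to:", link_id_to_phone(rand_id, "+1202555"))
    # Ten-digit NANP space (~33 bits) versus 256 bits of randomness.
    print("bits to search, all NANP numbers:", round(search_space_bits(10 ** 10), 1))
    print("bits to search, random id:", search_space_bits(2 ** 256))
```

The loop covers one 10,000-number block in well under a second; the full ten-digit numbering plan is only about 33 bits, which is why salting or hashing a phone number does not turn it into an anonymous identifier. A random identifier gives nothing to enumerate, which is the property the four apps above get from generating one per account.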

As always, this goes hand in hand with sound tradecraft practices like compartmentalizing your contacts and keeping your electronic devices shielded from connectivity when not in use. Woe unto him who doesn't use a Faraday bag to protect his mobile devices.