Signal Messenger Eavesdropping Exploit Confirmed—What You Need To Know
On January 29, I reported how iPhone users were exposed to a FaceTime eavesdropping exploit. That exploit enabled an attacker to listen to FaceTime users by calling the target, even if they didn't pick up the call. In something of a déjà vu moment, it has now been confirmed that a similar "call not completed" exploit could be used to listen in on Android users of the secure Signal messenger app. Here's everything you need to know.
How did the Signal eavesdropping exploit work?
Natalie Silvanovich, a security engineer who is part of Google’s vulnerability research team at Project Zero, has disclosed how a bug in the Android Signal client could let an attacker spy on a user without their knowledge. In a similar fashion to that FaceTime vulnerability that was reported at the start of the year, an attacker could call the victim and initiate an “auto-answer” without the user accepting the call.
The bug allowed a hacker to phone a target device, and the call would be answered without the recipient needing to accept it, essentially letting the hacker listen in on the victim. "When the call is ringing, the audio mute button can be pressed to force the callee device to connect," Silvanovich said, "and audio from the callee device will be audible." By pressing the mute button quickly enough, the attacker could reduce the chances of the victim being aware that a call had even been made. Unlike the FaceTime exploit, however, Silvanovich said that only audio could be spied upon, as "the user needs to manually enable video in all calls."
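To illustrate the class of bug described above, here is a constructed model, added for this article and not Signal's own code: a callee call-state machine whose handler for a remote "mute audio" message moves a ringing call straight to connected, next to a hardened variant that ignores state-changing signaling until the local user has accepted. The names (CallState, Callee, handle_set_mute_audio) are assumptions of the model.

```python
# Constructed model of the "answered without accepting" bug class. NOT Signal's code.
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    RINGING = auto()     # incoming call, local user has not accepted
    CONNECTED = auto()   # audio flowing in both directions


class Callee:
    """Minimal model of the callee side of a call."""

    def __init__(self, enforce_accept: bool):
        # enforce_accept=False models the flawed behaviour, True the hardened one.
        self.enforce_accept = enforce_accept
        self.state = CallState.IDLE
        self.accepted = False        # only ever set by a local user action
        self.audio_muted = False

    def incoming_call(self) -> None:
        self.state = CallState.RINGING
        self.accepted = False

    def local_accept(self) -> None:
        """The only legitimate way into CONNECTED: the user answers."""
        if self.state is CallState.RINGING:
            self.accepted = True
            self.state = CallState.CONNECTED

    def handle_set_mute_audio(self, muted: bool) -> bool:
        """Handle a remote mute/unmute message; returns True if it was applied."""
        if self.enforce_accept and self.state is not CallState.CONNECTED:
            return False  # hardened: no remote message may change state before accept
        self.audio_muted = muted
        if self.state is CallState.RINGING:
            # flawed: applying media settings also completes the call setup
            self.state = CallState.CONNECTED
        return True


def connects_without_accept(enforce_accept: bool) -> bool:
    """Simulate a caller sending 'mute' while the callee is still ringing."""
    callee = Callee(enforce_accept)
    callee.incoming_call()
    callee.handle_set_mute_audio(True)
    return callee.state is CallState.CONNECTED and not callee.accepted
```

The flawed variant reports a connected call the user never accepted; the hardened variant stays in the ringing state until local_accept is called.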
How dangerous was this Signal exploit?
Anything that can bypass privacy measures for a service whose calls are, according to the Signal home page, "painstakingly engineered to keep your communication safe," has to be taken seriously. That is especially so given that Signal is used by many political activists, dissidents, and investigative journalists, for whom privacy is more than just a buzzword.
The method disclosed by Silvanovich to eavesdrop on Signal users would require the attacker to first change the code of the Android Signal app, replacing the method "handleSetMuteAudio" in the file "WebRtcCallService.java", and then rebuild the client. This takes it out of the scope of the casual attacker.
A further mitigating factor is that only the Android app was at risk: an error in the iOS client's user interface prevented the call from completing.
What do you need to do now?
The eagle-eyed reader will no doubt have noticed I have been using the past tense. Open Whisper Systems told Vice that the issue was fixed on September 27, the same day it was reported.
However, ZDNet reports that while the fixed version (Signal 4.48.13) was released via GitHub on October 4, it does not yet appear to have reached the Google Play store. The latest update to the Android app on Google Play is 4.47.7, which was updated on October 1.
As long as you ensure that your Android Signal app is automatically updated to the latest version as these are released, your risk of being spied upon using this exploit remains very low indeed. If you are downloading something like Signal from a non-trusted third-party store, you already have privacy problems.
Do I still trust Signal to provide a secure messaging experience? You betcha. There have been reports of problems with WhatsApp and Telegram that have concerned me more than this, and supposedly secure replacements have also been found wanting.
–
Updated October 5 with further information regarding the nature of the modification to Signal code required