You are viewing a single comment's thread from:

RE: Switching System 7 (SS7) Security flaws

in #hacking8 years ago (edited)

This is a great article, but this part is somewhat incorrect.

What about Signal and WhatsApp you say? Well guess what, if an attacker knows your phone number, they can hijack your Signal or WhatsApp application by sending a forged SMS message. They just hack the SMS messages through SS7, and snatch away the target’s Signal account. The only way you would know about it is when you no longer get any Signal calls or text messages.

In the case of signal, message content isn't routed over SMS. Only the initial device handshake when you setup the device. The rest is direct to their servers via https and it uses an asymmetric key system on top of the TLS stuff.

When you add a new contact it's just registering their public key in a manner similar to GPG. Signal really is just a glorified GPG client under the hood. Signal's entire customer database is comprised of "phonenumber, publickey" and that's it. We know this because they have been served in the past with a request that amounted to "tell us everything you know about persons, x,y & z".

Message notifications are sent out using push messages, which do route over SMS. But push is a service of the OS provider such as Google, Apple or Blackberry. If these are being held up, alot more than signal is going to fail.

They couldn't be blocked except at the carrier level. The device will fall back to periodic "wakeup" polling if no new notifications are received after a certain length of time. Again this is ajax style polling and occurs over https.

So just to be clear, it's not that you wouldn't get notifications or messages. It's the LEA could get a copy of the little bit of info that says "wake up, you have a message". Thus the most they could deduce is that someone, somewhere sent you a message via signal. They can't get at the message itself since the process of actually checking the message involves something similar to JWT and they would need to eavesdrop the https in order to get the token. Also they wouldn't be able to know who you are talking to without subpoenaing Moxie Marlinspike and pals.

Just wanted to clarify, it's an awesome article though!
Upvoted and resteemed!

Sort:  

That's an article I couldn't write and almost barely understood. Post it! :)

Lol I think I just did. If you want more depth and details upvote this and I'll make it my next topic.

That is right, it's the initial signup where Signal sends an SMS with a code. But, if that SMS is intercepted by a third party, Signal won't know that. Also, during that initial process (correct me if I'm wrong), a key pair is generated, where your public key is stored on their server which it identifies as you, as you explained above. But your description is correct. You are right, I failed to mention that part, but it was well documented elsewhere.

It identifies not as you as the person, but as the phone number (MDN) along with a keypair. There isn't a concept of personages, just MDNs. The MDN is tied to a publickey, and the private key is on the device. Thus if the SMS is redirected, then the initial setup handshake would just fail. But you still need to communicate ownership of the MDN out of band with your contacts.

This is why signal checks your contact list and automatically begins to share public keys. IMHO this is the biggest vulnerability with signal. It should ask you for each contact if you do or do not want to go encrypted with that particular contact and it should allow you to reject. Otherwise anyone who has you in their contact list will know you are on signal. This is more of an OPSEC vulnerability than a real issue though.

One other place where signal looks to be failing is it looks like it is in fact public key per MDN instead of a unique key per contact pair. Dang it, you got me deep diving their code base now :D
Guess I'll make a post and maybe compare signal vs silence.