In today´s world where privacy, anonymity and confidentiality are a required in our day-to-day communications, those features are something most users expect when using a communication tool such as Signal from Open Whisperer Systems. Unfortunately a lot of users tend to mix or use as synonyms each one of those concepts when in reality they are not interchangeable. To clarify this, let’s take a quick look into the meaning of each of them in terms of communication.
Privacy: refers to the freedom from public intrusion into one’s personal matters, and personal information.
Anonymity: refers to maintaining your real identity hidden and not being recognized as the author of a message or communication.
Confidentiality: refers to processes used to keep information accessible only to an authorized person or group, including when exchanged between two or more individuals or organizations.
The three are related in terms of communication security, but they are not the same, and it is dangerous to overlook those differences when using a communication application such as Signal and not fully understanding its implications and limitations.
In the following example two phones were used to simulate communication between them using Signal’s network to illustrate why anonymity is not insured by this type of application.
The following image shows a network capture where we can see in action the Signal protocol’s end to end encryption; this is what makes it possible to maintain the privacy of the contents of our communications:
The content of the message is protected by the Signal protocol, but even then we leave traces that could disclose who we are. Those pieces of information, known as metadata, allow an attacker to identify Signal users and become subjects of other measures to breach our security.
How is it possible to identify among all the traffic who are users of Signal? Well the answer is simple: even when the content of our communication is encrypted and only the recipient can read it, in order to reach its destination the message must pass through a server that belongs to the Signal network so it can be routed the correct destination. To do that it requires using the domain name service (DNS) to know what IP address belongs to that server – here is where we show to the world that we are using Signal:
That trace showing a connection to “whispersystems.org” gives an attacker a lot of information such as what IP addresses are trying to connect to Signal and to what servers. For this example 10.0.1.123 and 10.0.1.120 are possible users communicating by Signal. Also it shows that at least two Signal servers were queried for this example: 22.214.171.124 and 126.96.36.199. These pieces of metadata will allow an attacker to review the network trace and find out if the users were communicating with Signal’s servers.
It’s important to note that Signal protocol hides the ID of the recipient of our messages; its encryption mechanism makes sure of that. But next we discuss a feature that could expose the intended person with whom we would like to exchange information.
Signal aims for privacy not anonymity!
In the scenario in which a whistleblower tries to reach another person using Signal, the whistleblower requires anonymity from the very start, since he is likely risking his career, job or even his life. Our findings presented in the following show why Signal can fall short of this important requirement.
In the whistleblower scenario, one phone number will be known for the whistleblower, the number of the person or organization which he will try to give information regarding something illegal or unethical, but the number of the whistleblower is not known to the organization, yet. Signal has a very peculiar way to handle this type of scenario, and to complicate the matter, this behavior is different depending on which phone operating system the whistleblower wants to use.
On Android phones, it’s possible to send a message using Signal without having to add the number of the person to your contacts lists, although that user must be a Signal user to insure the message will be encrypted by Signal. If the other user is not using the Signal app yet, Signal will send an insecure message to that user using SMS.
In iOS, the contact must exist first in your contact list, otherwise the application doesn’t allow you to input the telephone number to send a message. This issue wouldn’t be so bad if not for the fact that trying to contact a phone number that is not in your contact list will cause Signal to request that you send a regular SMS to invite that person to download Signal.
With this behavior the application is forcing the whistleblower to use an insecure communication channel and even expose his or her use of Signal. Even worse, both parties could be identified as Signal users if the attacker has access to the mobile carriers’ SMS machines. Remember SMS usually will use the carrier’s data network, over which we have little to no control at all.
The preceding example demonstrates that Signal was never meant to make the user anonymous but to protect the privacy and the content of his conversation. As a security conscious user you must keep the application updated and stay informed regarding any news involving the security of the application in order to minimize the risk that Signal, like any complex application, will have bugs and some of those bugs can be exploited to breach the security of the application.
Again, this is not to say that Signal is a bad tool, but the user’s expectation sometimes are dead wrong, for example as we note here with respect to anonymity. Also, we have the tendency to believe in silver bullets for specific problems, and in the digital world nothing is simple and many concerns are far from having a simple solution or magic answer.
Moving towards anonymity
Regarding anonymity, the issue requires several modifications on both sides of the equation, the users and the application. If the users really want to be anonymous, the communication behavior must change, including where they connect, what type of information is exchanged (using as little as possible), looking for other methods to increase anonymity (randomize MAC address), connecting from different networks, etc.
On the application side, we believe Signal should change its subscription model in order to achieve anonymity. Today’s model in Signal ties your identity to a mobile number. Your mobile number becomes your ID within the Signal’s network, but then that makes you unique in that sense. A phone is vulnerable to different discovery approaches and makes you distinguishable not only on Signal but also identifies you in the carrier’s network. That makes you less than anonymous, since your mobile number usually is linked with your ID in the real world.
Prepaid or “burner” phones exist, but not in all parts of the world do prepaid phones help you with your anonymity. Furthermore, such phones must still be smartphones to use an app like Signal, which makes them more expensive. Although Signal will work on iPads and Ipods, Signal has been slow to keep its app working on Android tablets. The iPod represents a moderate expense option for use with Signal, but this still has the issues with MAC and network identification, as noted above. (Note: Amerandus Research has supplied iPods for dedicated Signal use to several of those with whom it works or for whom it has consulted.)
If anonymity is the goal, an application must use a subscriber model that allows generation of an identity completely separated from anything that can link us to our real world identity. A monthly plan mobile phone number produces the opposite of that goal, which is why an account-based model is more likely to help to protect your anonymity, if handled correctly. Just to be clear, anonymity will not be achieved by a single application or procedure. Anonymity is more a lifestyle, and if you are planning to use Signal or similar applications in today´s environment, they will help you to protect your privacy up to a point; but to hide your identity in order to become anonymous most likely will fail if you don’t take additional steps.
To finalize this article, I would like to discuss the importance of the security of the communication end point, your mobile device. During this study of the Signal app, I noticed a detail about how Signal handles the registration and deregistration of a user, and how that process could be exploited to get the content of your communications without your knowing.
In this scenario there are 3 players involved. Bob who talks with Julia regularly using Signal, and Mr. Blackhat, who wants to know what is being discussed between Bob and Julia. Mr. Blackhat is using another device with Signal installed but not registered yet. In these tests, an iPod 6th generation was used to demonstrate how even a device that doesn’t have access to a mobile carrier network can be compromised.
Mr. Blackhat, by social engineering (e.g. to get hold of Bob’s mobile) or by exploiting a vulnerability in Bob’s mobile, momentarily gains can access to the SMS in Bob’s mobile. Now he registers his iPod with Signal using Bob´s mobile number. Signal sends a warning that Bob’s number is already registered, but nevertheless, still sends the activation code to Bob´s number by SMS, which Mr. Blackhat can read by the initial exploit/access. Now Mr. Blackhat enters the authentication code and proceeds to erase the message to cover his tracks. At this point Mr. Blackhat has successfully hijacked Bob’s future communications using Signal!
Later in the evening Julia sends information to Bob, but Signal warns Julia that the identifying key material for Bob’s phone has changed. That could mean one of two things: either Bob reinstalled the application, or somebody is trying to intercept the communications. Signal then gives advice on how to verify this, but Julia, either not being technically savvy or overconfident, dismisses the warning and continues messaging Bob without suspecting that actually she is now talking with Mr. Blackhat.
Mr. Blackhat is now talking with Julia and Bob is unaware of all this. Signal never sent a warning that his device has been deregistered from the network. The first sign to Bob that something is wrong appears when he tries to contact Julia. His messages don’t go out, and what makes it worse is that the only thing that the application tells Bob is that there was an issue. After several attempts, Bob uninstalls and reinstalls the application, and with the new registration the conversation with Julia can be resumed.
The issue with this low tech hack is that Mr. Blackhat is taking advantage of how Signal works. In this case, the designers put their faith in the idea that all users are paranoid and sophisticated enough to avoid skipping and dismissing warnings like the one received by Julia. Just as importantly, Signal does not notify Bob of his device being deregistered or the specific reason why his messages can’t get through, e.g. his device has been deregistered.
This preceding scenario shows that security awareness can help to mitigate the imperfections of our tools.
Signal has been designed from the ground up to protect privacy and confidentiality of message content, but anonymity as to the identity of users has to do more with the way you use the application and understanding its limitations.
Keep in mind that maintaining a proper security of the endpoint (your mobile) is extremely important to minimize your risk to expose yourself and your information.
Understand the operational capabilities and limitations of the tools you are using.
As with any complex software, bugs will appear and those bugs can and will be used when possible to exploit the tool and to breach the confidentiality and privacy of the communications
Become a good user by being security aware.
Nick answers a few questions about Signal and alternatives
Rob: OK. So why should our firm recommend an application like Signal that may not protect users’ anonymity?
Nick: The issue is not Signal by itself. Any application, no matter how well designed, will have some security issue. When I recommend a tool, I always remind the potential user that a tool is no substitute for security awareness and best practices. In this specific case, if only privacy is required Signal is quite useful, but if anonymity is critical, I would look for other solutions.
Rob: The next question for our users is whether there are similar apps that are better in protecting anonymity? Threema and WickR are two other secure messaging apps. Are they superior? Are any others?
Nick: Well we could carry an evaluation from the user point of view. A peer review requires access to the source code among other things, and an in depth analysis of that code plus any infrastructure involved in the solution. Since software by itself is not a standalone entity; it operates in complex environments, and sometimes the environment is part of the problem.
In fact, in order to achieve some degree of anonymity at present time, a laptop is a better solution since it can run OSes that help in that area. I think a solution for secure communications that achieves privacy and anonymity should start with the hardware and OS (eg laptop/Tails), and then a specific application for communication such as Signal running in a secure platform. At this point a handheld device such as smartphones has too many security issues.
Rob: With respect to using Tails, our less sophisticated users have resisted the added steps of employing Tails, not to mention creating new, more anonymous communications accounts.
As you know, we have generally tried to dissuade users for years from relying on email, yet it has proven almost impossible to prevent the vast majority of users of modest technical sophistication from demanding email communications.
There is a new email system from Ladar Levison that claims to significantly protect email metadata, and not just the content of messages. On January 24, 2017, Levison announced:
“In 2014, with Kickstarter funding, I started the development of the Dark Internet Mail Environment (DIME), a revolutionary end-to-end encrypted global standard and Magma, its associated DIME capable free and open source mail server. Today, I am proud to announce that we are releasing DIME and Magma to the world. DIME provides multiple modes of security (Trustful, Cautious, & Paranoid) and is radically different from any other encrypted platform, solving security problems others neglect. DIME is the only automated, federated, encryption standard designed to work with different service providers while minimizing the leakage of metadata without a centralized authority. DIME is end-to-end secure, yet flexible enough to allow users to continue using their email without a Ph.D. in cryptology.”
Should we let readers know that we will be looking into the DIME-based email system as another potential alternative that could make protecting metadata and anonymity easier? Or do the claims sound too good to be true?
Nick: DIME is very promising because it tackles security issues that other solutions at this time neglect, but until it´s adopted by the main players and forced into a wide adoption, it will be just another tool that will have several limitations. Unfortunately, with current technology and security, the best approach is to use technology as a tool instead of a solution. Also, users that desire true anonymity must understand that security training is not optional considering what they put at risk (reputation, family job or even life), and most do make a conscious effort to educate themselves about cybersecurity, or at the very least the limitations of their tools that they use. That is what someone reading this post is most likely doing.
Nick Altamira is the pen name of a SANS certified incident and forensic security expert who has worked with Amerandus Research for many years to help educate and protect the security and privacy of communications among whistleblowers, plaintiffs, attorneys, investigators, and auditors.