UPDATE
MIAMI–Markus Vervier and Jean-Philippe Aumasson have spent the past six months poking security holes in Signal's end-to-end encrypted messaging protocol and clients, all in their free time. They say they have privately disclosed what they consider more than a half-dozen flaws to Signal, most of which have been patched.
“Signal is one of the most secure messaging platforms. But our research shows that even the most secure things still have bugs,” said Vervier, who joined Aumasson during a talk Friday at the Infiltrate Conference.
The short version of their talk was that no company should ever rest on its security laurels, and Signal is no exception. “Signal has a huge code base, which is largely under-analyzed,” Aumasson said. “Protocol implementations have room for improvement.”
Signal is one of the most popular and trusted end-to-end secure messaging apps. Its encryption protocol, developed by Open Whisper Systems, is used by millions: it powers Signal’s own app and is also used in WhatsApp, in Facebook Messenger’s “Secret Conversation” mode, and in Google’s Allo messaging service.
Aumasson and Vervier discussed past vulnerabilities, including those found in the Signal Android client and in the underlying Java libsignal library. They then showed how these bugs could be used to crash Signal remotely, bypass the MAC authentication on certain attachments, and trigger memory corruption.
It should be noted that the demos used older versions of the Signal app on unspecified hardware.
For its part, Open Whisper Systems has supported their work and, where appropriate, has addressed their findings, according to Vervier.
Open Whisper Systems told Threatpost that the researchers have brought only one bug to its attention in the past six months. That was the researchers’ most high-profile find, from September, when Vervier and Aumasson figured out a way to corrupt attachments sent via the Signal messaging app.
“These researchers communicated one bug report to us six months ago concerning the ability to corrupt attachments larger than 4 gigabytes received by the Signal for Android client. Even though it was very low risk to Signal users, we fixed it within hours,” said Moxie Marlinspike, Open Whisper Systems’ founder.
In other cases, more trivial bugs have not been patched. The researchers say Signal has told them some of their bugs are too benign and obscure to need fixing. “They tell us the attack model, from their standpoint, is not realistic,” Vervier said.
Both researchers disagree: a bug, however impractical it may be to exploit, is still a bug.
“We haven’t found any glaring security holes. But we have found a lot of non-critical vulnerabilities some might call imperfections. Nevertheless, we would like to show that there are ways Signal can better protect their users,” said Vervier.
In another demo of a bug found two weeks ago, the researchers showed how a malicious Signal user could surreptitiously send invalid public keys to other users. “An attacker who knows that the public key is invalid could decrypt one message, but only in a far-fetched scenario,” Aumasson explained.
“In the cryptographic mechanism used here (a variant of the Diffie-Hellman key agreement, a widely used technique to establish session keys also used in TLS), public keys must satisfy certain criteria in order to be secure. If these criteria aren’t satisfied, the session keys established through that mechanism become predictable to an attacker.
“The lack of key validation (i.e. the verification that public keys are not invalid) is therefore not a major security risk. But I believe that validating keys would make Signal even more secure and robust against maliciously or accidentally invalid keys,” the researchers explained.
In this far-fetched scenario, the researchers explain, the sender would intentionally compromise the conversation. The goal could be to give the recipient the appearance of secure communications, in the hope that they would share something they otherwise might not.
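To make the mechanism behind this disagreement concrete, the following Python block is an added example written for this article; it is not code from Signal, libsignal or the researchers. It implements X25519 directly from RFC 7748, derives the five u-coordinates that encode small-order points (rather than hard-coding them), and shows that a peer who sends one of them can predict the resulting shared secret (32 zero bytes) without ever learning the other side's private key. The `shared_secret` function is the validation step the researchers describe; the names `demo`, `shared_secret` and the sample private keys are constructed for this illustration and are not Signal identifiers.

```python
"""X25519 (RFC 7748) with the small-order public-key validation discussed above.

Added example for this article; it is not code from Signal, libsignal or the
researchers. The ladder follows RFC 7748 section 5; the constants are the
published Curve25519 parameters. The sample private keys are constructed.
"""

P = 2**255 - 19                                        # field prime
A = 486662                                             # Montgomery coefficient
A24 = (A - 2) // 4                                     # 121665, used by the ladder
L = 2**252 + 27742317777372353535851937790883648493    # order of the base-point subgroup
BASE_POINT = (9).to_bytes(32, "little")

def _cswap(swap, a, b):
    return (b, a) if swap else (a, b)   # not constant-time; teaching code only

def _ladder(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5: u-coordinate of [k]u, k unclamped."""
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x_3 + z_3) % P, (x_3 - z_3) % P
        da, cb = d * a % P, c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * ((da - cb) ** 2) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return x_2 * pow(z_2, P - 2, P) % P   # z_2 == 0 (the identity) comes out as 0

def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248            # clamping makes the scalar a multiple of 8, so every
    k[31] &= 127           # point of order 1, 2, 4 or 8 is sent to the identity
    k[31] |= 64
    return int.from_bytes(k, "little")

def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127           # RFC 7748: ignore the unused top bit
    return int.from_bytes(u, "little")

def x25519(private_key: bytes, peer_u: bytes) -> bytes:
    return _ladder(_decode_scalar(private_key), _decode_u(peer_u)).to_bytes(32, "little")

def _on_curve(u: int) -> bool:
    # u lies on Curve25519 (not its quadratic twist) iff u^3 + A*u^2 + u is a square mod p.
    v = (u * u * u + A * u * u + u) % P
    return v == 0 or pow(v, (P - 1) // 2, P) == 1

def small_order_u_coordinates() -> set:
    """Every u encoding a point of order dividing 8, derived rather than hard-coded.

    u = 0 is the order-2 point (0, 0); u = 1 and u = p - 1 double to it (order 4).
    The two order-8 values come from multiplying curve points by L, which strips
    the prime-order component and leaves only the 8-torsion part.
    """
    found = {0, 1, P - 1}
    u = 2
    while len(found) < 5:
        if _on_curve(u):
            q = _ladder(L, u)
            if _ladder(2, q) in (1, P - 1):   # 2Q has order 4, hence Q has order 8
                found.add(q)
        u += 1
    return found

SMALL_ORDER_U = small_order_u_coordinates()

def shared_secret(private_key: bytes, peer_public: bytes) -> bytes:
    """X25519 plus the key validation the researchers proposed."""
    if _decode_u(peer_public) % P in SMALL_ORDER_U:    # mod p also catches u >= p encodings
        raise ValueError("peer public key has small order")
    k = x25519(private_key, peer_public)
    if k == bytes(32):                                 # RFC 7748 section 6.1 all-zero check
        raise ValueError("shared secret is all zero")
    return k

def demo() -> dict:
    bob_priv = bytes(range(32))             # constructed sample keys, not real ones
    alice_priv = bytes(range(100, 132))
    alice_pub = x25519(alice_priv, BASE_POINT)
    bob_pub = x25519(bob_priv, BASE_POINT)
    # A sabotaging sender ships a small-order "public key". Without the check,
    # Bob derives a secret the sender predicted without ever learning bob_priv.
    bad_pub = sorted(SMALL_ORDER_U)[2].to_bytes(32, "little")
    try:
        shared_secret(bob_priv, bad_pub)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "honest_matches": x25519(bob_priv, alice_pub) == x25519(alice_priv, bob_pub),
        "secret_with_bad_key": x25519(bob_priv, bad_pub),
        "attacker_prediction": bytes(32),
        "rejected_by_validation": rejected,
    }

if __name__ == "__main__":
    print(demo())
```

Running the block prints a dictionary in which the secret Bob computes from the malicious key equals the all-zero prediction, while `shared_secret` refuses the key before any message could be encrypted under it. The check costs a comparison against five field elements plus the all-zero test that RFC 7748 section 6.1 already recommends; it does nothing for a sender who wants to sabotage their own session, which is the point Marlinspike makes below, but it does protect a recipient from accidentally invalid keys.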
To be clear, Signal and the researchers don’t see eye to eye on what counts as a Signal bug.
“Signal uses the X25519 function in the way it was designed. There is no bug here, and no attack. The authors are proposing that someone could intentionally modify and recompile Signal to sabotage their own communication. Not third party communication,” Marlinspike said.
“People could also intentionally install malware on their own device, intentionally backdoor their own random number generator, intentionally publish their own private keys, or intentionally broadcast their own communication over a public loudspeaker. If someone intentionally wants to compromise their own communication, that’s not a vulnerability,” Marlinspike said.
“It’s absurd to claim this is a flaw in Signal, or the Signal Protocol. These claims are using confusing, technical-sounding language to mislead people into thinking there are flaws which simply don’t exist,” he said.
A big part of keeping Signal safe, Vervier said, is acknowledging that its attack surface extends to vulnerabilities in Android and iOS that weaken the platform, albeit indirectly. Signal is not an island unto itself; it is part of an ecosystem that includes the operating system and everything else Signal touches.
“Even if Signal were 100 percent secure, all the components that are connected to it are very shaky,” Vervier said during his session.
In one example, the researchers sent an SVG image file containing a malformed value to the Signal Chrome browser extension. When the recipient opened the image, the device crashed; vulnerabilities in Chrome’s media libraries were to blame. “This is not Signal’s responsibility to fix, but it should be somebody’s responsibility. It just weakens the Signal platform,” Vervier said.
The researchers count this as one of the flaws in the Signal ecosystem that should be addressed.
The most recent Signal bug the researchers found is a message replay flaw, according to Aumasson and Vervier. They said an attacker could replay the first messages of a session between two fully authenticated Signal users. Here is how the attack works.
Signal tries to remember previously established sessions and does not accept the same session and messages twice. By abusing limitations of the protocol and implementation, the researchers were able to circumvent this protection.
“As a result, a man-in-the-middle attacker may record and replay the initial messages of a conversation and replay them later. The replayed messages will appear valid and are accepted by the receiving Signal client as coming from the other party,” according to the researchers.
While a replay attack does not let adversaries decrypt message contents, it could be effective in scenarios where they already know what is being transmitted. “This especially applies to messages that belong to communication protocols parsed by (IoT) machines where actions could be triggered in a predictable way,” Vervier said.
Both researchers say Signal’s attack surface is large. They argue that if they were able to find a wide range of bugs in just six months of spare time, dedicated researchers could find many more.
“We don’t see why Signal can’t address some of these flaws. I’m guessing it’s not going to cost them anything,” Vervier said. “If it’s weak, it should be fixed and users should know about it. I’m sure we aren’t the only ones trying to figure out how to break Signal.”
(This article was updated 4/11/2017 at 8:30 pm ET and includes additional information from Moxie Marlinspike, Open Whisper Systems’ founder.)