There has been much heat and light written in the wake of (what is now being called) SignalGate.
I, myself, wrote in The Conversation about what this incident teaches us about the dangers of shadow IT, and the need for usable security.
But this post is not primarily about that.
Many people have noted that this incident was dangerous not because Signal was being used (as opposed to any other end-to-end encrypted messaging platform), but because any public messaging platform was being used from ordinary phones.
One common way to explain the risk here is that personal devices are vulnerable to being hacked, and if your device is hacked Signal won’t protect you.
While hacking iPhones is expensive (exploits sell for millions of dollars), doing so is certainly not out of reach for foreign intelligence services. Nor is it out of reach for spyware manufacturers like NSO Group and its customers, which include governments around the world. The products of spyware companies like NSO Group reportedly hack iPhones to spy on encrypted communications.
With all of this in mind, government cyber security personnel do well to operate under the assumption that personal devices are already compromised.
But perhaps there are even easier ways to exploit this situation.
More straightforward SignalGate threats than device hacking
Suppose Eve is working for a foreign intelligence service and knows that senior Trump national security officials routinely discuss sensitive topics over Signal, using relatively short-lived Signal groups created on-demand. Let’s suppose Eve wants to get access to sensitive material. There is no need to hack somebody’s device to do so. All she needs to do is get herself added to one of these groups.
I contend that doing so is probably easier than we might hope. (Though surely I’m not the first to make this claim.)
Let’s suppose that Alice and Bob are both senior national security personnel, who routinely create and add each other to such groups.
Threat 1: Malicious Contact Installation
Each time they create a new Signal chat group, they run the risk of messing up the group creation and inadvertently adding the wrong people to their group.
Rather than hacking Alice’s or Bob’s device, Eve needs only to get herself added to Alice’s contact list under the name “Bob”. If Eve can pull this off then, when Alice next creates one of these group chats, there is a non-zero chance that Alice will add Eve rather than Bob to the group. In fact, if Alice has n “Bob”s in her contacts, then Eve’s probability of success may be around $\frac{1}{n}$.
There are various ways Eve can get a fake “Bob” contact stored on Alice’s phone, especially when Alice and Bob are using their personal devices to access these groups.
The most obvious is Alice sharing new contact card information, e.g. through AirDrop. This would be the inverse of the widely-reported “new phone, houthis” joke that has circulated since SignalGate first broke.
But even ChatGPT is quite happy to brainstorm various other possibilities.
Protecting Against Malicious Contact Installation
Finally, I should note that Signal’s Nickname feature can help guard against this threat. But taking advantage of its protection requires users to go out of their way in the name of security.
For this reason, we should expect this feature to offer relatively little protection against this threat in practice. After all, SignalGate arose only because the people involved chose to use Signal rather than approved government systems for their sensitive communications, prioritising their own convenience over security.
Boosters of Signal might recognise that Signal would be more secure if it offered protective features against this threat that didn’t come at the expense of user convenience.
But that will have to be the subject of another day.
If you’re interested in figuring out what those features might be, please get in touch.
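A defender-side check for the name collision described under Threat 1, added here as an example and not taken from the original post or from Signal: it reads a contact export in vCard form and reports display names that resolve to more than one distinct entry (the n in the $\frac{1}{n}$ estimate). The sample data, the function names, and the choice of NFKC plus case folding to treat look-alike names as equal are assumptions of this example.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed sample (made-up names/numbers, FN and TEL only); \uff22\uff4f\uff42 is a full-width "Bob".
SAMPLE_VCF = """BEGIN:VCARD
FN:Bob
TEL;TYPE=CELL:+1 202 555 0101
END:VCARD
BEGIN:VCARD
FN:BOB
TEL:+1 (202) 555-0199
END:VCARD
BEGIN:VCARD
FN:\uff22\uff4f\uff42
TEL:+12025550142
END:VCARD
BEGIN:VCARD
FN:Carol
TEL;TYPE=CELL:+12025550177
TEL;TYPE=HOME:+12025550178
END:VCARD
"""

def name_key(name):
    # Fold width, case and spacing so names that look alike in a picker compare equal.
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def parse_vcards(text):
    # Yield (display name, sorted tuple of digit-only numbers) for each card.
    name, tels = None, []
    for line in text.splitlines():
        prop, _, value = line.partition(":")
        prop = prop.split(";")[0].upper()  # drop parameters such as TYPE=CELL
        if prop == "BEGIN":
            name, tels = None, []
        elif prop == "FN":
            name = value
        elif prop == "TEL":
            tels.append(re.sub(r"\D", "", value))
        elif prop == "END" and name:
            yield name, tuple(sorted(tels))

def ambiguous_names(text):
    # Names backed by more than one distinct contact entry; one contact with two numbers counts once.
    seen = defaultdict(set)
    for name, tels in parse_vcards(text):
        seen[name_key(name)].add(tels)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

Any name it reports is a candidate for a Signal Nickname or for removing the stale entry, so that the group picker shows only one match.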
Threat 2: SIM Swapping
Another way for Eve to achieve her goal without hacking Alice’s phone would be by attempting to impersonate Alice via a SIM swapping attack. Here Eve takes control of Alice’s phone number.
This attack is unlikely to succeed without leaving some traces, however, and Signal has some in-built protections against it. If Eve is able to take over Alice’s phone number, then Alice will be kicked off Signal and Alice will be notified that something is amiss. Bob will also get notified when he tries to message Alice or add her to a new group, telling him that Alice’s safety number has changed.
We should expect that a sophisticated adversary will be able to socially engineer their way around many of these obstacles. However, because it leaves obvious traces, this attack vector is unlikely to be preferred by secret intelligence services.
Protecting against SIM Swapping attacks
Besides safety number change warnings, Signal’s Registration Lock feature guards against SIM swapping attacks.
However, as with Nicknames above, it relies on people choosing to turn it on, and then being willing to keep it on and suffer the associated inconveniences that entails. For instance, with registration lock enabled, if you forget your Signal PIN you may need to wait 7 days before you can get back in.
Threat 3: Device Syncing
This threat was first reported by Google’s Threat Intelligence Group in February but has gotten an airing in the wake of SignalGate.
Here, Eve uses a phishing attack to get Alice or Bob to link their Signal account to Eve’s device.
Signal’s boosters have characterised reporting on this threat as FUD.
Yes, this threat doesn’t mean Signal’s cryptography is broken. Yes, this threat is not specific to Signal per se.
But its existence is absolutely a security weakness. Otherwise, it wouldn’t (as Google reports) be the “widely used technique underpinning Russian-aligned attempts to compromise Signal accounts”.
It absolutely is another vector by which Signal group chats discussing national security matters might be breached. Like the other attacks above, it might require less effort than device hacking; that it is being used in practice suggests that for some threat actors this is certainly the case. Indeed, Google notes in its report how they suspect this attack is already being used for Russian espionage.
Protecting against Device Syncing
There are fewer guards against this attack, beyond standard hardening guidance and vigilance. That doesn’t necessarily mean that more couldn’t be done to help guard against it by making design changes or implementing additional features in Signal.
Conclusion
None of these threats are necessarily specific to Signal. Indeed these threats may be worse for other secure messaging apps that include fewer protections than Signal does. I expect there are other threats as well. As always, secure messaging apps like Signal should not be used for exchanging sensitive government information.
Signal remains a best-of-breed secure messaging app. However, that doesn’t mean that it (and its ilk) do not have room to be made more secure, especially by focusing on things beyond cryptography, such as secure user interface design.
As I said above, if this is interesting to you, please get in touch.