MIAMI–Markus Vervier and Jean-Philippe Aumasson have spent the past six months poking security holes in the end-to-end encryption protocol Signal, all in their free time. And they have been successful in privately disclosing more than a half-dozen flaws, most of which have been patched.
“Signal is one of the most secure messaging platforms. But our research shows that even the most secure things still have bugs,” said Vervier, who joined Aumasson during a talk Friday at the Infiltrate Conference.
The short version of their talk was that no company should ever rest on their security laurels and Signal is no exception. “Signal has a huge code base, which is largely under-analyzed,” Aumasson said. “Protocol implementations have room for improvement.”
Signal is one of the most popular and trusted end-to-end secure messaging apps. The encryption protocol was developed by Open Whisper Systems and is used by millions. It can be found in Signal’s own app and is also used in WhatsApp and Facebook’s Messenger “Secret Conversation” mode, and Google’s Allo encrypted messaging service.
Aumasson and Vervier discussed past vulnerabilities, including those found in the Signal Android client and in the underlying Java libsignal library. Both then showed how these bugs can be used to crash Signal remotely, bypass the MAC authentication for certain attached files, and trigger memory corruption bugs.
For its part, Open Whisper Systems has supported their work and when appropriate, it has fixed the most serious bugs found by the two, according to Vervier. Their most high-profile bug was found in September when the two figured out a way to corrupt attachments sent via the Signal Messaging App.
In other cases, more trivial bugs have not been patched. Researchers say Signal has told them some of their bugs are too benign and obscure and don’t need to be fixed. “They tell us the attack model, from their standpoint, is not realistic,” Vervier said.
But both researchers disagree. A bug, as impractical as it may be to execute, is still a bug.
“We haven’t found any glaring security holes. But we have found a lot of non-critical vulnerabilities some might call imperfections. Nevertheless, we would like to show that there are ways Signal can better protect their users,” said Vervier.
In another demo of a bug found two weeks ago, the researchers showed how a malicious Signal user could surreptitiously send invalid public keys to other users. “An attacker who knows that the public key is invalid could decrypt one message, but only in a far-fetched scenario,” Aumasson explained.
“In the cryptographic mechanism used here (a variant of the Diffie-Hellman key agreement, a widely used technique to establish session keys also used in TLS), public keys must satisfy certain criteria in order to be secure. If these criteria aren’t satisfied, the session keys established through that mechanism become predictable to an attacker.
“The lack of key validation (i.e. the verification that public keys are not invalid) is therefore not a major security risk. But I believe that validating keys would make Signal even more secure and robust against maliciously or accidentally invalid keys,” the researchers explained.
Signal told the researchers that this is not a threat, because a party that is malicious could do even more harm than just sending invalid public keys.
A big part of keeping Signal safe is also acknowledging the attack surface extends to vulnerabilities in both Android and iOS that weaken the platform – albeit indirectly. Signal is not an island unto itself. It is part of a security ecosystem that includes Android and everything that Signal touches, said Vervier.
“Even if Signal were 100 percent secure, all the components that are connected to it are very shaky,” Vervier said during his session.
In one example, researchers sent an SVG image file with a malformed value to an Android Signal app. When the recipient opened the image, the device crashed. To blame were vulnerabilities in the Android media libraries. “This is not Signal’s responsibility to fix, but it should be somebody’s responsibility. It just weakens the Signal platform,” Vervier said.
Both researchers acknowledge the attack surface of Signal remains small. But they argue that in just six months, in their free time, they were able to find a wide range of bugs.
“We don’t see why Signal can’t address some of these flaws. I’m guessing it’s not going to cost them anything,” Vervier said. “If it’s weak, it should be fixed and users should know about it. I’m sure we aren’t the only ones trying to figure out how to break Signal.”