One of the things we consistently teach in classes is that a good solution today may not be one tomorrow. The tech landscape, and by extension the threat landscape within it, is constantly changing. It’s our job to stay on top of those changes so we can adjust how we operate and stay ahead of the curve. Today it was announced that Signal, one of the best apps out there for ‘secure comms’ (nothing is completely secure), was found to have vulnerabilities. For the detailed technical description of those vulnerabilities and how they were found, you can look at this article. For the basics, read on:
One of those vulnerabilities could let an attacker who controls the server append random data to an encrypted attachment sent to an Android user without the tampering being caught by the app’s integrity check; the other was reported as potentially allowing remote execution of malicious code on the targeted device.
Before you run to Google Play and update, however, note that at the time of writing the fix is only available on GitHub. The developers are working on getting it into the Google Play store, and it should be available soon. Meanwhile, Open Whisper Systems (the company that makes Signal) had this to say:
“This was a really great bug report, but we consider its impact to be low severity at this time. It does not allow an attacker who has compromised the server to read or modify attachments, only to append a *minimum* of 4GB of unpredictable random data to the end of an attachment in transmit,” Moxie Marlinspike, Founder of Open Whisper Systems, said.
“While that causes a denial of service, effectively corrupting a file in an unpredictable way and making it too large to open on any Android device, an attacker that has compromised the server could more easily deny service just by blocking your request for the attachment.”
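Why a *minimum* of 4GB, and not any amount the attacker likes? The post doesn’t say, but 4 GiB is 2^32 bytes, which is the tell-tale of a byte count being pushed through a 32-bit integer: appending fewer bytes shifts where the tag is read from and the check fails, appending exactly 2^32 bytes wraps the count back to its original value and the check passes. The example below is an added illustration written for this post, not Signal’s code, and it models that bug class on an assumed ciphertext-plus-HMAC layout; that Signal’s bug had exactly this shape is an assumption here. It uses a 16-bit width so the wrapping append is 64 KiB and the demo runs instantly; the arithmetic is identical at 32 bits.

```python
import hashlib
import hmac
import os

MAC_LEN = 32  # HMAC-SHA256 tag stored after the ciphertext (assumed layout)


def seal(key: bytes, ciphertext: bytes) -> bytes:
    """Produce the stored blob: ciphertext || HMAC-SHA256(key, ciphertext)."""
    return ciphertext + hmac.new(key, ciphertext, hashlib.sha256).digest()


def verify_truncating(key: bytes, blob: bytes, width: int = 32) -> bool:
    """Flawed verifier (assumed model of the bug class, not Signal's code).

    The number of bytes covered by the tag is derived from the blob length
    but squeezed into a `width`-bit field, so it wraps modulo 2**width.
    With width=32 the smallest append that wraps the count back to the
    original value is 2**32 bytes, i.e. 4 GiB.
    """
    if len(blob) < MAC_LEN:
        return False
    covered_len = (len(blob) - MAC_LEN) & ((1 << width) - 1)
    covered = blob[:covered_len]
    tag = blob[covered_len:covered_len + MAC_LEN]
    expected = hmac.new(key, covered, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def verify_fixed(key: bytes, blob: bytes) -> bool:
    """Correct verifier: the tag must cover everything before the final MAC_LEN bytes."""
    if len(blob) < MAC_LEN:
        return False
    covered, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(key, covered, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def append_junk(blob: bytes, n: int) -> bytes:
    """What a malicious server can do to a stored blob: tack n random bytes on the end."""
    return blob + os.urandom(n)


def min_undetected_append(width: int) -> int:
    """Smallest append that wraps the truncated count back to its original value."""
    return 1 << width


def demo(width: int = 16) -> dict:
    """Run both verifiers over a clean blob, a short append and a wrapping append.

    Returns {case: (truncating_result, fixed_result)}. width=16 keeps the
    wrapping append at 64 KiB; at width=32 the same arithmetic needs 4 GiB.
    """
    key = os.urandom(32)
    # Constructed sample input; in practice this would be the encrypted attachment.
    original = seal(key, b"constructed sample attachment ciphertext")
    short = append_junk(original, 100)
    wrapped = append_junk(original, min_undetected_append(width))
    return {
        "clean": (verify_truncating(key, original, width), verify_fixed(key, original)),
        "append_100": (verify_truncating(key, short, width), verify_fixed(key, short)),
        "append_wrap": (verify_truncating(key, wrapped, width), verify_fixed(key, wrapped)),
    }


if __name__ == "__main__":
    for case, (buggy, fixed) in demo().items():
        print(f"{case:12s} truncating={buggy!s:5s} fixed={fixed!s:5s}")
```

Run it and the `append_wrap` row shows the truncating verifier accepting a blob the fixed verifier rejects, while `append_100` fails under both: a shorter append moves the spot the tag is read from, which is why the attacker’s add-on has to be at least 2^width bytes, and why at 32 bits the corrupted file is at least 4 GiB (`min_undetected_append(32)`). The fix is the boring one: compute the covered length in a type that can hold the file size and take the tag from the true end of the data.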
The good news is that the problems are fixable (and if you know how to use GitHub, you can get the patch), and as the researchers who found the problems stated:
“The results are not catastrophic, but show that, like any piece of software, Signal is not perfect,” Aumasson said. “Signal drew the attention of many security researchers, and it’s impressive that no vulnerability was ever published until today. This pleads in favor of Signal, and we’ll keep trusting it.”
What does this mean to you, the Signal user? Here’s what you need to do:
- If you don’t understand GitHub and you are using Android, then stop using Signal for sensitive communications until there is an update on the Google Play store. (Maybe use Unseen instead.)
- Read the technical description of the vulnerabilities. If you find a word you don’t understand, look it up. You’re not going to learn or get any better unless you get WHY and HOW things work.
- Pay attention to when that update drops. I would guess it’ll be within the next week or so. When it does drop, get on it. Immediately.
- Moving forward, consistently pay attention to what you’re using for digital communications. What state is it in? Is it still maintained? What issues have been reported against it, and have they been fixed? Use best practices.
Signal is still one of the best solutions out there. We just need to stay on top of things so that when it changes, we can adapt.