Signal is a cross-platform centralized encrypted messaging service developed by the Signal Technology Foundation and Signal Messenger LLC. used by users to send one-to-one and group messages, including files, voice notes, images, and videos.

Security researchers made an interesting finding while using Signal apps across multiple platforms, as they discovered that when you or your contact reinstall the Signal app or switch over to a new device, the Signal safety number between you two may not always change.

This specific safety number is a feature helping users verify the security of their messages and calls with their contacts, and is typically expected to change when either party reinstalls the app or switches devices.

End-to-end encrypted messaging apps like Signal function by having a security feature called “safety number,” or a “security code,” that can sometimes be represented as a QR code.

This SN is shared between you and every contact you have on Signal. The Safety Number (SN) serves as the pair’s fingerprint and therefore helps both contacts to verify the privacy of their communications.

The SN is represented both in a human-readable numeric form and a QR code, and the expectation is that when a contact reinstalls the messaging app, switch to a new device, or change phone number, the safety number, and inherently the QR code, are expected to change.

The most common scenarios where a safety number advisory is displayed are when a contact switches to a new phone or re-installs Signal. However, if a safety number changes frequently or unexpectedly it may be a sign that something is wrong.

Source

Unfortunately security researchers Kelly KaoudisJohn JacksonSick Codes, and Robert Willis have discovered, when installing Signal on a new device and transferring their account over, the fact that the safety number for their contacts and them didn’t change.

The researchers went ahead and tested this behavior across multiple platforms that are currently supported by Signal, like Linux, OSX, Android, iOS, and Windows, and discovered that the safety numbers did not always change across these platforms when the Signal app was deleted and reinstalled, or when switching to a different device.

Mid-May, I got a new phone. At the time I understood that with any change to the device or installation of either party in a chat with message history, the Signal chat safety number changes.

This used to be but (following an involved email back-and-forth with the Signal team over the course of a month) is no longer reflected in the Signal support documentation.

Source

Since their report of this issue to Signal, the researchers state that the issue was mysteriously resolved, claiming that Signal rolled out patches that they believe were responsible for resolving the issue.

It’s worth noting that Signal has revised its support documentation:

The most common scenarios where a safety number advisory is displayed are when a contact switches to a new phone or re-installs Signal, but these actions don’t always result in a safety number change.

Signal declared for the journalists at BleepingComputer that no changes have been made to the source code that regards safety numbers.

The VP of Engineering for Signal, Jim O’Leary stated that any updates made recently were part of the normal maintenance updates, and explained why safety numbers may not change as expected in all circumstances.

Signal’s CEO, Moxie Marlinspike shed some light on the circumstances in which the safety numbers will not change:

In the same Twitter conversation, Marlinspike adds that the researchers’ report covers a case of Signal device transfer, followed by the cycling of linked devices.

However, when uninstalling or reinstalling Signal on an unlinked device, the Safety Numbers are supposed to change, and that “this is how it always worked and was supposed to work.”

If Signal patched any issues described in the report without announcing should be easy to find out given the fact that they are an open-source app, therefore their GitHub commit history would reveal the changes:git hub signal app

Source

With the original purpose of the safety numbers existence being to allow users to verify the security of their messages and calls with specific contacts, you should pay attention if the Safety Number between you and your contact changed, but not every single case of app re-installation or migration may lead to a safety number change.

2021.04.23 QUICK READ

Signal Exposes Major Cellebrite Vulnerabilities

Data encryption software cover image
2021.03.12 INTERMEDIATE READ

4 Examples of Data Encryption Software to Consider for Your Enterprise

Is Signal secure? article cover image
2021.01.19 SLOW READ

Is Signal Secure? An Analysis of its History, Encryption Protocol, and Privacy Policy

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP