Signal App Safety Numbers Remain Unchanged
When Reinstalling the Signal App or Switching Over to a New Device, the Signal SN May Not Always Change.
Signal is a cross-platform, centralized, end-to-end encrypted messaging service developed by the Signal Technology Foundation and Signal Messenger LLC. It lets users exchange one-to-one and group messages, including files, voice notes, images, and videos.
Security researchers using Signal across multiple platforms made an interesting finding: when you or a contact reinstall the Signal app or move to a new device, the safety number between the two of you may not always change.
The safety number is the feature users rely on to verify the security of their messages and calls with a contact, and it was widely expected to change whenever either party reinstalled the app or switched devices.
End-to-end encrypted messaging apps like Signal expose a security feature called a “safety number” (other apps call it a “security code”), which can also be represented as a QR code.
A distinct safety number (SN) exists between you and every one of your Signal contacts. It acts as the pair’s fingerprint: because it is derived from both parties’ long-term identity keys, comparing it out of band lets both contacts confirm that nobody has substituted keys on the path between them.
The SN is shown both as a human-readable string of digits and as a QR code, and the expectation was that when a contact reinstalls the messaging app, switches to a new device, or changes phone number, the safety number, and therefore the QR code, would change.
The most common scenarios where a safety number advisory is displayed are when a contact switches to a new phone or re-installs Signal. However, if a safety number changes frequently or unexpectedly it may be a sign that something is wrong.
Unfortunately, security researchers Kelly Kaoudis, John Jackson, Sick Codes, and Robert Willis discovered that after installing Signal on a new device and transferring their account over, the safety numbers between them and their contacts did not change.
The researchers tested this behavior across the platforms Signal currently supports, namely Linux, OSX, Android, iOS, and Windows, and found that safety numbers did not always change when the Signal app was deleted and reinstalled, or when they switched to a different device.
Mid-May, I got a new phone. At the time I understood that with any change to the device or installation of either party in a chat with message history, the Signal chat safety number changes.
This used to be but (following an involved email back-and-forth with the Signal team over the course of a month) is no longer reflected in the Signal support documentation.
After reporting the issue to Signal, the researchers state that it was quietly resolved, and they believe that patches Signal rolled out in the meantime were responsible.
It’s worth noting that Signal has revised its support documentation:
The most common scenarios where a safety number advisory is displayed are when a contact switches to a new phone or re-installs Signal, but these actions don’t always result in a safety number change.
Signal told BleepingComputer that no changes had been made to the source code relating to safety numbers.
The VP of Engineering for Signal, Jim O’Leary stated that any updates made recently were part of the normal maintenance updates, and explained why safety numbers may not change as expected in all circumstances.
Signal’s CEO, Moxie Marlinspike shed some light on the circumstances in which the safety numbers will not change:
It doesn’t seem like you did. You tried (and reported) installing on a new device using Signal device transfer, and you tried cycling a linked device. These do not result in SN change notifications, because the underlying key material has not changed, so there is nothing to warn.
— Moxie Marlinspike (@moxie) June 5, 2021
In the same Twitter conversation, Marlinspike adds that the researchers’ report covers the case of a Signal device transfer followed by cycling of linked devices. A device transfer carries the existing identity key pair over to the new phone, and a linked device uses the primary device’s identity key, so the key material the safety number is derived from stays the same and no advisory is raised.
When Signal is uninstalled and reinstalled on a device without transfer or linking, a fresh identity key is generated and the safety number is supposed to change; as Marlinspike put it, “this is how it always worked and was supposed to work.”
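To make the “key material” distinction concrete, here is an added example (not code from the original article or from the Signal project) that models how a safety number is derived from the two parties’ identity keys, following the numeric fingerprint scheme used in libsignal: SHA-512 over a version prefix, the serialized public key and a stable identifier, iterated 5200 times, with the first 30 bytes encoded as six five-digit groups per side and the two halves concatenated in sorted order. The identity keys and phone-number identifiers are constructed stand-ins, and the constants are assumed to match the upstream defaults; the comparison only depends on the number being a pure function of the keys.

```python
import hashlib

# Constants modelled on libsignal's NumericFingerprintGenerator (assumption:
# these match the upstream defaults; the comparison below does not depend on
# the exact values, only on the result being a function of the identity keys).
FINGERPRINT_VERSION = 0
ITERATIONS = 5200


def fingerprint_half(identity_key: bytes, stable_id: bytes,
                     iterations: int = ITERATIONS) -> str:
    """Derive one party's 30-digit half of the safety number.

    identity_key: the party's serialized long-term public identity key.
    stable_id:    a stable account identifier (historically the phone number).
    """
    version = FINGERPRINT_VERSION.to_bytes(2, "big")
    digest = hashlib.sha512(version + identity_key + stable_id).digest()
    # Iterated hashing makes forging a key with a colliding fingerprint costlier.
    for _ in range(iterations):
        digest = hashlib.sha512(digest + identity_key).digest()
    # First 30 bytes -> six groups of five decimal digits (5 bytes mod 100000 each).
    groups = [f"{int.from_bytes(digest[i:i + 5], 'big') % 100000:05d}"
              for i in range(0, 30, 5)]
    return "".join(groups)


def safety_number(my_key: bytes, my_id: bytes,
                  their_key: bytes, their_id: bytes) -> str:
    """Full 60-digit safety number; identical no matter which side computes it."""
    mine = fingerprint_half(my_key, my_id)
    theirs = fingerprint_half(their_key, their_id)
    # Lexicographically smaller half first, so both parties see the same string.
    return mine + theirs if mine <= theirs else theirs + mine


def display(sn: str) -> str:
    """Render the 60 digits in the familiar twelve groups of five."""
    return " ".join(sn[i:i + 5] for i in range(0, len(sn), 5))


def new_identity_key(seed: bytes) -> bytes:
    """Constructed stand-in for a fresh Curve25519 identity key: 0x05 type
    byte plus 32 bytes derived deterministically from `seed` so the example
    is reproducible. A real client generates random key material."""
    return b"\x05" + hashlib.sha256(b"example-identity:" + seed).digest()


def simulate_scenarios() -> dict:
    """Compare Alice's safety number with Bob across the events in the article."""
    # Constructed identifiers (not real phone numbers).
    alice_id, bob_id = b"+14155550100", b"+14155550199"
    bob_key = new_identity_key(b"bob")
    alice_key = new_identity_key(b"alice-original-install")

    before = safety_number(alice_key, alice_id, bob_key, bob_id)

    # Device transfer: the identity key pair is migrated to the new phone
    # unchanged, so the derived number is the same and no advisory is shown.
    transferred_key = alice_key
    after_transfer = safety_number(transferred_key, alice_id, bob_key, bob_id)

    # Fresh reinstall without transfer: a new identity key is generated, so
    # the number changes and Bob sees a "safety number changed" advisory.
    reinstalled_key = new_identity_key(b"alice-fresh-reinstall")
    after_reinstall = safety_number(reinstalled_key, alice_id, bob_key, bob_id)

    # What Bob computes on his side must match what Alice sees.
    seen_by_bob = safety_number(bob_key, bob_id, alice_key, alice_id)

    return {
        "before": before,
        "after_transfer": after_transfer,
        "after_reinstall": after_reinstall,
        "seen_by_bob": seen_by_bob,
    }


if __name__ == "__main__":
    result = simulate_scenarios()
    for label, sn in result.items():
        print(f"{label:15s} {display(sn)}")
    print("transfer changed SN: ", result["after_transfer"] != result["before"])
    print("reinstall changed SN:", result["after_reinstall"] != result["before"])
```

Running it prints four 60-digit numbers: the post-transfer number and Bob’s view match the original, and only the fresh reinstall differs. That is exactly the distinction Marlinspike draws: an advisory is triggered by a change in the fingerprinted identity key, not by the act of reinstalling or moving the app.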
Whether Signal patched any of the issues described in the report without announcing it should be easy to establish, given that the app is open source: the project’s GitHub commit history would reveal any such change.
Since safety numbers exist to let users verify the security of their messages and calls with specific contacts, you should pay attention whenever the safety number between you and a contact changes. Conversely, not every app reinstallation or migration leads to a safety number change: if the identity key was carried over, there is nothing new to verify.