One of those vulnerabilities could allow potential attackers to add random data to the attachments of encrypted messages sent by Android users, while another bug could allow hackers to remotely crash vulnerable devices.
The vulnerabilities have just been patched, but the updated version of Signal is so far available only on the project's GitHub open source repository, and not on Google's official Play Store for Android apps, leaving millions of privacy-conscious people exposed to attacks.
Developed by the open source software group Open Whisper Systems, Signal is a free and open source messaging application designed for Android and iOS users to exchange encrypted messages and make encrypted voice calls.
The flaws in the Android version of Signal include:
- Message authentication-bypass vulnerability
- Remote crash bug
The Message Authentication-Bypass Flaw in Signal
Researchers Jean-Philippe Aumasson and Markus Vervier discovered the message authentication-bypass vulnerability while reviewing the Java code used by Signal for Android.
The vulnerability is not easily exploitable. Only attackers with the ability to compromise a Signal server or to monitor data passing between Signal users (a man-in-the-middle position) would be able to append pseudorandom data to a legitimate attachment.
As part of standard authenticated encryption schemes, encrypted messaging services use a Message Authentication Code (MAC) to authenticate a message — in other words, to confirm that the message came from the claimed sender and has not been changed in transit.
However, in the case of attachments, Signal did not verify the authenticity of the entire file; it only checked a portion of it, making it possible for an attacker to append pseudorandom data to a legitimate attachment without the MAC check detecting it.
For a successful attack, an attacker could make use of Signal's file compression feature to reduce the size of the malicious attachment in transit to a manageable 4 megabytes.
While talking to Ars Technica, Aumasson said he found the integer overflow bug in the following line of code:
int remainingData = (int) file.length() - mac.getMacLength();
- The value 'file.length()' is a number encoded on 64 bits (of type 'long').
- The receiving variable 'remainingData' is a number encoded on 32 bits (of type 'int').
“Therefore, when ‘file.length()’ is longer than what fits in a 32-bit number, the value of ‘remainingData’ (the number of bytes left to process) will be incorrect, as it will be much smaller than the real size of the file,” Aumasson explained. “Consequently, a large part of the file will be ignored when Signal will verify the cryptographic authenticity. Signal will only check the (small) beginning of the file, whereas the user will actually receive the much larger file.”
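As an added illustration (not Signal's code; the MAC algorithm, its 32-byte tag length and the sample sizes are assumptions), the narrowing cast from the quoted line beside a 64-bit-safe size check and a streaming verifier that authenticates the whole file:

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AttachmentMacCheck {
    static final int MAC_LENGTH = 32; // HmacSHA256 tag size (assumed here)

    // Mirrors the article's line: the 64-bit length is narrowed to 32 bits
    // BEFORE the subtraction, so only the low 32 bits of the size decide how
    // much of the file gets authenticated. Appending a multiple of 2^32 bytes
    // (4 GiB) leaves this value unchanged, which is why the append has to be
    // at least 4 GB to go unnoticed.
    static int vulnerableRemaining(long fileLength) {
        int remainingData = (int) fileLength - MAC_LENGTH;
        return remainingData;
    }

    // Hardened: keep the arithmetic in 64 bits and reject sizes a 32-bit
    // index cannot address, instead of silently verifying a prefix.
    static long safeRemaining(long fileLength) {
        if (fileLength < MAC_LENGTH || fileLength - MAC_LENGTH > Integer.MAX_VALUE)
            throw new IllegalArgumentException("unverifiable attachment size: " + fileLength);
        return fileLength - MAC_LENGTH;
    }

    // Verify the HMAC over everything except the trailing tag, streaming in
    // chunks so the byte count is never squeezed into an int.
    static boolean verifyWholeFile(byte[] key, InputStream in, long fileLength)
            throws IOException, GeneralSecurityException {
        long remaining = safeRemaining(fileLength);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] buf = new byte[8192];
        while (remaining > 0) {
            int n = in.read(buf, 0, (int) Math.min(buf.length, remaining));
            if (n < 0) return false;                 // file shorter than declared
            mac.update(buf, 0, n);
            remaining -= n;
        }
        byte[] expected = in.readNBytes(MAC_LENGTH);
        return expected.length == MAC_LENGTH && MessageDigest.isEqual(mac.doFinal(), expected);
    }

    public static void main(String[] args) {
        long legit = 1_000_000L;              // constructed 1 MB legitimate attachment
        long tampered = legit + (4L << 30);   // same file with 4 GiB appended in transit
        System.out.println("vulnerable remainingData = " + vulnerableRemaining(tampered));
        try { safeRemaining(tampered); }
        catch (IllegalArgumentException e) { System.out.println("hardened: " + e.getMessage()); }
    }
}
```

Running `main` shows that the vulnerable computation returns the same count for the tampered file as for the original 1 MB one, so the appended 4 GiB never enters the MAC, while the hardened check refuses the oversized file outright.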
Although Signal uses end-to-end encryption, encrypting messages on the sender's device and decrypting them only on the receiver's end, the encrypted messages still pass through a server, allowing attackers to carry out the message authentication bypass by compromising or impersonating a server and then tampering with legitimate message attachments.
While the attack is not trivial to carry out, it is not too difficult for state-sponsored attackers to impersonate a trusted certificate authority (CA) or trick victims into installing a rogue certificate on their devices and thereby circumvent transport-layer security (TLS) protections.
Moreover, since Signal is used by a large number of security professionals and privacy advocates, the app has always been a priority target for nation-state actors, although it seems unlikely that they would exploit this kind of flaw.
"This was a really great bug report, but we consider its impact to be low severity at this time. It does not allow an attacker who has compromised the server to read or modify attachments, only to append a *minimum* of 4GB of unpredictable random data to the end of an attachment in transmit," said Moxie Marlinspike, founder of Open Whisper Systems.
“While that causes a denial of service, effectively corrupting a file in an unpredictable way and making it too large to open on any Android device, an attacker that has compromised the server could more easily deny service just by blocking your request for the attachment.”
The second flaw discovered by the researchers could allow attackers to remotely execute malicious code on the victim's device, while the third one makes it possible for attackers to cause a simple remote crash.
The researchers privately disclosed all the vulnerabilities to Open Whisper Systems on September 13, and the company has already issued an update on GitHub, though it has yet to appear on the Play Store.
“The results are not catastrophic, but show that, like any piece of software, Signal is not perfect,” Aumasson said. “Signal drew the attention of many security researchers, and it’s impressive that no vulnerability was ever published until today. This pleads in favor of Signal, and we’ll keep trusting it.”
Aumasson and Vervier are now testing for the same bugs in WhatsApp and Facebook Messenger, which also rely on Signal's code.