Signal, a security-focused messaging application, has been updated to address a vulnerability that could automatically initiate a call with someone else.
Through the flaw, an attacker could initiate calls to capture the victim's ambient sound, recording conversations, meetings, and any other noise.
The flaw was discovered by security researcher Natalie Silvanovich. She works at Google Project Zero, a team that specializes in hunting for flaws in any popular product or application, even if it's unrelated to Google.
The issue was fixed in Signal version 4.47.7, released the same day that the issue was reported by Silvanovich. Anyone who has installed this version or later is immune to attacks based on this flaw.
In practice, the problem existed only in the version of Signal for Android. Although the iOS (iPhone) app also has the vulnerable code, certain differences in the app's interface ended up preventing the error from being exploited by an attacker.
However, the flaw is very similar to an issue that was fixed by Apple in January on FaceTime, the iPhone's exclusive app for voice and video calling.
According to Silvanovich, a logic error in Signal may allow an attacker to force an unanswered call to be initiated without authorization from the recipient of the call.
The call would not be answered immediately. However, if the victim did not notice the phone ringing or vibrating – which may happen with the device in silent mode, for example – remote audio recording could occur without alerting the call recipient.
As a result, the victim's cell phone became a "listening device" activated by the intruder.
Exploiting the flaw is not difficult. The attacker only needs to modify their own copy of Signal to send a "connected call" command even before the call is answered by the recipient. Since Signal is an open source program, it is not difficult to modify the software to perform this function.
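The logic error described above, modelled as a small callee-side call state machine with the vulnerable handling beside a hardened one. This is an added illustration, not Signal's code; the class, message names and event traces are hypothetical and constructed for the example.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()
    RINGING = auto()     # incoming call, waiting for the local user
    CONNECTED = auto()   # audio flows, microphone is live

class Callee:
    """Receiving side of a call. All names here are hypothetical."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.state = State.IDLE
        self.mic_on = False
        self.rejected = []   # out-of-order messages, kept for logging/alerting

    def _connect(self):
        self.state, self.mic_on = State.CONNECTED, True

    def user_accepts(self):
        # Local UI action: the only legitimate way for a callee to connect.
        if self.state is State.RINGING:
            self._connect()

    def on_remote(self, msg):
        # Messages from the peer are untrusted input.
        if msg == "offer" and self.state is State.IDLE:
            self.state = State.RINGING
        elif msg == "connected":
            if self.hardened:
                # A callee sends "connected" after accepting; receiving it
                # is out of order for this role, so record it and drop it.
                self.rejected.append((self.state.name, msg))
            elif self.state is State.RINGING:
                # Logic error: a remote message stands in for local consent.
                self._connect()

def replay(hardened, events):
    """Feed a constructed event sequence to a fresh callee and return it."""
    callee = Callee(hardened)
    for source, value in events:
        if source == "user":
            callee.user_accepts()
        else:
            callee.on_remote(value)
    return callee

# Constructed traces: in the first, the recipient never answers.
UNANSWERED = [("remote", "offer"), ("remote", "connected")]
ANSWERED = [("remote", "offer"), ("user", "accept")]
```

The `rejected` list is the detection hook: a "connected" message arriving at a ringing callee never occurs in a normal call, so it is worth logging as well as dropping.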
WhatsApp Adapted Signal Technology
Signal is maintained by Open Whisper Systems and its main focus is on communications security. Although not as well known as WhatsApp or Telegram, Signal's cryptographic technologies have been adapted by Facebook and integrated with WhatsApp.
All WhatsApp users therefore indirectly use a part of the privacy technology developed for Signal. However, unlike WhatsApp, Signal sets aside certain features to reduce the possibility of flaws and keep its focus on security.
As a security-focused application, Signal is widely used by people who need to ensure the privacy of their communications.
Flaws in applications used by this group of people are always worrying, as they expose those who care most about their security.
Stamp Altieres Rohr – Photo: Illustration: G1