Signal has fixed a vulnerability affecting its popular eponymous secure communications app that allowed bad actors to discover and track a user’s location.
The nonprofit organization also announced on Tuesday a new mechanism – Signal PINs – that will eventually allow users not to use their phone number as their user ID.
About the vulnerability
The vulnerability, discovered by Tenable researcher David Wells, stems from the fact that the WebRTC fork used by Signal for voice and video communication must discover a valid connection path for the local (the calling party) and remote peer (the called party) to communicate.
While doing that, it makes a DNS request and reveals the DNS server the phone automatically connects to.
While the DNS server information cannot tell the caller where exactly the callee is located as it offers just coarse location data, according to Wells, “in instances such as Google Public DNS (126.96.36.199/188.8.131.52) and others, this attack can narrow the location down to the Signal user’s city due to usage of EDNS Client Subnet.”
Most importantly, the information can be gleaned even if the called party does not answer the call, meaning that the called party can’t prevent a threat actor from placing the call, hanging up before they answer, and collecting the DNS server info.
Doing so many times during the day and for weeks would allow the threat actor to build a profile of frequent DNS servers the app uses as the called party moves from home, to work, to a coffee shop, and so on.
While this may not be a problem for average users, one can see how certain users like journalists, activists, dissidents, or even victims of stalkers could be affected by malicious actors being able to know, at any time, their general location.
Luckily, Signal has already pushed out updated versions of Signal for Android (v4.59.11) and iOS (3.8.4) that fix the problem, so users can update their apps immediately.
If updating is impossible, Wells advises using a mobile VPN app that tunnels DNS traffic.
About Signal PINs
By setting up and using a Signal PIN, users will be able to save (back up) important data (e.g., profile, account settings, contacts, block list) that they might lose if their phones get lost, stolen or destroyed. This will also allow users to easily migrate their Signal data when they switch phones.
The data will be encrypted and saved on Signal’s servers, but won’t be accessible to Signal because they don’t know the users’ PIN.
It’s also important to point out that the saved data does not include Signal conversations.
Signal PINs can also serve as an optional “registration lock” – an additional protection against Signal account hijacking.
Finally, this mechanism “will also help facilitate new features like addressing that isn’t based exclusively on phone numbers, since the system address book will no longer be a viable way to maintain your network of contacts.”
Users can change their PIN and switch on the Registration Lock through the app’s privacy settings. More information about Signal PINs can be found here.