Signal Messenger Vulnerability Allows Caller to Auto-Connect with Unaware Recipient

  • Signal vulnerable to an auto-answer exploit, which requires a modified client for the caller.
  • The attacker may activate the microphone of the target device without the recipient realizing it.
  • Signal fixed the flaw in a few hours with a patch to version 4.47.7, so users are urged to update immediately.

Natalie Silvanovich, a Google Project Zero researcher, has discovered a severe flaw in the Android client of the Signal Private Messenger, an app that is trusted by many as the most secure messenger in the world. The scenario of exploitation presupposes the failure of the recipient to answer a call on Signal, which then opens up the door for the caller to force an auto-connection to the call without any interaction on the other end. For this to work, the caller needs to use a modified Signal client, which sends a fake “connect” message, initiating a “handleCallConnected” procedure.

This activates the microphone on the target device, so the caller gets to listen to private conversations without the recipient realizing the fact. The video, however, isn’t accessible through this vulnerability, as the user will have to manually enable video on calls for that. On the iOS version of the messaging app, the auto-connect trick isn’t working because the exploitation procedure causes an error in the UI, following an unexpected sequence of states. So, it’s not a matter of superior security implementation in the iOS version of the app, but rather a matter of “saving the day” luck.

Silvanovich reported the bug to Signal developers, and they quickly confirmed the problem. Proving their accountability once more, it only took them a couple of hours to prepare and push a patch following the report. That said, if you haven’t upgraded to Signal version 4.47.7, you should do so immediately. In general, the researcher mentioned that due to the limitations in WebRTC, Signal has a large remote attack surface. This means that keeping it up to date is your best bet in remaining safe from prying ears.

The open-source Signal app remains our top choice when it comes to private communication, but it certainly isn’t the only available option out there. Other popular messaging apps that feature end-to-end encryption are WhatsApp, Viber, Facebook’s Messenger, Telegram, Skype, Line, Threema, KakaoTalk, Dust, Wickr, and many more. That said, if your trust to Signal has been irreversibly shaken, or if you just want to check out an alternative, you can pick one of the above.

Do you have something to comment on this story? Let us know of your opinion in the section down below, or on our socials, on Facebook and Twitter.

REVIEW OVERVIEW

Recent Articles

Amazon’s 4th of July Deals 2020 – 30+ Hand-Picked Independence Day Deals on Tech Products (This Weekend Only!)

We hope that you’ve already planned your Independence Day weekend – no matter if you'll be surrounded by friends and family, or spending it...

Apple Is Working on Transparent Glass Keyboard Caps

Apple could introduce glass keycaps that display stuff from LEDs that reside underneath. These keys could change form and function as needed,...

How to Watch the ‘2020 Austrian Grand Prix’ Online – Live Stream F1

Formula 1 is finally back on the racetrack, and we are excited to start watching The Event online. Now that the F1 season is...

Offline Viewing Finally Lands on Amazon’s Windows 10 Prime Video App

The Windows 10 Amazon Prime Video app now allows local downloads for offline viewing. The app is enabling users to access over...

Brazilian Electric Power Company Extorted by REvil Ransomware Actors

“Light S.A.,” a Brazilian energy producer and distributor, has fallen victim to a REvil ransomware attack. The actors are demanding the payment...