- Signal vulnerable to an auto-answer exploit, which requires a modified client for the caller.
- The attacker may activate the microphone of the target device without the recipient realizing it.
- Signal fixed the flaw in a few hours with a patch to version 4.47.7, so users are urged to update immediately.
Natalie Silvanovich, a Google Project Zero researcher, has discovered a severe flaw in the Android client of the Signal Private Messenger, an app that is trusted by many as the most secure messenger in the world. The scenario of exploitation presupposes the failure of the recipient to answer a call on Signal, which then opens up the door for the caller to force an auto-connection to the call without any interaction on the other end. For this to work, the caller needs to use a modified Signal client, which sends a fake “connect” message, initiating a “handleCallConnected” procedure.
This activates the microphone on the target device, so the caller gets to listen to private conversations without the recipient realizing the fact. The video, however, isn’t accessible through this vulnerability, as the user will have to manually enable video on calls for that. On the iOS version of the messaging app, the auto-connect trick isn’t working because the exploitation procedure causes an error in the UI, following an unexpected sequence of states. So, it’s not a matter of superior security implementation in the iOS version of the app, but rather a matter of "saving the day" luck.
Silvanovich reported the bug to Signal developers, and they quickly confirmed the problem. Proving their accountability once more, it only took them a couple of hours to prepare and push a patch following the report. That said, if you haven’t upgraded to Signal version 4.47.7, you should do so immediately. In general, the researcher mentioned that due to the limitations in WebRTC, Signal has a large remote attack surface. This means that keeping it up to date is your best bet in remaining safe from prying ears.
The open-source Signal app remains our top choice when it comes to private communication, but it certainly isn’t the only available option out there. Other popular messaging apps that feature end-to-end encryption are WhatsApp, Viber, Facebook’s Messenger, Telegram, Skype, Line, Threema, KakaoTalk, Dust, Wickr, and many more. That said, if your trust to Signal has been irreversibly shaken, or if you just want to check out an alternative, you can pick one of the above.