Signal App Compromised? Not So Fast…
Much has been written about the supposed compromise of Signal as a so-called ‘secure messaging app’, with some sources being a bit better than others on the matter. I’ve had a ton of questions about it over the past couple of days, and almost all of it doesn’t revolve around the issues with an app itself, but rather, the tradecraft errors behind using it.
First things first, almost everyone I come into contact with in the Liberty community, absent those with serious .mil backgrounds requiring at least a primer in tradecraft, have no idea what they’re actually doing. That statement is not meant to deride, far from it; its simply the truth. When it comes to communications, most are looking for a replacement: a methadone for a heroin addiction, if you will- to their incessant need for a phone. This is especially true when it comes to the instant gratification of messaging. I’m reminded of Russell Crowe’s line from a movie long since memory-holed, Body of Lies, saying “we just need al Saleem on the phone. Langley’ll do the rest.”
And they did.
Signal, as a software, does what it claims to do. On top of that, the source code for the app is open source and subject to anyone’s audit or modifications, should your skillset include the expertise in that area. And should you have that level of ability, you can even modify it to suit your needs running a code off the beaten path while still utilizing Signal’s network. It is end-to-end encrypted, after all. And what exactly does that mean? It means that the administrators can see that someone is accessing the network, but not what is being passed along it, much the same way that TOR actually works. Even with audio calls, the system does what it claims to do.
So let’s discuss the actual vulnerability in question.
According to documents filed by the Department of Justice and first obtained by Forbes, Signal’s encrypted messages can be intercepted from iPhone devices when those Apple devices are in a mode called “partial AFU,” which means “after first unlock.”
When phones are in partial AFU mode, Signal messages can be seized by federal authorities and other potentially hostile interests. GrayKey and Cellebrite are the tools typically used by the FBI to gain this sensitive information, an expert has explained.
“It uses some very advanced approach using hardware vulnerabilities,” said Vladimir Katalov, who founded the Russian forensics company ElcomSoft, believing that GrayKey was used by federal authorities to crack Signal.
So its not the app after all, but rather the hardware’s setting. A vulnerability which, since its a hardware exploit, likely applies to every messaging app. So tradecraft, or the lack thereof, is the heart. As per the usual. And the hardware in question is the hipster device of choice, an Apple iPhone. Shocker. But I thought Apple prided itself on user security?
Maybe at one point. But clearly no longer. Must be all that CCP money. And the real kick in the groin is that (shocker, again!) the FBI (or any other domestic security agency) can get into your phone without your handy little thumbprint. And just because they didn’t mention Android, don’t think its not every bit as vulnerable. It is.
So let’s talk about how to mitigate it.
First, understand the levels of data collected from cellular devices. I’ve discussed this ad nausem in the past. Your phone is constantly tracking you, no matter what you do absent putting it in an EMP bag, and if you cannot fully comprehend this reality then you’re really, really far behind the power curve. The lone answer is moving to using wi-fi only mobile devices for communications using open source apps. Wifi is common enough even in rural areas and if the technology is beyond you, so is your usefulness in a direct action cell.
Second, understand how to properly message people. The magic blanket of encryption may conceal our message but it neither conceals our presence nor our patterns of life- and in particular, who’s being messaged. This requires first discipline, and second, a pre-arranged (and trained on) code. One Time Pads work quite well, but a pre-configured Trigram or Brevity matrix works as well. On top of that, messages should be set to delete after a short period of time. Signal enables this, and if the message is important (it should be if you’re using Signal to send it), write it down. Clandestine messages are usually one-way as it is, requiring no overt response. Or if a response is necessary, respond through another backchannel (the same way I teach communicating on two different frequencies simultaneously in the RTO Course). Further, group messages of any more than two individuals is an instant non-starter. This violates even the most basic rules of clandestine cell organization and why Liberty groups feel the need to broadcast everything to everyone, I’ll never understand. Maybe you’ll learn one day. Domestic Black Sites are real.
Last, what you’re using as a so-called daily driver, ie your surface phone, is absolutely not used for this role. One of my own personal objections to Signal is and has always been the requirement of a phone number for registration. My Sudo allows us to bypass this by generating another phone number, but alternative apps such as Wire and Threema register via an email account…far, far better. And on that note you did install it on your own, absent Google play, correct?
So with that said, what do I think of this so-called ‘compromise’? It think its a smoke screen for CCP / Apple to keep their own compromise hidden in the details, as well as a smoke screen for disgruntled feminist intersectionalist IT workers behind the scenes at Signal unhappy that anyone other than AntiFa degenerates and washed up Agency Spooks would be using their app. For me, Signal is the C in my PACE plan- the ability to contact those using cell phones from my own wifi device, should the need arise. I don’t hang my hat on its ability outside my control. Neither should you. And the fact that a lot of people in this community do underscores just how behind the curve some of the louder voices really are. No matter what you’re doing, the correct answer is always using open source systems, have a PACE plan, follow the Moscow Rules and if there’s any doubt, there is no doubt.
Share This Story, Choose Your Platform!
6 Comments
Comments are closed.
Thanks for helping clarify some of this. Here on the ranch was -15F so indoor time to read about this. Couple of things helped me as I am a novice in terms of security hardware/software. From the goTenna forum which is a mesh messaging device:
“ I am not a employee of goTenna. Your message here gets it where they can view it.
Tactical grade encryption is neither good or bad. It simply reflects the fact that all encryption systems are subject to attack and being broken. The amount of resources, skills and time required to break them varies.
Tactical grade means that the system is secure enough for day to day use. Even if broken, it will take enough time that the facts revealed will no longer have much relevance. For example, where you’re at and what you’re doing might provide info to your disadvantage if it was transmitted in the clear today. Tactical grade encryption makes sure the key is long and complicated enough that time will pass to the extent that action could no longer be taken based on the info revealed if decrypted. In most cases, even state level actors would be slowed or stymied in using such info if protected by tactical grade encryption.
High level (or strategic) encryption has keys and other attributes that could take years and/or require high level resources (like extended/extensive processing power on computers) typically used by nation-state actors to successfully attack. This tends to discourage even mounting such attacks unless there is other info pointing toward its value.
Users of secure systems should never make the mistake of thinking that the immediate security provided is eternal. It’s not. Even if difficult or impossible to currently break, there are always new approaches to breaking codes, so that recordings of encrypted data can be mined later in case that is necessary. If there is something embarrassing, indictable, or troublesome you would not want revealed, then you should think very carefully about discussing it even on relatively secure systems. Only the user can make those choices, so it’s good to keep that in mind when you communicate. A secure system is not a Get out of Jail Free card, so don’t communicate over it like it is or you may regret it.”
Have been using goTenna for messaging on the ranch and with relay nodes (mountain area) will sprread it to other nearby ranches. Itself uses 384 bit encryption.
Interestingly on the goTenna forum there are some threads discussing integration of goTenna with Signal. Need to try to wade thru that today with the idea that by merging goTenna and Sugnal plus using disappear messaging we move from tactical to higher level encryption
Harsh, but true. Keep them coming.
Ok how does one expel Google from an android???
Root the phone. I talked about this in Radio Contra 46.
I’m working on building a pbx/sip server behind a tight firewall on the internet, only accessible via VPN to the firewall, with encryption keys.
Running FreePBX & creating “internal” extensions that a IP/SIP Phone or ATA can connect to remotely from anywhere & place phone calls to other “internal extensions”, complete with voicemail boxes & all. I realize this can’t be utilized for everyone, but it’s a project I’m working on for our group & maybe a few others. Anyone with the tech knowledge can set this system up.
Basically, internet traffic looks like a SSL connection to a banking site. VPN tunnel, VoIP traffic passes thru the tunnel & able to ring other local extensions on the same server. Kind of a dead drop of sorts.
Anywho, I heard a lot of hype over Signal & saw that the core was physical hardware access/vulnerabilities & not necessarily the software itself. I think it’s a coordinated attack to get some of us off & on to other less secure platforms. But like you said, Signal shouldn’t be our primary in our clandestine comms plan anyhow.
[…] though there has been a lot of hubbub about Signal being compromised, this only happens if your phone is taken from you and an incredibly powerful code-breaking […]