Popular messengers claim that nobody can read your private correspondence and that it is safe to use them. But is that true? Digital safety consultant Nikolai Kostianin tried to find out for us.
After Telegram accounts of Russian opposition figures were hacked by a third party who obtained the SMS confirmation code, we decided to run an experiment and find out whether secure messengers such as Signal, WhatsApp and Telegram are protected against this kind of attack. Based on the results of the experiment, we offer some advice on how to protect user accounts.
By stealing an account we mean the attacker gaining access to the victim’s account, either at the same time as the victim (both have active sessions) or instead of the victim. In other words, the attacker has registered, activated or logged in to Signal, WhatsApp or Telegram on your behalf and can write messages or call other users from your account.
So, if the attacker is able to receive messages instead of the account owner, or simultaneously with him:
- Will he be able to steal the user’s account in Signal, WhatsApp or Telegram linked to that phone number?
- Can the user prevent the theft of his account using the apps’ built-in means?
- What information will be available to the attacker (contacts, correspondence, call history)?
- Will the victim find out that his/her account has been hacked?
- If the attacker writes something on the victim’s behalf, will the other party be able to tell that the account is stolen, or that something is wrong?
Here are the results of the experiments:
“Secure” messengers: what happens if the attacker gets control over the user’s messages:
In our experiment we used a Google Nexus 5X smartphone running Android 6.0.1, a Nokia 1280 to receive messages, and an iPhone 4s running iOS 9.3.1.
The attacker gets access to messages and steals the account
First, it is important to understand what is needed for authorization: either an active SIM card in the device at the moment of authorization, or access to the message content by any means, with the confirmation code then entered manually.
So the attacker has already installed all the messengers on his smartphone, but he doesn’t have the victim’s SIM card in his phone. The SIM card is in the Nokia 1280.
The attacker enters the victim’s mobile number and tries to log in to the app.
WhatsApp allows the confirmation code received in a message on the Nokia to be entered manually, and the attacker successfully hacks the victim’s account.
Telegram allows the confirmation code to be entered manually, and the attacker successfully hacks the victim’s account.
Telegram with two-factor authentication also allows the confirmation code to be entered manually, and the attacker successfully hacks the victim’s account (more details in the section on inefficient two-factor Telegram authentication).
Signal does not allow the confirmation code to be entered manually on Android, but it does on iOS (read below). On Android the app expects the SMS code to be picked up automatically, or verification by a call. If you try to forward the message received on the Nokia to the Android phone, Signal won’t recognise such a message.
If the attacker can receive the victim’s call, a robot will dictate the confirmation code, and Signal on Android will offer to enter the code manually. So Signal on Android will not allow a confirmation code from a message to be entered manually, but the attacker can do it by entering the code dictated by the robot.
If the attacker can’t receive a call, there is another option: trying it on an iPhone instead of Android. Signal on iPhone allows the code to be entered manually, and the message looks different:
For this we needed an iPhone. Further on in the experiment we used Android for convenience (we registered via a call to the Nokia 1280).
As a result, with the messengers’ default settings, if the attacker gets access to the victim’s messages, he can steal the user’s account in any of the messengers. He doesn’t even need a SIM card with the victim’s phone number; all he needs is the confirmation code from the victim’s message, which he can enter manually in the messenger.
What kind of information will be available to the attacker?
- WhatsApp: no information, empty account.
- Telegram: all contacts and all correspondence from normal chats, but nothing from private chats.
- Telegram (if two-factor authentication is on): no information, empty account.
- Signal: no information, empty account.
Will the victim get to know that his/her account is hacked?
WhatsApp: the victim sees a notification that the phone “could not be verified”, because this phone number was registered on another device. In WhatsApp only one device can be registered (activated) at a time (except the web version, which is a separate way into the system).
WhatsApp will offer the victim to verify, that is, to activate the app on his/her phone again. If the victim is able to receive messages on his/her phone, he/she will be able to verify; in that case the attacker will be logged out (the account on his phone will be deactivated). The attacker cannot use the account simultaneously with the victim:
Telegram: the victim sees a notification that his/her account is being used on another device, instructions on how to terminate the Telegram session on the attacker’s device, and a suggestion to turn on two-factor authentication. Before that the victim will also receive the login code: when a login is attempted on another device, Telegram first sends a service notification with the code to the other devices, and only then (if one presses «Didn’t get the code?») sends the code by SMS:
Telegram with two-factor authentication on: the victim sees the app as it looks right after installation. A welcome screen describes the app and offers to register or log in to an account:
Signal: the victim will not notice anything, but he/she will not be able to send messages. On trying to send a message, the victim will see an error notification:
Tapping for details, the victim will find no explanation of why the message can’t be sent, just «Failed to send». Moreover, a «RESEND» button, which simply does not work, may only confuse the victim:
Signal, like WhatsApp, allows only one app to be registered per phone number (except the web version, which is a “linked” device rather than a separate main login into the system); you can read about it on the developer’s website.
So when the attacker steals the victim’s account, Signal stops working (it goes “offline”) but, unlike WhatsApp, it does not inform the victim; instead the victim sees an “error” when trying to send a message. These errors look the same as when the user has no Internet access.
For comparison: if a WhatsApp user had his account stolen, he would not see his chats, contacts or call history, nothing except the word “VERIFY”. The situation would look the same as if he had just installed WhatsApp on his device. A Telegram user with two-factor authentication whose account was stolen is in the same situation: as if he had just installed Telegram on his device.
If a Signal user had his account stolen, he could still open the app, look through his correspondence, contacts and settings, write new messages and try to send them, without result.
If the attacker writes something on the victim’s behalf, will the other party be able to tell that “something is wrong”?
WhatsApp: with default settings the other party won’t notice anything. But if he has turned on «Show security notifications» (Settings => Account => Security => Show security notifications), he will see in the same chat that his contact’s “security code” has changed:
If he taps this message, he will see more details: that perhaps the contact reinstalled the app on his phone or changed phones; he will also be offered to verify the contact’s new app:
Telegram: the other party will just see one more private chat. He may or may not be concerned: it is quite a usual situation in Telegram for the same contact to create a new private chat, and there can be many of them. The other party won’t get any special notification about it:
Telegram with two-factor authentication on: the other party would see that the victim registered in Telegram again (joined Telegram). Later, in 12-16 hours, the notification «Deleted Account» would appear in previous chats:
Signal: the other party will see, in the same chat, a notification that a message with an unknown identity key was received. To read the message, he will need to tap the notification:
When he taps the notification, the app will make him either verify the new key or simply trust it and accept it without any further check. As a rule, most users do just that: they accept the new key without checking.
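As an added illustration (not part of the original article, and not code from Signal or WhatsApp), the following Python models the contact-side behaviour described above for Signal’s “unknown identity key” and WhatsApp’s “security code changed” notifications: the app pins the first identity key it sees for a phone number and flags any later change, and only an out-of-band fingerprint comparison tells a reinstall apart from a re-registration with an intercepted code. The `Client` class, the `fingerprint` digest and the sample keys and number are constructed for this example; the digest is not the real safety-number algorithm.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    # Six 5-digit groups in the style of a safety number. Constructed for this
    # example: NOT Signal's or WhatsApp's real safety-number derivation.
    digest = hashlib.sha256(identity_key).digest()
    groups = [int.from_bytes(digest[i:i + 4], "big") % 100000 for i in range(0, 24, 4)]
    return " ".join(f"{g:05d}" for g in groups)

@dataclass
class Client:
    pinned: dict = field(default_factory=dict)   # phone number -> identity key
    verified: set = field(default_factory=set)   # numbers checked out of band

    def receive(self, sender: str, identity_key: bytes) -> str:
        known = self.pinned.get(sender)
        if known is None:
            self.pinned[sender] = identity_key      # first contact: pin silently
            return "ok"
        if known == identity_key:
            return "ok"
        # Key changed: reinstall, new phone, or a re-registration with an intercepted code.
        self.verified.discard(sender)
        return "identity-key-changed"

    def accept_new_key(self, sender: str, identity_key: bytes, out_of_band=None) -> bool:
        # out_of_band: fingerprint obtained from the real contact over another channel.
        # Without it the new key is accepted blindly, as the article says most users do.
        if out_of_band is not None and out_of_band != fingerprint(identity_key):
            return False                             # mismatch: keep the old key
        self.pinned[sender] = identity_key
        if out_of_band is not None:
            self.verified.add(sender)
        return True

# Constructed sample values standing in for real identity keys and a real number.
VICTIM_KEY = b"victim-identity-key-constructed-sample"
ATTACKER_KEY = b"identity-key-after-reregistration-constructed"
NUMBER = "+10000000001"

def run_scenario() -> dict:
    contact = Client()
    first = contact.receive(NUMBER, VICTIM_KEY)
    after = contact.receive(NUMBER, ATTACKER_KEY)
    # Checked against the fingerprint the contact got from the victim in person:
    verified = contact.accept_new_key(NUMBER, ATTACKER_KEY, fingerprint(VICTIM_KEY))
    blind = contact.accept_new_key(NUMBER, ATTACKER_KEY)   # what most users do
    return {"first": first, "after": after, "verified": verified, "blind": blind,
            "trusted": contact.pinned[NUMBER], "is_verified": NUMBER in contact.verified}
```

The scenario shows that the warning itself is sound: the blind accept succeeds and silently pins the attacker's key, while the out-of-band comparison rejects it.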