Hackers are targeting Signal users in an attempt to steal their chat backups as part of a new hacking campaign, according to TechCrunch.
On Wednesday, Washington Post analyst Josh Rogin posted a screenshot of a new kind of attack against Signal users, where hackers pretend to be the app’s support team and warn the target that their backed-up chats and media are “at risk of permanent loss due to a sync issue.” To avoid this, the message said, the target must share the recovery key used to access their online backups in conversation with the hackers.
“This links your existing backup to your account. If you don’t do this, you may lose access to your account and all saved data,” read the message purporting to be from an account called Signal Support.
Rogin said several anti-Chinese Communist Party activists have received this malicious message.
Mohamed Al-Maskati, director of Access Now’s Digital Security Helpline, which investigates cyberattacks against journalists, dissidents and human rights activists, told TechCrunch that two people shared similar messages with him. Al-Maskati said the two are not Chinese activists. This suggests that the hacking campaign could be more widespread and target other communities, or there could be different groups of hackers using the same strategy.
It is unclear how effective the hacking campaign was. Al-Maskati said that stealing the victim’s recovery keys for chat backups is only one step in the attack, and that the hackers still need to gain access to the victim’s account.
Generally, this type of attack relies on phishing the targets, which means tricking them into sharing some important and private information with hackers. In this particular case, hackers pretend to be Signal’s support team to exploit the target’s trust in the app and the organization behind it.
It is important to note that Signal says it “will never reach” users first and will never ask for your registration code, PIN or recovery key. This means that any chat pretending to be from “Signal Support” is actually from malicious hackers. The organization publicly warned about exactly this type of attack last month.
Contact us
Do you have more information about these attacks against Signal users? Or other similar attacks? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram and Keybase @lorenzofb or via email.
While there have been several hacker campaigns impersonating Signal’s support in recent months, this is a new type of attack because it specifically targets backups, which may contain a victim’s past chats, photos and documents.
Previous hacking campaigns targeting Signal users have attempted to hack into a victim’s account and then impersonate them, often with the possible goal of stealing the victim’s contacts or starting conversations with other people as if they were the account owner. In these cases, hackers do not have access to previous messages, as the attacks rely on re-registering the victim’s account on a device they control. Because of the way Signal is designed, older messages don’t show up on the new device.
Hackers can take over Signal accounts, for example, by stealing someone’s phone number. However, Signal offers security features that protect against this attack, such as Registration Lock, which prevents attackers from linking a target’s number to a new device unless they steal the target’s PIN.
In this scenario, one way to view older messages would be to access the victim’s online backup, which requires the recovery key.
Last year, Signal released secure backups, a new option that allows users to upload their account contents to Signal’s servers, encrypted with a recovery key that the organization says is “never shared with Signal’s servers” and “never leaves” the users’ device. Signal says users should store the recovery key safely in a notebook or password manager.
“Without the unique recovery key, no one (including Signal) can read, decrypt or restore any of the data in your Secure Backup Archive,” Signal said.
This means that only the user can access their file in a scenario where they register their account on a new phone, download the encrypted backup from Signal’s servers, and then decrypt it with the recovery key.
Signal did not respond to a request for comment.
