back to article 1,900 Signal users exposed: Twilio attacker 'explicitly' looked for certain numbers

The security breach at Twilio earlier this month affected at least one high-value customer, Signal, and led to the exposure of the phone number and SMS registration codes for 1,900 users of the encrypted messaging service, it confirmed. However, Signal – considered one of the better secured of all the encrypted messaging apps …

  1. Doctor Syntax Silver badge

    How do you choose a Cloud Security Provider?

    Really?

  2. Anonymous Coward
    Anonymous Coward

    As Wikipedia would say…

    > Signal – considered one of the best secured of all the encrypted messaging apps

    By whom? I certainly don't consider a platform where I can be looked up by anybody in a position to know my phone number to be "secure" in any way that is useful to me.

    I note that, cleverly, they don't make any explicit claims to the effect of being "most secure". I only hear that from journalists and people repeating what they read on the news.

    I would ordinarily suggest to provide a source for the claim that it is "one of the best secured of all the encrypted messaging apps". But that is logically true (there is even an XKCD about things being "one of the <insert superlative>").

    (Totally expect down votes for pointing out that the emperor has no clothes)

    1. Doctor Syntax Silver badge

      Re: As Wikipedia would say…

      I think your downvotes might be for not having researched how it actually works.

      1. Anonymous Coward
        Anonymous Coward

        Re: As Wikipedia would say…

        > I think your downvotes might be for not having researched how it actually works.

        I think you might be rather mistaken.

        Feel entirely free to enlighten me though, as an activist in the Catalan independence movement (though not a Catalan myself) I have a vested interest in the matter and I'm all ears. :)

        1. Anonymous Coward
          Anonymous Coward

          Re: As Wikipedia would say…

          Could it be the case that some folks think you are incorrectly conflating security and anonymity?

          1. Anonymous Coward
            Anonymous Coward

            Re: As Wikipedia would say…

            > incorrectly conflating security and anonymity

            Oh, that's a novel one. I hadn't heard that one before from the Signal fanboys club.

            1. ThatOne Silver badge

              Re: As Wikipedia would say…

              Yet it is true. "Anonymity" = people not knowing who you are, "security", as Signal understands it, = two persons can exchange messages nobody else can snoop upon. Those can be totally legit messages (lawyers, journalists, top managers, a lot of people have the need to keep totally legal secrets).

              If you've got my phone number you can see I'm on Signal, which doesn't bother me the least, much like it probably doesn't bother you if people know you're on some social media. I'm not using Signal to hide, but to communicate in a private manner.

              Now if you're trying to remain invisible to the authorities, you wouldn't want to use any networked device anyway. No phone (of any description), no Internet, nothing. As already stated, Signal is not an anonymity tool, it's an encrypted communications tool.

              1. Anonymous Coward
                Anonymous Coward

                Re: As Wikipedia would say…

                > Yet it is true

                I know that very well.

                > Now if you're trying to remain invisible to the authorities, you wouldn't want to use any networked device anyway. No phone (of any description), no Internet, nothing.

                That is precisely my point.

                > Signal is not an anonymity tool, it's an encrypted communications tool.

                Like every other instant messenger out there nowadays.¹ Yet this one is hailed as being somehow "more secure" than say WhatsApp, when it's pretty much the same thing, save that Facebook use their own servers as opposed to AWS. If anything, as a non US person I'd probably go with something like Wire if I had a need for this kind of thing. And even that is inadequate.

                It pains me that I see people almost every month thinking that they can magically be safe from threat to their liberty by using this crap, misled by what they read online and signal's irresponsible attitude in failing to set the record straight as to the limitations of their product.

                > to communicate in a private manner.

                I'd change that to "end to end encrypted manner" if I were you. Meaningful privacy takes a lot more than that. Starting with not grabbing my phone number for no good reason at all.

                Anyway, your points are valid and you're trying to be helpful.

                ¹ cue the fanboy club taking the "but telegram groups are not encrypted by default" / "you can disable E2EE in XMPP” card out of their Rolodex (you can also send and receive unencrypted SMS via signal).

  3. Anonymous Coward
    Anonymous Coward

    How can be…

    …something where your phone number is your ID be presented as a tool suitable for use by such people as whistleblowers and dissidents?

    What's worse, I understand that it *requires* you to have it installed on a mobile phone for it to work, even though (so I understand) there is also an Electron (yes, Electron) client available. A mobile phone is almost by definition an eavesdropping device, for Torvalds sake!

    1. Doctor Syntax Silver badge

      Re: How can be…

      You do realise, don't you, that a burner phone can be used for registration? Viewing the YT videos on how to do this might be educational.

      1. Anonymous Coward
        Anonymous Coward

        Re: How can be…

        > a burner phone can be used for registration?

        As respectfully as I can muster, you do realise that that is a remarkably idiotic proposal, do you?

        Burner phones can be used, but the logistics are non trivial (beyond the practical means of one individual), they're still traceable to someone in the end, and then it's only a matter of pulling the thread. It has been done, but then you might as well use WhatsApp, or telegram, or a private XMPP server, or a matrix room, or Mattermost, or Briar, or…

        And importantly, a burner phone has a very short lifetime (hours, during the Catalan referendum), not practical for continued use. And it's still a phone. Three words for you: Pegasus, game over.

        Please do not talk about things you have no experience with. There have been people who have followed misguided "advice" and ended up in jail or in exile.

        As for that signal application, they're clearly very good at marketing, seeing how vocal a fanboy club they have.

        1. fuzzie

          Re: How can be…

          Or VoIP, or a Google Talk or Skype or even a landline number. The number needs to be capable of receiving either an SMS or a voice call during the minute or two of registration so that you can get the activation code. After that, despatch of it in your favourite manner. You won't need it again.

          Yes, there are oodles of other wannabe options, but at least, compared to others, Signal have gone to great lengths to have their technology and architecture independently reviewed and evaluated. That doesn't mean it's perfect, but at least they're trying harder than most.

          The XMPP crowd also had it audited before they decided to adopt it

          > https://conversations.im/omemo/audit.pdf

          1. Anonymous Coward
            Anonymous Coward

            Re: How can be…

            > The number needs to be capable of receiving either an SMS or a voice call during the minute or two of registration

            Why on Earth would I do that???

            Just let me choose my own ID, or generate a random one for me. It's not like I'm going to be any more inconvenienced than myself and my entire network of contacts having to procure ourselves burner phones (or synthetic equivalent, also traceable).

          2. Anonymous Coward
            Anonymous Coward

            Re: How can be…

            > The XMPP crowd also had it audited before they decided to adopt it

            The XMPP crowd these days are a bunch of freelance devs, a few students / recent graduates, a sysadmin, and a couple of others. I know a few of them.

            The days of corporate participation, funding and stewardship are well and truly gone (to the extent that they ever were, with the exception of Cisco).

            The reason for OMEMO adoption was because people were asking for it (including some of the XMPP devs). At least one of the guys who worked on it is competent at cryptography (IIRC the OMEMO implementation was his master's thesis, it's available online if you can read German). Still, I won't use OMEMO on XMPP, preferring OX instead.

            If you are a perceptive person, you will note that XMPP does not require a phone number "for activation" (rolls eyes) or any other personal data at all from you, and *both* clients and servers are truly open source (signal's server is not) and you can run the lot on the infrastructure of your choosing, unlike signal, which runs on AWS in the US and over which you have no control whatsoever. It does have a whole other set of issues, mind.

        2. djack

          Re: How can be…

          You only actually need the phone for initial registration. Signal send a single SMS for 'verification'. After that, as long as whatever client you are using doesn't lose it's authentication data, you don't need to touch or use the phone again.

          1. Anonymous Coward
            Anonymous Coward

            Re: How can be…

            > You only actually need the phone for initial registration.

            Please explain why should I need a phone at all, again?

    2. ThatOne Silver badge

      Re: How can be…

      > a tool suitable for use by such people as whistleblowers and dissidents?

      As I said above, Signal isn't a suitable tool for people in the "Enemy of the State" profession, simply because if the authorities are out to get you, you should not (as in "not at all") use any electronic means, including but not limited to any kind of telephone, and obviously Internet. Yes, sorry, no cat videos...

      Simply because the authorities can monitor electronic networks so darn easily they are bound to get you, no matter what. At this point it doesn't really matter if your name is visible, it's trivial to find out who you are. Remember, if Osama bin Laden managed to stay alive that long it is only because he never ever used anything electronic.

      1. Anonymous Coward
        Anonymous Coward

        Re: How can be…

        And as I said in my reply to you, I know that very well.

        Now perhaps you would like to tell that to the likes of Mr Snowden:

        https://nitter.net/Snowden/status/661313394906161152

        (Note the replies below, along the lines of "if he uses it I'll use it too". I have to put up with that way more often than I'd like to)

        Btw, some of my messages are already in the hands of the Spanish police(?) thanks to someone being a bit careless about clicking on links. Nothing relevant and I'm already known to the Dagos, but hopefully illustrates that I have good reason to be security aware.

  4. drand
    Facepalm

    Do as I say, not as I do

    A company that provides 2FA services does not require its own employees to use 2FA when logging in/changing passwords. Peak tech company.

    1. iron Silver badge

      Re: Do as I say, not as I do

      If you read earlier stories that went into more details about the Twilio breach you'd know they do use 2FA.

      The note about Cloudflare is because they use hardware keys, not an app or SMS for 2FA.

  5. Nifty Silver badge

    Those three 'searched for' numbers

    Would have been the 'proof of concept' numbers already owned by the hackers to check it was all working as expected...

    It's intriguing that Signal seems to know for sure which 1,900 numbers got their details stolen, and that no others have been. If Signal can manage all that, how come it can't secure the database in the first place?

    1. Mishak Silver badge

      Re: Those three 'searched for' numbers

      "the organization has since received a report from one of those three users that their account was indeed re-registered".

      Wouldn't it be strange for a hacker to report a successful hack to Signal?

      1. Anonymous Coward
        Anonymous Coward

        Re: Those three 'searched for' numbers

        > Wouldn't it be strange for a hacker to report a successful hack

        There are show offs in every walk of life. :P

    2. RedeemRed

      Re: Those three 'searched for' numbers

      Because twilio is the one at fault here, not signal (as far as I can tell).

      1. Anonymous Coward
        Anonymous Coward

        Re: Those three 'searched for' numbers

        > Because twilio is the one at fault here,

        Can you explain, if you cared about security (as opposed to, say, building a walled garden), what would you need someone's telephone number for?

        You can have security (for some definition of security¹) or convenience. Very rarely you can have both.

        ¹ Please note that messaging applications that are serious about security publish their threat model, so that people can see what they're secure against and under what conditions. May I remind you that the definition of security ("safe from threat or danger") is a relative and requires you to know what threat you're trying to protect from?

        1. ThatOne Silver badge
          Stop

          Re: Those three 'searched for' numbers

          > requires you to know what threat you're trying to protect from?

          Indeed, and Signal protects you from other people reading your messages, nothing more, nothing less.

          They never ever claimed it will make you invisible to The Man, undetectable and invincible.

          Which is why nobody here understands your raving tantrums. You really need to take a big breath and put some order in your thoughts. Signal was never what you apparently imply it should have been. I don't know where you got this ridiculous idea from, but it's wrong, cope with it.

          (Didn't downvote you though.)

          1. Anonymous Coward
            Anonymous Coward

            Re: Those three 'searched for' numbers

            > and Signal protects you from other people reading your messages

            Doesn't. Funny you should mention that, because I made this very point some time ago by quoting from someone's Signal messages. :)

            Nothing sophisticated: I unlocked the person's phone, opened the application, took a couple of pics with my own phone and transcribed the messages some time later, just to illustrate the finer points of "end to end encryption ends at your and your contact's devices". Amazingly, some otherwise intelligent people doesn't realise how trivial it is nowadays to bypass communications (and some at rest) encryption.

            And it's not just what's being taken off your device, also what goes in it. Which is why you never accept to take possession of an electronic device that's been out of your sight, for instance at customs and immigration.

            > Signal was never what you apparently imply it should have been

            I don't imply anything. Simply look at what people's impression of signal's capabilities are, and now imagine that some of those are friends and acquaintances of yours putting themselves objectively at risk through these terrible misconceptions. Even in this thread you have idiots suggesting that you should just watch a couple of YouTube videos and then go off and buy your "burner" SIM and that's the end of your worries.

            You do make good points but here you failed to realise that other people may not be educated as yourself when it comes to IT security.

            1. ThatOne Silver badge
              Facepalm

              Re: Those three 'searched for' numbers

              > I unlocked the person's phone, opened the application, took a couple of pics

              Objection: Signal has password protection (to open it), it's obviously not Signal's fault if your "victim" left his/her confidential information in the open. Not to mention that if you're really paranoid, Signal can be told to self-destruct messages once read. For all those reasons this example is a non-issue: Nothing offers 100% idiot-proof security, if the user is stupid you will always be able to get to their information somehow.

              .

              > friends and acquaintances of yours putting themselves objectively at risk through these terrible misconceptions

              Well, sorry, I don't have "friends and acquaintances" in the organized crime business, so Signal is safe enough for them. Worse thing which could happen to some of them is that rather confidential information leaks, which would be bad but far from go-to-jail-level devastating.

              You accuse Signal of not working effortless miracles. Sorry, but if for whatever reason you're on the run from the authorities, you need to make some efforts yourself. Using Signal won't prevent stupid.

        2. Red~1

          Re: Those three 'searched for' numbers

          I was mainly responding to the above comment about "how come it can't secure the database in the first place?" - because it was not signal's database to secure.

          Regarding your comment, ThatOne summed up my thoughts pretty well, so I won't repeat them.

          1. Anonymous Coward
            Anonymous Coward

            Re: Those three 'searched for' numbers

            > because it was not signal's database to secure.

            It was their data and therefore their responsibility.

            But then again, the signal guy has a habit of dressing in Teflon, going back to his googlesharing days (gave false info to the domain provider, then complained to his journo friend when he got taken down, who wrote an obsequious article about how it was all the provider's fault).

            Or when someone spotted that his "secure" application was spitting out every message sent and received to the Android debug log. His reaction: threatened F-Droid (run by a thoroughly decent bloke) if they didn't pull his piece of wank of an application (that's why to this day you can't find it there).

            His (at one time, not anymore) "open source" server? Yes, you can use it, just don't try talking to our own server (walled garden).

            His "open source" client? Same. He spouts some bullshit about "security" as if he was magically to be trusted instead of anyone else. Same as during Google sharing (a Google proxy he ran for a bit).

            His double ratchet implementation? Yeah, it's "open" and free for everyone to use… but no derivative works, thank you (again, he claims that it's "because security"). Oh! And did I forget to mention that trademarked constant?

            His talk at 36C3, where he got taken to task by the always frank and knowledgeable audience? Taken offline after he threatened to sue (you can still find it if you know whom to ask, at one point it gets quite pathetic when he runs out of excuses).

            The Facebook ad that wasn't?

            I wouldn't mind signal's shortcomings so much if there wasn't such a shady character behind it.

            Their funding runs out in about for years at the current burn rate, let's see what's going to be their exit (the crypto thing didn't go down too well), but that's the reason for all the excuses about phone numbers and server expenses and code quality: walled garden → captive audience → profit. Nothing wrong with that but be honest about your motives.

            All of the above is perfectly Googleable if you haven't been paying attention these last few years. Save for 36C3 where he ran out of Teflon, there is always a picture perfect excuse as to why it's someone else's fault.

            Even if that someone is a volunteer developer with a special needs person under his care.

      2. fuzzie

        Re: Those three 'searched for' numbers

        Indeed, Twilio was the weak link here. Signal hashes contact numbers for matching. That way they can match contacts' from different users by number, but without knowing what the actual numbers are. They can only tell it's the same number.

        > https://signal.org/blog/private-contact-discovery/

        But, in order to do the initial registration/activation of your Signal installation, you need an activation code through some out-of-band channel. That's where Signal have to give your number (and only the number from where you're activating) to Twilio to send the activation code. Subsequent to that, I don't think they ever need the number. It's purely for the bootstrap.

        > https://signal.org/blog/change-number/

        I suspect, that's how they detect device changes to alert you that your chat buddy changed devices and that you should confirm their identity before continuing your conversation.

        1. Anonymous Coward
          Anonymous Coward

          Re: Those three 'searched for' numbers

          > I suspect, that's how they detect device changes to alert you that your chat buddy changed devices

          You suspect wrongly. It's because the device keys will have changed (Axolotl, their implementation, authenticates devices, not users).

          This "secure" application using TOFU, you can be certain that people will just click through the warning without giving it another though.

          Even Conversations has a better implementation, in that regard (it will get very annoyed if the first key authentication was done via QR code and you subsequently use TOFU).

          Briar, which uses a completely different approach won't even let you exchange messages unless you've authenticated each other's keys in person (via QR, Bluetooth(?) or NFC). Yes, you can scan the QR and send it to the other party, but then that's your (mutual) problem. There's only so much the software can do to stop you shooting yourself in the foot.

          As for Signal, the only possible reasons for keeping your phone number¹ (and as from a recent update, other data) are commercial. Nothing to do with security, especially not yours.

          ¹ It doesn't matter whether it's the actual number or a hash thereof (same as WhatsApp). You're still identifiable, as academic research in pseudo anonymisation will show.

        2. Anonymous Coward
          Anonymous Coward

          Re: Those three 'searched for' numbers

          > But, in order to do the initial registration/activation of your Signal installation, you need an activation code through some out-of-band channel.

          Only because they *chose* to do it that way. They could have just asked you to choose your own username (à la email or XMPP) or assign a random identity (Briar), but they consciously made a decision to have you provide your phone number.

    3. DS999 Silver badge

      That's the best case

      More likely they had certain people targeted, and you can assume it was not for a good reason.

      It would make sense to toss in some randos to obfuscate their actual target(s) and any relationship between them there might be, to make it look like a test or script kiddie games.

      Some of those people targeted will have cause to lose sleep, or may end up in a permanent sleep, depending on the reason they have been targeted and by whom.

      Best case it is trolls or griefers wanting to harass people they feel have "wronged" them online. But it could be a government looking to crack down on dissidents, or criminals trying to track down and kill someone who robbed them.

    4. Anonymous Coward
      Anonymous Coward

      Re: Those three 'searched for' numbers

      > It's intriguing that Signal seems to know for sure which 1,900 numbers got their details stolen

      Especially when they claim not to keep a record of your phone number.

      Which is probably true: they get Twilio to keep it. :)

    5. ThatOne Silver badge

      Re: Those three 'searched for' numbers

      > It's intriguing that Signal seems to know for sure which 1,900 numbers got their details stolen

      Somewhere in their computers there has to be an entry like [phone number # = valid], with an associated time stamp, so it's easy to know who applied for registration in those last days. If your entry is older, you're not affected. And that entry must exist, it's your entry key to the Signal system after all.

  6. Anonymous Coward
    Anonymous Coward

    STOP USING SMS FOR MFA.

    There are 1-5 code line changes that can replace SMS with something that is fast, easy, and doesn't require and active cell connection for almost every platform and application. They are vulnerable to none of the following: ss7 attacks, carrier and retail store level social engineering attacks, stingrays, sim cloning, and letters from your local evil government/law enforcement agency with or without accompanying gag orders.

    We need to just make SMS authentication illegal. There is zero benefit to us to try fix it(again, and again after that), and the carriers have been screwing us for years, so to hell with them and companies like Twillio that are skimming a profit as middle men. The only reason companies STARTED using it was it allowed the industry to steal your cell number. TOTP and hardware tokens already existed before SMS was broadly adopted.

    1. Anonymous Coward
      Anonymous Coward

      Re: STOP USING SMS FOR MFA.

      Up voted because your argument against SMS as a second (let alone first) factor is entirely valid. But please note that Twilio was just another link in the chain, also comprising AWS (where the data is stored) and various telecom carriers. The attack could have happened at any point along the way.

      The question is, who asked for those numbers and what for?

    2. sten2012

      Re: STOP USING SMS FOR MFA.

      Illegal seems overkill. Its preferable to single factor considering you mention mfa.

      In these apps cases it's usually SMS being a single factor rather than a part of mfa is a big problem, but even then still better than Password1 for most users.

      Perfect is the enemy of good and all that.

      1. ThatOne Silver badge

        Re: STOP USING SMS FOR MFA.

        Indeed, I was recently guiding (over the phone) a family member (older, not tech oriented) in another country to install Signal on her phone. The simple SMS validation part already confused her to no end, because the SMS never came (as we later discovered she had mistyped her number). I don't want to imagine how something more technical/involved would had played out.

        Signal is a tool for people of all horizons, not only for IT specialists, so it needs to remain accessible.

        Let's not overstate the gravity of this hack BTW. After all, Signal always gives a warning if a correspondent's phone has changed, it's up to you to check if it's because he bought a new phone or because he got hacked.

  7. Anonymous Coward
    Anonymous Coward

    Curious About The Discussion About Burner Phones....

    (1) (Obviously) if a burner is used to communicate widely, then the social network of the burner owner will eventually help to identify the burner owner.

    (2) If the burner is only used to communicate with other burners.....

    (3) If the burner is almost always switched off, and is only used for the time needed to get the Signal SMS (and similar short duration needs)....

    (4) Note that item #3 means that cell phone tower locations probably give very little away too

    (5) If the burner is never used in the view of CCTV.....

    (6) If the burner is never used close to the burner owner using a credit card....

    (7) If the owner destroys the burner.....and starts using.....another burner....

    So....when items #2 through #6 are the normal procedure for the burner owner, then although the snoops can still track the metadata, and they can still see the traffic......they will still have real problems matching the burner to a real person. And although the burner TRAFFIC CONTENT may not be PRIVATE (but see item #8), the identity of the owner may be ANONYMOUS....and then the owner performs item #7!!!!

    (8) By the way, it's quite possible to use private encryption (off line) BEFORE a message is entrusted to any public service. That way, when the snoops use their secret "backdoors" into E2EE services.....all they find is more encryption!!

    Quote (William Burroughs): "The paranoid is a person who knows a little of what is going on."

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like