Updated: Feb 25, 2022
I am reminded how popular Signal is every time a friend pops up as “new to Signal” in my mobile app. The acclaim is warranted. If it wasn’t Elon’s endorsement, it is the simple fact that Signal is an excellent end-to-end encryption tool. In fact, at Pathfynder, it is our “go-to” side channel to pass sensitive information with clients.
For the uninitiated, this end-to-end encryption means that messages sent between contacts are not able to be read if intercepted. To read the messages, you would need an encryption key, which means that sensitive information is generally safe to pass over the Signal application.
I say generally because there is one rarely discussed caveat. If an adversary has access to your workstation or mobile device, are the encrypted messages in your Signal database still safe?
Unfortunately, the answer is no. In fact, you might be surprised to know that with one simple line of SQL code, an adversary can decrypt your Signal messages and gain access to the information you hoped to protect. In this scenario, your encrypted messages are no more secure than information stored in a text file on your desktop.
How does this happen?
We raise this loophole not as a knock against Signal. The platform is notable because of its proven track record of being both reliable and trustworthy. However, the reality is, what makes end-to-end encryption possible also allows the adversary to decrypt messages on devices they have compromised.
When Signal is installed to a device, there is an associated configuration file that contains the encryption key for that device. Therein lies the problem. If your mobile device or workstation is compromised, it doesn’t matter that the messages in your Signal database are encrypted. The adversary can pull the encryption key, run one-line of SQL code, and read your messages as though they were written in a text file for all the world to see.
This risk isn’t unique to Signal. In fact, it is present with all end-to-end encryption messaging applications. There has to be an encryption key stored locally for these tools to encrypt and decrypt messages between endpoints. And that means Signal and other encryption messaging tools are not full proof.
The takeaway? If an adversary gains access to your machine, they can use your encryption key and read the messages in your Signal database. Of course, this is also true if someone you are communicating with using Signal is operating on a compromised machine. An adversary can read the message exchange between all accounts on that Signal chat, even if your machine is clean.
Protect the Side Channel and Revisit disappearing messages
There are a few basic steps we can take to reap the benefits of Signal and mitigate the risk of an adversary gaining access to our encrypted database.
The first is to enable disappearing messages. When messages are queried for deletion in this way, they are deleted forever on both the sender and receiver’s Signal database. This distinction is important, because manual deletion on one endpoint does not necessarily mean deletion on another. Once messages are received in Signal, they must be individually deleted by each recipient.
With that in mind, Signal allows for several disappearing time frame options and the selection largely depends on the threshold your situation requires. Generally, we wouldn’t recommend disappearing messages to be longer than a day, but the nature of the conversation should drive the timed deletion threshold. Keep in mind, the clock on deletion begins the moment the message is sent, not received.
The other recommendation to consider is where you have Signal downloaded. Signal is available on mobile and desktop, and while the added convenience of having the application run on multiple endpoints is wonderful, it does increase the likelihood of compromise by giving an adversary additional endpoints to breach.
We are not saying you should avoid downloading Signal to multiple devices if business needs require it. It is just one more point of exposure to be aware of in your risk calculation (particularly if personal devices such as cell phones are used for business functions).
Kudos for using Signal
To be clear, we rely heavily on Signal at Pathfynder. While our endeavors are mostly to communicate sensitive information with clients, naturally, everyone has their own reasons for using Signal. It is a great platform that gives us the peace of mind to have secure conversations.
That being said, the application isn’t perfect, and it’s unfair to expect it to be. Utilizing the disappearing messages feature can provide you an extra layer of protection that we recommend employing when passing information you want to be protected.