Hackers are targeting Signal users to steal chat backups as part of a new hacking campaign, according to a TechCrunch investigation.
On Wednesday, Washington Post analyst Josh Rogin posted a screenshot of a new type of attack against Signal users. The hacker poses as the app’s support team and warns the target that their backed up chats and media are “at risk of being lost forever due to sync issues.” To avoid that, the target must share the recovery key used to access online backups in a chat with the hacker, the message states.
“This will link your existing backup to your account. If you do not do this, you may lose access to your account and all stored data,” says the message, which purports to come from an account called Signal Support.
Rogin said several anti-Chinese Communist Party activists received this malicious message.
Mohamed Al Maskati, director of Access Now’s digital security helpline, which investigates cyberattacks against journalists, dissidents and human rights defenders, told TechCrunch that the two had shared similar messages. Al Maskati said the two were not Chinese activists. This suggests that the hacking campaign may spread more widely and target other communities, or that there may be different groups of hackers using the same strategy.
It’s unclear how effective the hacking campaign was. Al Maskati said stealing the victim’s recovery key for chat backups is only one stage of the attack, and the hacker still needs to take over the victim’s account.
Generally, this type of attack relies on phishing targets, which means tricking the target into sharing sensitive personal information with the hacker. In this particular case, the hacker poses as Signal’s support team and exploits the target’s trust in the app and the organization behind it.
It’s important to note that Signal says it will “never contact” users in the first place and will never ask for a registration code, PIN, or recovery key. This means that chats that pretend to come from Signal Support are actually coming from malicious hackers. The organization publicly warned about this very type of attack last month.
inquiry
Do you have more information about these attacks against Signal users? Or are there other similar attacks? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382), on Telegram and Keybase @lorenzofb, or by email.
There have been several hacker campaigns masquerading as Signal Support in recent months, but this is a new type of attack as it specifically targets backups and may contain the victim’s old chats, photos, and documents.
Previous hacking campaigns targeting Signal users have involved taking over and impersonating the victim’s account, often with the underlying goal of stealing the victim’s contact information or starting conversations with other people as if they were the account owner. In these cases, the hacker cannot access past messages because the attack relies on re-registering the victim’s account on a device they control. Because of the way Signal is designed, old messages won’t appear on new devices.
A hacker can take over a Signal account, for example by hijacking someone’s phone number. But Signal offers opt-in security features to prevent that, including an enrollment lock that prevents attackers from linking a target’s number to a new device unless they steal the target’s PIN.
In this scenario, one way to review old messages is to access the victim’s online backups. This requires a recovery key.
Last year, Signal launched a new opt-in feature, Secure Backup. This allows users to upload content from their accounts to Signal servers. The recovery key is encrypted with the recovery key, and the organization says this backup is “never shared with Signal servers” and “never leaves” the user’s device. Signal says users should keep their recovery keys securely within a notebook or password manager.
“Without a unique recovery key, no one (including Signal) can read, decrypt, or restore the data in your secure backup archive,” Signal said.
This means that in a scenario where you register your account on a new phone, download an encrypted backup from Signal’s servers, and decrypt it with your recovery key, only the user can access the archive.
Signal did not respond to requests for comment.
If you buy through links in our articles, we may earn a small commission. This does not affect editorial independence.
