Technical Error Correction Collective

Claim: Signal Encryption Has Been Broken


As a tech-advanced generation grows up, it has become increasingly chic to worry about encryption and security. Unfortunately, the topic is being oversimplified for one-liners. The recent story that the very popular, safety-conscious Signal has been cracked is no different. A number of tech blogs and news organizations have lately been publishing rumors that the well-known messaging app Signal is compromised, and have implied that its users should be worried that their communication can now be spied on. Luckily for everyone wanting to keep their messages safe and away from prying eyes, all of these stories (so far) are overblown.

That’s not to say that, given the right and rare conditions, gaining access to sent and received messages on Signal is impossible. It’s just that, like many tech stories, it comes with a boatload of caveats.

Signal is designed to protect you against someone intercepting or modifying your messages “in transit.” Essentially, cell signals, even SMS and other messaging services, send their data along the equivalent of old-fashioned telephone lines. Like those lines, it’s possible to tap them and to make a copy of everything you hear or read that comes across the line. This is especially an issue in countries where it’s very easy for a government to force a cell phone network to make copies of any data that passes through its system (or even just give them direct access).

Signal, and other messaging apps like it, such as WhatsApp and Apple’s iMessage, get around this by encrypting their messages. This renders the messages unreadable to anyone who is not the sender or the intended receiver. The password to decrypt these now-encrypted messages only exists in two places: the phone of the person who sent the message, and the phone of the person who receives it.

What this doesn’t protect against, you’ll notice, is reading the message off your phone directly. If someone from the government, or whoever else you might be worrying about, gets into your phone, you’re pretty much out of luck – but that’s not what Signal is meant to protect from. Its main purpose is to protect data that’s currently moving, not data that’s sitting.

Using our telephone line analogy: even if someone is tapping your telephone line and the signal is encrypted, an attacker can always just put a mic in the room where your phone is and listen to the recording later. That still does not mean the encryption is broken; it just makes the listener’s job much harder.

The rumor going around, disappointingly, is just this. The FBI, also known as one of the better-financed security services in history, couldn’t break Signal’s over-the-wire encryption, so instead they figured out how to break into a target’s phone (we’re not sure how, but that’s beside the point here). From there, they could have just tapped the “Signal” icon, opened the app, and read the messages right off the screen.

This isn’t Signal’s fault, and in fact it is a far more secure instant messenger than most competitors it’s mentioned next to (such as Telegram). Plus, Signal does have a feature called “disappearing messages” specifically designed to delete messages after a given amount of time from both the receiver’s and the sender’s devices. Though it probably doesn’t prevent a truly well-funded attacker from getting the messages if they really want them, it will certainly make it massively more expensive and only worth it in the most worthwhile and public cases.