Remember the FaceTime bug that allowed a caller to eavesdrop on your phone? Well, researchers recently discovered a similar one – this time in super-secret messaging app Signal.
Reported in January 2019, the FaceTime bug allowed an attacker to call someone in Apple’s FaceTime and then add themselves to the chat session, even if the other party didn’t pick up. A bizarre logic flaw triggered an audio stream from the receiving phone, turning it into a digital eavesdropping device.
Now, Google Project Zero security researcher Natalie Silvanovich has found a similar bug in encrypted messaging service Signal. According to her bug report, a logic error in the app causes the program to answer an incoming call even if the user doesn’t pick it up.
The problem lies with
handleCallConnected, an Android message that causes the call to finish connecting. The app normally triggers this on both the callee and caller’s systems if the callee accepts an incoming call in the Signal app. However, an attacker could use this message to make the recipient’s app answer a call even if the caller doesn’t pick up, Silvanovich said.
For this to work, the attacker would have to install an altered version of the software on their own device. On an Android phone, you’d simply sideload such an app, because the operating system enables users to install applications directly to the device without going through Google Play.
The attacker couldn’t launch or stop a video call without the recipient’s permission, Silvanovich said, because users have to manually enable video in all calls. This makes it slightly less severe than the FaceTime bug, which an attacker could use to stream video.
Still, the bug could enable an attacker to turn a Signal client into an eavesdropping device, which was enough to earn the bug a high-severity rating.
The user would hear an audible ringtone or feel the phone vibrate, just as with a regular Signal call. Silvanovich said that this ringing period wouldn’t have to last long:
@campuscodi You can send the signal quickly, so it doesn’t have to ring for very long—
Natalie Silvanovich (@natashenka) October 04, 2019
Even so, the victim would see a visible indication that a call was in progress, tipping them off if they happened to look at their phone. There would also be a record of the completed call at the top of the victim’s conversation list.
Although this flaw put Android users in danger, the same logic problem occurred in the iOS client, Silvanovich pointed out. The only thing that stops the same attack on Apple’s operating system is an error in the user interface code. She added:
I would recommend improving the logic in both clients, as it is possible the UI problem doesn’t occur in all situations.
Signal did just that, and clearly cares about security: It fixed the bug in both Android and iOS on Friday 27 September 2019, the day it was reported. Apple took a little longer, switching off its Group FaceTime feature until it could roll out a fix just over a week after discovery.