Category Archives: Open Whisper Systems

Signal threat modeling

In this blog post I will explore what telecommunication companies (telcos) are able to observe in terms of metadata and content when using or not using Open Whisper Systems’ Signal. Special thanks to John Brooks for content editing.

Introduction

Telecos, globally, for over a hundred years, have had various data retention policies that include metadata and content collection and storage (information seizure). In the United States, the Communications Assistance for Law Enforcement Act (CALEA) was enacted specifically to enhance electronic surveillance. Anything the telecos can see and store, intelligence agencies and law enforcement have the ability to obtain too, often in real-time (information search). Intelligence agencies store this information for much longer than telcos because of the monetary costs to store your private information. Within the Snowden revelations, top secret documents make clear that as much information as possible is collected depending on company/agency capacity and technical capability.

The mobile devices that you use contain a huge swath of information about you. They also contain a huge swath of information about the people that you communicate with. In each of the scenarios that I explore below, I’ll be breaking down my exploration into two high-level categories; device vulnerabilities, which can alternatively be thought of as “data at rest”. The second high-level category is infrastructure threats, which can alternatively be thought of as “data in motion”.

Target audience

Journalists, lawyers, activists, and domestic violence survivors are all example populations that have a choice. They can either attempt to learn somewhat technical material and self-empower their decisions about the technology that they use or don’t use, or they can further trust other people to make those decisions for them. It is my opinion that vulnerable populations that are direct victims of surveillance should put more effort into learning technical material. It is unethical for me to make all information and operational security decisions for my students. It is also my opinion that technical educators like me have a responsibility to help bridge any gaps in learning.

Summary

Standard SMS and standard voice calls leave you vulnerable to device and infrastructure exploits (information seizure) for both content and metadata. Once installed, Signal, for Android, handles SMS which is the same in transport as standard SMS, but message content is better protected on the device. Signal can not protect standard voice calls.

Signal manages both encrypted IMs and encrypted voice calls. When you use encrypted IMs and encrypted voice calls, your message content is protected against device and infrastructure exploits. Metadata is protected against infrastructure exploits when you use encrypted IMs and encrypted voice calls, but metadata on the device is still somewhat vulnerable.

Understanding the visual models

phone-basestation
The column and row -based models shown below, one model per scenario, were made to help illustrate the different phases of text/voice communications through telco networks and other related risks.

Asset

The messages that you send people (data in motion) contain two very important things. These two things are your assets: participant metadata and message content. These two assets have to traverse your telco network and the telco network of your friend in order to work the way you expect them to. Each of the two assets is uniquely vulnerable depending on your choice of communication technologies.

The adversaries to your assets are the people who want to illegally or unethically copy your assets for themselves. Your threats are the infrastructure technologies which your adversaries have designed and control.

Device

Your messages must be generated and stored (data at rest) on your mobile device in a messages database. In order to reliably send people messages, you have a third asset that must be protected: your contacts database. It is possible that your teleco has pre-installed software on your phone that has access to your stored assets. Other common threats to data confidentiality include social media applications and syncing applications that make a copy of your messages and contacts and stores them on someone else’s servers.

Infrastructure

When you want to communicate with someone, your device has to send your messages across various infrastructure technologies to reach the person whom you wish to communicate with. I will not be going to great depth into each of the phases of telco network traversal. It is not important given the Open Whisper Systems crypto tools that you have available. What is important to understand is that if you’re using AT&T and your friend is using Verizon, messages have to traverse two completely different sets of infrastructure. When you send a single message to someone, it is likely that three different adversaries are able to copy your assets. Each adversary has completely different data retention policies, laws, and ethics.

SMS communication scenarios

Scenario 1

SMS2SMS-1
1. You send an SMS on your cell network without Signal to a friend who receives the SMS on her cell network without Signal, or vice versa.

Participant metadata and message content

1.1. Device vulnerabilities: message databases and contact databases are, by default, easily accessible to other applications installed on your mobile devices. Social media apps, message sync apps, etc, will copy these databases and put them unsafely on servers that you have minimal control over. Specifically, regarding SMSs and IMs, these companies that store your private information can observe who you talk to and when. Companies like Facebook want to know everything they can about you. Companies like Apple and Google want to make backups easy and seamless, but they store your information in such a way that they can make it available to law enforcement.

1.2. Infrastructure threats: SMS is only encrypted between your mobile device and the cell tower. At no other point in the message’s traversal to the delivery cell tower is it encrypted in such a way that a network operator or intelligence agency cannot access it. Your information was designed to be exploited when using these systems as-is. 2G/3G/4G encryption standards largely protect cellular network communication from local eavesdroppers, but those standards are weak.

Scenario 2

TS2SMS-1
2. You send an SMS on your cell network with Signal to a friend who receives the SMS on her cell network without Signal, or vice versa.

Note:

From Open Whisper Systems: “Signal does not store its encrypted database in a location that other applications are allowed to access. Android features support for isolated storage, and Signal takes advantage of this functionality. Memory contents are also protected, and recent versions of Android include ASLR which makes manipulating memory contents (or predicting the location of stored material) even more difficult.

Having said that, users should still choose strong passphrases to properly protect their message contents if their phone gets lost or stolen.”

Participant metadata and message content

2.1. Device vulnerabilities: While the message database is protected on your mobile device when Signal is managing said database, the contacts database is not. Apps can and will read or copy your contacts database unless you take additional protections to block apps from doing so. Copying your contacts database will not reveal who you necessarily communicate with, but it does show who you can communicate with and who you’ve likely communicated with. Database security presumes that your mobile device is free from existing malicious software.

2.2. Infrastructure threats: All participant metadata and message content infrastructure threats are identical to scenario 1.2.

Communication scenarios with Signal

Scenario 3

TSS2TSS-2
3a. You send an IM on your cell network with Signal to a friend who receives the IM on her cell network with Signal, or vice versa.

3b. You make a Signal call on your cell network to a friend who receives the call on her cell network with Signal, or vice versa.

Note:

On transport security, see Open Whisper Systems Is it secure? Can I trust it?

Participant metadata

3.1. Device vulnerabilities: All participant metadata device vulnerabilities are identical to scenario 2.1.

3.2. Infrastructure threats: When using Open Whisper System’s end-to-end encryption, the participant metadata of messages is protected from all aspects of “data in motion”. However, Deep Packet Inspection (DPI) by any infrastructure intermediary is capable of identifying the fact that traffic is encrypted. DPI can also fingerprint the encrypted traffic to the degree that adversaries might be able to identify you as a Signal user. This alone would not allow a teleco to know whom you communicate with. A global adversary like Five Eyes (FVEY) may be able to identify who you communicate with by fingerprinting the type of encryption and network timing analysis. This should concern you if you’re a journalist talking to a source or vice versa.

Message content

3.3. Device vulnerabilities: All message content device vulnerabilities are identical to scenario 2.1.

3.4. Infrastructure threats: When using Open Whisper System’s end-to-end encryption, the content of messages is protected from all aspects of “data in motion”.

Scenario 4

TSS2TSS-1
4a. You send an IM on your Wi-Fi with Signal to a friend who receives the IM on her Wi-Fi with Signal, or vice versa.

4b. You make a Signal call on your Wi-Fi to a friend who receives the call on her Wi-Fi with Signal, or vice versa.

Note:

Scenario 4 is nearly identical to scenario 3, except that the transport infrastructure has changed, which means the specific adversaries have, too. Conceptually, the technical threats and vulnerabilities are the same.

Participant metadata

4.1. Device vulnerabilities: All participant metadata device vulnerabilities are identical to scenario 2.1.

4.2. Infrastructure threats: All participant metadata infrastructure threats are identical to scenario 3.2.

Message content

4.3. Device vulnerabilities: All message content device vulnerabilities are identical to scenario 2.1.

4.4. Infrastructure threats: All message content infrastructure threats are identical to scenario 3.4.

Scenarios with IMSI catchers

IMSI-catchers come in many different names and capabilities. There is even a Free and Open Source Software (FOSS) version called OpenBTS that allows amateur or professional hackers to exploit the weaknesses of cellular networks. Infosec Institute made a decent guide. They all pose an abundance of threats to you and your assets.

IMSI catcher capabilities:
  1. Passively or actively extract identifiers of cellular devices such as IMSI, ESN, and MEID numbers.
  2. Passively or actively track physical locations and movements.
  3. Actively perform Denial of Service (DoS) attacks that would prevent the cellular device from connecting to a cellular network. Targeted DoS attacks can also force cellular devices to use older wireless technologies (2G or 3G) which use weaker encryption or no encryption depending on the cellular network configuration.
  4. Actively perform Man in the Middle (MitM) attacks to eavesdrop on all forms of cellular communications: SMS, voice, or data.
  5. Actively exploit baseband processors, allowing the adversary to deploy malicious software onto to the cellular device.

There is no indication that local law enforcement perform capabilities #3 or #5. However, intelligence agencies and well-funded groups are capable of such operations. It is very important to understand who your actual adversaries are in order to apply any notion of risk (threat + vulnerability).

Scenario 5

SMSIC2SMS-1
5. You send an SMS without Signal via your compromised cell network to a friend who receives the SMS on her cell network without Signal, or vice versa.

Note:

When IMSI catchers are in use, there is a higher probability of device exploitation if you are the target of the operator. Mobile device databases could be extracted, key-logging software or voice and visual recording software might be installed that will jeopardize existing and future conversations.

Participant metadata and message content

5.1. Device vulnerabilities: All participant metadata and message content device vulnerabilities are identical to scenario 1.1.

5.2. Infrastructure threats: SMS is likely not encrypted at all or the IMSI catcher was able to Man-in-the-Middle the encryption between your mobile device and the cell tower. At no point in the message’s traversal to the delivery cell tower is the message protected in any way. The IMSI catcher operator, cellular network operator, and/or intelligence agency can access the messages.

Scenario 6

TSSIC2TSS-1
6a. You send an IM on your compromised cell network with Signal to a friend who receives the IM on her cell network with Signal, or vice versa.

6b. You make a Signal call on your compromised cell network to a friend who receives the call on her cell network with Signal, or vice versa.

Note:

When IMSI catchers are in use, there is a higher probability of device exploitation if you are the target of the operator. Mobile device databases could be extracted, key-logging software or voice and visual recording software might be installed that will jeopardize existing and future conversations.

Participant metadata

6.1. Device vulnerabilities: All participant metadata device vulnerabilities are identical to scenario 2.1.

6.2. Infrastructure threats: All participant metadata infrastructure threats are identical to scenario 3.2.

Message content

6.3. Device vulnerabilities: All message content device vulnerabilities are identical to scenario 2.1.

6.4. Infrastructure threats: All message content infrastructure threats are identical to scenario 3.4.

Related adversaries + threats not discussed

  1. Intelligence agencies, companies with lots of money to spend with grudges, and global surveillance adversaries that have the ability to pin-point your mobile device and perform one-time or persistent malicious activity.
  2. Technical threats or adversaries posed by IMSI catchers are the same when connecting to your normal cell network, but the probability of exploitation may not be the same.
  3. MitM attacks, similar to IMSI catchers, can also be performed on Wi-Fi networks; technical exploitation might be different, but outcome of exploitation might be the same.
  4. Mobile devices that have already been compromised either intentionally or accidentally.
  5. Can you think of one?

Conclusion

This is the style of guide that people like journalists, activists, and lawyers need. It borders on specific technical details without getting into too many details. It is also the style of guide that needs regular maintenance (research, Q&A, feedback, editing, administration). This guide demonstrates the need of journalists, activists, and lawyers to become educated in certain areas of technological advancement.

I hope that this has proven useful to you. If you liked this blog post, tell your friends about it and talk to them about it. Talk about encryption. Talk about surveillance. People need to talk about this stuff. If you have any questions, concerns, or constructive feedback for me, please email me.

Glossary

2G/3G/4G: cellular teleco technologies that allow your cellular mobile device to talk to telco networks.

802.11 a/b/c/n: “Wi-Fi”

Android: Google’s mobile device operating system.

Asset: Something that is important to you.

BTS: See: “Base transceiver station” on Wikipedia.

IM: Instant Message. Think: AOL instant messenger or MSN instant messenger. Signal is capable of sending IMs to mobile devices using Internet data.

IMSI catcher: a device that can be used to maliciously intercept, alter, or deny your cellular network communication. It is commonly used by law enforcement, private police, private investigators, or hackers. See “IMSI-catcher” on Wikipedia.

iOS: Apple’s mobile device operating system.

ISP: Internet Service Provider. This might be your home ISP or the ISP of a coffee shop that you’re using.

Message content: the content of an SMS or IM.

Participant metadata: Any aspect of people and the communications between people. This could include, but is not limited to, who is communicating, when, for how long.

Signal: The open source application made for iOS by Open Whisper Systems. See: Notes for Signal

SMS: Short Message Service. A “text”. You usually send these to people with your phone, limited to 160 characters per message.

SMS-SC: See: “Short message service center” on Wikipedia.

SS7: See: “Signalling System No. 7” on Wikipedia.

Telco ISP: the ISP of your cellular telco network provider. It could be that your cellular network provider is also its own ISP.

Threat: A person, place, or thing that is likely to cause damage or danger to your assets.

Vulnerability: A person, place, or thing that is unable to withstand the effects of a hostile environment.

WAP: Wireless Access Point. It provides Wi-Fi.

Create an anonymous Signal phone number w/ Android

Formerly: “Create an anonymous TextSecure and RedPhone phone number”

Published: 2015-Mar-14
Updated: 2015-Nov-16, revision 64

Sometimes you just need an email address and a phone number to do things online. Or maybe you want to ditch you expensive phone plan because your friends and family all smartly use Open Whisper Systems crypto tools. And why not? Signal lets you communicate for free, even to international numbers. This guide will show you:

  • how to create a new Gmail address without an existing phone number,
  • create a new Google Voice phone number with your new Gmail address,
  • and then using your new Google Voice number to setup Signal.

After you complete this guide, your new phone number can send/receive Signal calls and instant messages using Wi-Fi. Persistent SMS capabilities will also be available using Google Voice. Baseband and SIM card exploits will be a thing of the past.

Anonymity is relative in this context. Yes, you’ll be creating a phone number that you’ll probably be giving to other people. Those people will probably know who you are. Pay special attention to step 14. If you follow this guide, you’ll be in a position to maintain communications anonymity in a massive passive-surveillance network.

The following was tested on a Motorola “Moto G” running Android 4.4.4. You will need a laptop to perform the Google Voice aspects of this procedure. Like most guides, you may want to read through the whole thing before starting. Please email or Tweet me if you have any suggestions.

Alternative security

If you just need security and not anonymity, Signal on an iPod Touch is even better.


Guide

1. Obtain an Android phone that was not purchased by you at any retail location. The Nexus phones might be ideal as they typically will not come with a bunch of extra software installed. The Moto E is also a good choice. Craigslist should be fine. Pay with cash. You don’t want any phone device IDs linkable to you (including by way of electronic payment cards and shipping addresses).

1.1. To further distance your connection to device IDs and location-based IPs, take a bus (pay with cash) to a different city than the one you live. Don’t bring any other personal cell phones. Go to a mall and buy a used Android from one of the kiosks. Perform this guide in that city. Do nothing else in the city; don’t go and get your face on a bunch of cameras, and don’t pay for things with debit/credit cards.

2. Go to a public library or coffee shop with free Wifi with your Android, laptop, and Tails Linux (USB or DVD). Make sure it’s a place that you’ve never been to and one which you’ll never return to. Order a coffee with cash, be nice, and avoid interacting with people.

3. Remove any SIM cards from the Android. Turn on then restore the Android to factory defaults. Skip all activation settings and enable Airplane Mode as soon as possible. Disable or uninstall all possible apps that aren’t needed, especially ones that sync. You need, at a minimum, Google Play Store, Google Play Services, and Google Services Framework. With Airplane mode still enabled, turn on Wi-Fi and connect.

4. Open Google Play Store. Create a new Gmail address when Android prompts you to log in. Don’t use any words or phrases in either your email address or your password that you’ve used before. And don’t use a password that you’ve ever used before.

5. Using your laptop, boot up Tails Linux. Open the “insecure” browser that is not Iceweasel to log in to your Gmail address. Do not use Iceweasel or Tor, Google will lock you out of the new account, and you’ve already shown Google where you are in steps 3 and 4.

5.1. Make sure you do not proceed if you are prompted to accept bogus SSL/TLS certificates.

5.2. Booting up Tails has two advantages despite not using Tor: 1) the Wifi MAC address is spoofed, and 2) when you shut down your laptop, no history is saved. Do not use Tor to log in to your Google account until after you have two-factor authentication set up.

5.3. If you ever need to enter an alternate email address, simply open the Gmail Android app and create a new address. You can use it as the backup for your new primary address.

6. Use your Android to download “Talkatone“, a free VoIP Android app that gives you a temporary phone number. You will use it to receive phone calls over Wi-Fi. Register for a new account for a new number using your new Gmail address. You may need to search various area codes to find one that has numbers available.

7. Log into google.com/voice with Tails’ insecure browser. Enter your Talkatone phone number and receive its call to verify the number. Go into settings and verify that both “Receive text messages on this phone” and “Notify me of new voicemails via text” are checked. Turn Call Screening off in the Calls tab.

7.1. You can stop here if you don’t need Signal. You may only need a WiFi connected Android with Google Voice to privately receive access tokens via SMS.

8. Never use this phone from any place you routinely go (anchor points) unless you are behind Tor. See (*) below.


Signal configuration and Android configuration

9. Download “Signal” and register it with your Google Voice number. The SMS verification will fail. Wait and then verify via phone call. Your temporary Talkatone number will receive a call, so prepare to write down or remember the six-numeral verification code. Enter the code to verify Signal.

10. Encrypt the phone (Settings > Security > Encrypt phone).

11. Only use this device for Signal (and maybe Google Authenticator, see #13) from now on to minimize its exposure. Especially do not use apps that have in-app ads. Uninstall Talkatone. Uninstall or disable all web browsers. Uninstall or disable all Google apps and services except Google Play Services (and maybe Google Authenticator, see #13). You will need to enable Google Play Store again at some point to keep apps updated, but only at another random, public Wifi location. Always keep all syncing disabled, you do not want Google to have your contacts.

11.1. “NetGuard” may be a useful solution for keeping network activity minimized.

12. Open Signal. Disable SMS/MMS to both Signal users and non-Signal users in settings. Require password access to Signal by turning on “Enable passphrase” to further harden the message database in addition to adding another layer of defensive security (shoulder surfing for the phone access passphrase is easy). Set a low “Timeout interval”.

12.1. When preparing to IM someone with Signal, be sure to first add a contact in your Contacts. When you’re looking at your Signal contact list (or lack thereof), tap the refresh symbol to force a refresh. Now you should be able to see Signal users that can receive your IMs.

13. Using the “Google Authenticator” Android app, enable two-factor authentication (2FA) for access to your new Gmail. If an attacker can get into your Gmail accounts, an attacker could register your number with a new device and deny you the ability to communicate with Signal. When configuring your new Google account, you can now use your new Google Voice number as a verification phone number. Immediately configure 2FA with only Google Authenticator and Google Voice as a backup.

13.1. To further compartmentalize, put your Google Authenticator tokens on a separate device — Preferably one that remains in Airplane Mode all the time.

14. Tell people that you communicate with not to save your number with any personally identifiable name. The apps they use–like Facebook or their Google Contacts sync–will betray your privacy by recording their contact list, forever creating the digital record of your name with your new number.

15. Log into google.com/voice with Tails’ insecure browser on your laptop and disable forwarding to your former Talkatone number. Or alternatively, use Tails’ Iceweasel (Tor) and test access now that 2FA is configured.

Optionally…

16. Physically remove the phone’s microphone and cameras; if possible, the accelerometer too. Rely on a corded headset when communicating with Signal (voice). Don’t leave the headset plugged in when not in use.

16.1. If an attacker is able to compromise your device, you do not want them to be able to hot-mic your Android or take pictures/video of your environments.

rootkovska
An iPhone with its microphone and front camera removed.
Photo credit: Joanna Rutkowska

Root?

There are pros and cons to rooting your phone. Rooting might make the job of targeted attacker much easier. Should you root for more control (creating new vulnerabilities) or simply hope that Airplane Mode is doing what it promises when you are carrying your phone with you at anchor points?

(*) There are several options for getting Signal to work with Tor, but the downside is that only Signal IMs will work, not Signal voice calls. One option is to create a wireless access point for your anchor points that force all traffic over Tor, which does not need root, like P.O.R.T.A.L.. It also may be possible to leverage another Android phone that is already rooted and running Orbot to tether through. And again, InvizBox and Anonabox are simple solutions, but you have to buy them online and have them shipped somewhere, creating a lot of metadata. Lastly, there is the option of rooting and using Orbot to proxy local Android traffic.

Mission Impossible Android Hardening on Github, previously on the Tor Project blog, goes into good detail on how to root your Android device and attempt to delete the Android baseband firmware partition.

Once your Android is rooted, you would need to install a 3rd-party ROM that does not have any Google services pre-installed. Then you’d have to find the Signal APK online (plus verifying their hashes) and manually install the apps you need. There are some interesting, unsupported ways to get and use Signal on an Android. Google Cloud Messaging (GCM) is required unless another service pretends to be GCM.

Ideally you’d use an iptables-based firewall to prevent any apps or services using any network interface except Signal and Orbot. You would also need to find a different long-term VOIP provider (to receive phone calls and SMS) since you wouldn’t be setting up a Gmail or Google Voice in this scenario.

Notes for Signal

Previously: “Signal, TextSecure, and RedPhone ecosystem notes”

Published: 2015-Mar-02
Updated: 2015-Nov-16, revision 36

FAQs

1. You need a phone number plus an Android, iPhone, or iPod Touch to use Signal.

2. You need a data connection (Wifi or cellular) to use any of Signal’s end-to-end encrypted (E2EE) services.

3. Signal provides easy E2EE voice and text communications including to international Signal users; however, Signal for Android can optionally manage SMS by replacing your default SMS application.

4. Signal’s message database is independently encrypted on the device. Other apps cannot access the contents of this database. Signal (iOS) messages are not included in iCloud backups if iCloud is enabled. Signal (Android) messages are not included in Google Hangout syncing.

5. Unlike iMessage, WhatsApp, and other encrypted IM solutions, Signal allows users to verify each other’s public encryption key by sharing the public key fingerprint.

Group Messaging

6. Signal can be used to create and manage E2EE text/IM group chats.

7. Signal group chats protect 1) who is in the chat, 2) the name of the chat, and 3) the message content shared between Signal users.

Android specific

8. Signal asks to replace the default Android SMS application. It can send SMS (insecure) to non-Signal users. When Signal manages the SMS database (default SMS application), SMS (insecure) sent and received are not any more protected in transit than if you were using Android’s default SMS application.

9. If you need to send an SMS (insecure) to a contact but you have already chatted with Signal IMs, long-press the “enter” button when you are about to send the message.

10. Signal for Android can be configured to turn off SMS-sending. In this case you’ll only be able to send IMs to other Signal users. However, turning off SMS-sending only removes SMS contacts from Signal’s user interface. If you have an existing SMS conversation that is managed by Signal, you will still be able to send SMS to said contact. If someone SMSs you, you can still reply with SMS. Turning off SMS-sending in Signal is only superficial.

11. Signal SMS messages provide message content, time, date, contact (phone number), and location (cell tower) metadata to your telecommunication service provider and to your federal agencies. In the United States, this is accomplished via Section 215 of the USA Patriot Act. Signal IMs can provide time, date, and location metadata to telecommunications companies while protecting message content and contact metadata. Communication records will not show up on your phone bill when using Signal (non-SMS) encrypted communications.

iOS specific

12. Signal for iOS cannot send or receive SMS because there is no application program interface (API) in iOS for SMS. It can only send encrypted IMs.

13. Signal (iOS) is like iMessage. However, iMessage encryption keys can be replaced transparently (without your knowledge) by Apple, and iMessage does not employ Perfect Forward Secrecy (PFS). PFS allows each IM or encrypted voice call to have it’s own, unique, encryption key, making your communications much harder to crack once captured. Additionally, iMessages, by default, are synced to iCloud, making them easy to obtain by Apple or any government agency with the right paperwork. iMessages stored in iCloud are encrypted, but Apple holds those private keys and can unencrypt them for anybody it chooses.