12.5 C
New York
Thursday, July 2, 2020
Home News Signal vulnerability could let hackers track your location

Signal vulnerability could let hackers track your location

A vulnerability in the secure messaging app Signal could let a bad actor track a user’s location, according to findings from cybersecurity firm Tenable.

Researcher David Wells found that he could track a user’s movements just by calling their Signal number — whether or not the user had his contact information. This could be a big problem for victims of stalking, or for activists and journalists who are trying to avoid government or law enforcement detection to leak information or act in a whistleblower capacity.

There are two aspects to the vulnerability, Wells said. One is that if two Signal users have each other as contacts, it’s possible for them to determine each other’s location and IP address by calling, even if the person being called doesn’t answer the phone.

“That feature is not well advertised, and it’s interesting that someone could disclose your location if they’re your contact,” Wells said. “That’s kind of odd.”

It turns out that even if you don’t have a person in your contacts list, they can still roughly determine your rough location just by calling you on Signal. This works even if you don’t pick up or see the call.

“Let’s say I have a burner phone and I just ring your phone, and I do it so quickly that all you see is a missed call from some number,” Wells said. It turns out that’s enough for the caller to see what DNS server your phone automatically connects to. “Usually, it’ll be somewhat near you,” Wells continued. “So I can force that DNS server [near you] to talk to me. By getting that information, I know what DNS server you’re using and I can determine your general location.”

“The core of the issue is that you’re helpless,” Wells said. Simply by calling your phone, which you can’t control, a threat actor could determine your general location.”

“It’s not like clicking on a link [as in phishing],” he said. “Anyone can do this to you.”

Signal has reportedly already released a patch for the vulnerability via Github, but as of now, it is not yet available through any app stores.

Signal declined to publicly comment when asked about the reported vulnerability, but Wells told Digital Trends that he heard the team was working on an update that would patch the problem.

Signal recently announced it would be rolling out PIN numbers for people to use instead of phone numbers, which may help plug the security hole.

The vulnerability also has limitations. The method isn’t 100% reliable; at one point, Wells called an associate in Pennsylvania as an experiment, and the associated DNS server that responded was 400 miles away in Toronto.

“It’s very coarse,” Wells admitted.

The researcher also wasn’t able to determine a person’s specific address, for example. But when a callee’s phone connected to certain servers, he was able to see clearly what city they were in and track their daily movements.

“We’re not cracking Signal’s encryption or saying don’t use Signal. The sky isn’t falling,” he said. “But for a certain subset of people, this is going to be a problem.”

Latest

Check out this Android charging cable super pack, just $16

While USB Type-C might be taking off as the new standard, there are plenty of products that still rely on microUSB. Take a look at some of your favorite gadgets around the house; we bet a lot of them still have microUSB ports.Chances are pretty high that you’ve either misplaced a cable or two along the way or worn them out. If it’s time for new charging cables, consider the Android Charging Cable Super Pack. Just $15.95 right now, it’s a four pack of microUSB cables in three different sizes: 3ft, 6ft, and 10ft.These braided cables are strong and won’t tangle any time soon so feel free to throw them in a bag or backpack. Moreover, they’re stylish, too, and come in your choice of silver, pink, or gold.Charge & sync data simultaneouslyGet 4 cables of different lengths, plus a keychain charger3′ x 16′ x 210′ x1Compatible w/ all devices with a micro USB portCharge iPhones w/ included Android/Lightning keychain cableOrder YoursIn addition to the four cables you’ll also receive a keychain that provides charging capability to microUSB devices and iPhones. Yep, all of that for just $16 today. Swing over to the AndroidGuys Deals Store and choose the color that speaks to you.Best SellersEarn Credits!For every $25 you spend in the AG Deals Store you get $1 credit added to your account. And, if you refer the deal via social media or an email that results in a purchase, you’ll earn $10 credit in your account.First Time Buying?If this is your first time buying, you are also eligible for 10% discount! Just be sure to subscribe for email updates.Free StuffNot looking to spend any money today? No worries. You can still visit the AndroidGuys section for freebies and pick something anyhow.

Microsoft Surface Book 3 15-inch review: Still unique, still expensive

The Surface Book 3 is an incredible laptop/tablet hybrid, but you'll need something beefier if you want to edit video.

Best Buy 4th of July Sale 2020: All the best deals, all in one place

The Best Buy 4th of July Sale is now live, and we have links to each segment, along with our choices of the best deals on offer.

Best Buy 4th of July Sale 2020: All the best deals, all in one place

The Best Buy 4th of July Sale is now live, and we have links to each segment, along with our choices of the best deals on offer.