Fabio Manganiello on Nostr: Russian hackers (the APT44/Sandworm group, again) are trying again to break into ...
Russian hackers (the APT44/Sandworm group, again) are trying again to break into #Signal accounts.
When access to private messages can make the difference between winning and losing a war, you can bet that State-sponsored actors will try their best to break into those messages.
Signal is also widely used by people on the battlefield (more than Telegram) because it provides E2EE by default - and, unlike WhatsApp, it doesn’t leak unencrypted metadata under any circumstances.
The approach followed by the hacking group is actually surprisingly simple, and it exploits the notorious link-device feature (a legitimate feature offered by many messaging apps to receive messages on multiple devices).
The attackers share link-device QR codes with potential victims, disguising them as group chat invites.
Once the victim scans the QR code through the Signal app on their phone, the attacker immediately gains access to all the messages received on the victim’s phone.
The solution is also surprisingly simple (and this isn’t the first instance of abuse of QR codes): always remember that scanning a QR code may be just as dangerous as opening an unknown website - especially when you do it through a third-party app.
Instead of blindly scanning QR codes through the likes of Signal and WhatsApp, always use an external app that first turns them into text.
If you do so, you’ll immediately notice the difference between a URL like this (a group invite):
sgnl://signal.group/123456789
And one like this (a device link request):
sgnl://linkdevice?uuid=h_8WKmzwam_jtUeoD_NQyg%3D%3D&pub_key=Ba0212mHrGIy4t%2FzCCkKkRKwiS0osyeLF4j1v8DKn%2Fg%2B
https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
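As an added illustration of the "decode to text first" advice (this is example code, not something from the post or from Signal), the helper below classifies the decoded text of a QR code before anyone pastes it into a messaging app. It assumes only the two `sgnl://` formats quoted above; `classify_signal_qr` and the sample payloads are constructed for this example, and other Signal link formats may exist that it does not recognise.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample payloads, following the two URI formats quoted above.
GROUP_INVITE = "sgnl://signal.group/123456789"
DEVICE_LINK = (
    "sgnl://linkdevice?uuid=h_8WKmzwam_jtUeoD_NQyg%3D%3D"
    "&pub_key=Ba0212mHrGIy4t%2FzCCkKkRKwiS0osyeLF4j1v8DKn%2Fg%2B"
)


def classify_signal_qr(text: str) -> dict:
    """Classify the decoded text of a QR code before handing it to Signal.

    Returns a dict with 'kind', 'risk' and 'details'. A 'device-link' result
    means scanning it would pair a new device with the account, which is
    exactly what the phishing campaign described above relies on.
    (Hypothetical helper; it only knows the formats quoted in the post.)
    """
    try:
        u = urlparse(text.strip())
    except ValueError:
        return {"kind": "unparseable", "risk": "unknown", "details": {}}

    if u.scheme.lower() != "sgnl":
        # Not a Signal deep link at all (e.g. an https:// URL); treat as any
        # unknown link and inspect it separately.
        return {"kind": "not-signal", "risk": "unknown",
                "details": {"scheme": u.scheme}}

    host = u.netloc.lower()
    if host == "linkdevice":
        # parse_qs already percent-decodes the values.
        fields = {k: v[0] for k, v in parse_qs(u.query).items()}
        missing = [k for k in ("uuid", "pub_key") if k not in fields]
        if missing:
            return {"kind": "malformed-device-link", "risk": "high",
                    "details": {"missing": missing}}
        return {"kind": "device-link", "risk": "high", "details": fields}

    if host == "signal.group":
        return {"kind": "group-invite", "risk": "low",
                "details": {"path": u.path}}

    return {"kind": "other-signal", "risk": "unknown",
            "details": {"host": host}}


def verdict(text: str) -> str:
    """One-line human-readable summary for the person holding the phone."""
    r = classify_signal_qr(text)
    if r["kind"] == "device-link":
        return ("DEVICE LINK REQUEST: scanning this pairs a new device with "
                "your account and gives it your incoming messages. "
                f"uuid={r['details']['uuid']}")
    if r["kind"] == "group-invite":
        return f"Group invite for {r['details']['path']}"
    return f"{r['kind']} ({r['risk']} risk)"


if __name__ == "__main__":
    for payload in (GROUP_INVITE, DEVICE_LINK, "https://example.invalid/x"):
        print(verdict(payload))
```

Run it on whatever a generic QR reader app outputs; the point is that the `linkdevice` host is visible in plain text, whereas the QR image itself looks identical to a group invite.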