Advertisement
Tech by VICE

Signal Bug Could Have Let Hackers Listen to Android Users Via Microphone

Google’s Project Zero recently reported the issue, which the Signal maintainers have now fixed.

by Joseph Cox
Oct 4 2019, 9:43pm

Image: Jaap Arriens/NurPhoto via Getty Images

All software has bugs. But there's an extra sting when that software is something you use to communicate securely.

On Friday, a researcher at Google's elite vulnerability hunting team Project Zero published details about an issue in the Android version of Signal. The bug allowed a hacker to phone a target device, and the call would be answered without the recipient needing to even accept the call, essentially letting the hacker listen-in on the victim.

"When the call is ringing, the audio mute button can be pressed to force the callee device to connect, and audio from the callee device will be audible," Natalie Silvanovich, a security engineer at Project Zero, wrote in a September bug report which was made public today.

The issue requires a hacker to build and then use a custom version of the Signal Android software, swapping out one section of the code for another, the report shows.

Know of any other software vulnerabilities? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

The bug could have impacted the iOS version of Signal too, if it wasn't for a bug in the user interface, Silvanovich wrote.

"I would recommend improving the logic in both clients, as it is possible the UI problem doesn't occur in all situations," Silvanovich added in her report.

The issue was fixed Friday, Silvanovich wrote.

The bug is somewhat reminiscent of a recent issue with Apple's FaceTime, in which an attacker could switch on the microphone of a target device by adding themselves to a FaceTime group call.

Open Whisper Systems, which maintains the Signal app, did not immediately respond to a request for comment.

Subscribe to our cybersecurity podcast, CYBER.

This article originally appeared on VICE US.

Tagged:
Google
android
vulnerability
ios
Project Zero
​signal
end to end encryption
exploit
Google Project Zero