Do not make this dangerous messaging error
Update: Republished on March 31 with a new report on the dangers of secure messaging in the workplace and a word on WhatsApp versus Signal.
Secure messaging applications on your phone are dangerous. Not because their own security measures are vulnerable to attack (although that happens), but because their security is only as good as your behavior. And millions of iPhone and Android users do not realize that simple errors can open your phone to attack.
That was the crux of the NSA warning that has now been made public and that was headlined as a Signal vulnerability in the wake of Trump officials inadvertently inviting a journalist to a sensitive group chat. But that is not the case. It is a user vulnerability. The NSA notification is a warning to change your messaging settings. Nothing more.
The NSA warning last month was triggered by Google’s Threat Intelligence Group discovering that Russia’s GRU had prompted Ukrainian officials to open access to their Signal accounts, allowing the Russians to listen in. It was not a Signal defect: the application worked as designed. And it was not limited to Signal. Google warned that “this threat also extends to other popular messaging applications such as WhatsApp and Telegram.”
The two “vulnerabilities” relate to Signal and WhatsApp features that make the applications easier to use: linked devices and group links. The first lets you synchronize and access your secure messaging applications on all your eligible devices. The second gives you a simple way to invite new members to a group chat by sending them a link, rather than adding them to the group one by one.
The group link threat extends only to the group itself and is easily mitigated. In Signal, disable the group link in the group’s settings. In WhatsApp, you do not have this option, but do not use links for sensitive groups; you should also set sensitive groups in WhatsApp so that only administrators can add members.
The linked devices option is much more dangerous because it can establish a fully synchronized replica of your messaging application on someone else’s device. But again, this risk is easily mitigated. In both applications, there is a clearly labeled settings menu entitled “Linked devices.” Go there now and remove any device that you do not recognize 100% as belonging to you. If in doubt, delete it. You can always add it back later if you make a mistake. In both applications, your main phone is the base, and all other devices can be linked to it and unlinked from it.
There is a twist to that. In the Russian attack, the Signal group invitation link was hijacked to link a device instead. That is a vulnerability in the coding and mechanics of the invitation, but not in the application itself. But there is no way for someone to link a device without it showing up in the settings described above. Regularly checking these links is essential. It is also worth periodically unlinking browser “web application” links (as opposed to apps) and relinking them. The other advice is not to click on group links unless they are expected and you can vouch for the sender.
The NSA’s other messaging advice should be common sense. Set and regularly change your application PIN, and enable the screen lock. Do not share contact or status information, certainly not outside your contacts. The DoD agency also recommends keeping phone contacts and application contacts separate, although that is painful for daily use.
The concept of secure messaging is widely misunderstood. End-to-end encryption is a transmission safeguard. The content is scrambled by your device and unscrambled when it reaches a recipient. Each end (the phones in a chat) is vulnerable to a compromise of that device, to a user saving content, or to the wrong person being invited into a group. None of these applications is bulletproof if your other security is flawed or if you make a mistake.
The NSA is not the only one to single out Signal when it comes to securing the commercial messaging platforms used by politicians and other officials. America’s cyber defense agency did the same in the wake of the hacks of American networks by China’s Salt Typhoon. “Use only end-to-end encrypted communications,” CISA said. “Adopt a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or a similar application.”
With interesting timing, WhatsApp, the most popular secure messenger in the world, which uses the same Signal encryption protocol as Signal itself, has just made this easier. iPhone users can now select WhatsApp as their default messaging and calling application. The platform update that offers this new capability arrives this weekend. In Settings, under Apps, select “Default Apps” and change the “Messaging” and “Calls” options.
But again, this does not change the user and device vulnerability that will always leave secure messaging at risk. “The biggest risk of eavesdropping on a Signal conversation comes from the individual phones on which the application runs,” explains Foreign Policy. “Although it is not very clear whether the American officials involved had downloaded the application onto personal or government-issued phones … smartphones are consumer devices, not at all suitable for American government conversations.”
This is particularly acute given that “an entire industry of spyware companies sells capabilities to hack smartphones to any country willing to pay.” Then there are the forensic exploits that have plagued iPhones and Androids this year. And so, just as it is essential to apply the right messaging settings, it is also essential to keep your phone up to date, avoid risky applications, and stop clicking on unexpected links or attachments.
While Signal took most of the headlines given the attack on the United States, in reality it is WhatsApp that is the much bigger problem. “It’s a WhatsApp world at work now,” according to the Financial Times, “and it’s not always a good thing.”
As the newspaper reports, gone are the days “that you could leave [work] the applications to make a truck game all weekend, knowing that the pingers were asking nothing more taxing than what time to meet for coffee or whether there was milk in the refrigerator. Those days are gone. Some time before Covid, office colleagues and work contacts began to send messages on applications once confined to social life.”
And WhatsApp is at the very top of that list. Ironically, the only key market that held out against it was the United States, where iMessage remained the dominant secure messaging platform. But even that is changing now, with Meta publicly celebrating WhatsApp passing 100 million American users last summer.
“At one point”, ” flight Underlines: “It no longer seemed to be doing whatsapp of his manager, then adding a thumbs up.
Ironically, Signalgate caused a mild spat between WhatsApp and Signal over which is the most secure application for exchanging and keeping secrets. “There are big differences between Signal and WhatsApp,” Signal boss Meredith Whittaker posted, after WhatsApp boss Cathcart stressed that the two use the same underlying encryption and could therefore be seen in the same light, despite Meta’s ownership.
“Signal is the gold standard in private communications,” said Whittaker. “WhatsApp licenses Signal’s cryptography to protect the content of messages for consumer WhatsApp,” although the same level of security does not apply to business communications. “Don’t get me wrong, we love that WhatsApp uses our technology to raise the privacy bar of their application. Part of Signal’s mission is to set, and encourage the technology ecosystem to meet, this high privacy bar. But these are key, meaningful privacy differences, and the public deserves to understand them. Marketing.”
But it is to WhatsApp that we must turn for the purest irony of this whole story. A few days before The Atlantic published its shocking revelations about inadvertently listening in on a government “eyes only” Signal group, the rival platform posted on X: “As admin, do you let the members of the group add other people to the chat?” Just that, nothing more. It is almost as if the whole furor could have been predicted. Not that whoever actually added journalist Jeffrey Goldberg was or was not an admin, just that the risk with these group invitations is there and requires some attention.
The bottom line, however, is very simple. Whether WhatsApp or Signal, both are secure and recommended for use, if used correctly. Configure either of them badly, or neglect phone updates, settings and secure use, and both will fail. You can read the NSA’s full advice here. Be careful and make sure to keep your worktops, festive plans and even your secret war plans.