Signal threat modeling

In this blog post I will explore what telecommunication companies (telcos) are able to observe in terms of metadata and content when using or not using Open Whisper Systems’ Signal. Special thanks to John Brooks for content editing.

Introduction

Telecos, globally, for over a hundred years, have had various data retention policies that include metadata and content collection and storage (information seizure). In the United States, the Communications Assistance for Law Enforcement Act (CALEA) was enacted specifically to enhance electronic surveillance. Anything the telecos can see and store, intelligence agencies and law enforcement have the ability to obtain too, often in real-time (information search). Intelligence agencies store this information for much longer than telcos because of the monetary costs to store your private information. Within the Snowden revelations, top secret documents make clear that as much information as possible is collected depending on company/agency capacity and technical capability.

The mobile devices that you use contain a huge swath of information about you. They also contain a huge swath of information about the people that you communicate with. In each of the scenarios that I explore below, I’ll be breaking down my exploration into two high-level categories; device vulnerabilities, which can alternatively be thought of as “data at rest”. The second high-level category is infrastructure threats, which can alternatively be thought of as “data in motion”.

Target audience

Journalists, lawyers, activists, and domestic violence survivors are all example populations that have a choice. They can either attempt to learn somewhat technical material and self-empower their decisions about the technology that they use or don’t use, or they can further trust other people to make those decisions for them. It is my opinion that vulnerable populations that are direct victims of surveillance should put more effort into learning technical material. It is unethical for me to make all information and operational security decisions for my students. It is also my opinion that technical educators like me have a responsibility to help bridge any gaps in learning.

Summary

Standard SMS and standard voice calls leave you vulnerable to device and infrastructure exploits (information seizure) for both content and metadata. Once installed, Signal, for Android, handles SMS which is the same in transport as standard SMS, but message content is better protected on the device. Signal can not protect standard voice calls.

Signal manages both encrypted IMs and encrypted voice calls. When you use encrypted IMs and encrypted voice calls, your message content is protected against device and infrastructure exploits. Metadata is protected against infrastructure exploits when you use encrypted IMs and encrypted voice calls, but metadata on the device is still somewhat vulnerable.

Understanding the visual models

phone-basestation
The column and row -based models shown below, one model per scenario, were made to help illustrate the different phases of text/voice communications through telco networks and other related risks.

Asset

The messages that you send people (data in motion) contain two very important things. These two things are your assets: participant metadata and message content. These two assets have to traverse your telco network and the telco network of your friend in order to work the way you expect them to. Each of the two assets is uniquely vulnerable depending on your choice of communication technologies.

The adversaries to your assets are the people who want to illegally or unethically copy your assets for themselves. Your threats are the infrastructure technologies which your adversaries have designed and control.

Device

Your messages must be generated and stored (data at rest) on your mobile device in a messages database. In order to reliably send people messages, you have a third asset that must be protected: your contacts database. It is possible that your teleco has pre-installed software on your phone that has access to your stored assets. Other common threats to data confidentiality include social media applications and syncing applications that make a copy of your messages and contacts and stores them on someone else’s servers.

Infrastructure

When you want to communicate with someone, your device has to send your messages across various infrastructure technologies to reach the person whom you wish to communicate with. I will not be going to great depth into each of the phases of telco network traversal. It is not important given the Open Whisper Systems crypto tools that you have available. What is important to understand is that if you’re using AT&T and your friend is using Verizon, messages have to traverse two completely different sets of infrastructure. When you send a single message to someone, it is likely that three different adversaries are able to copy your assets. Each adversary has completely different data retention policies, laws, and ethics.

SMS communication scenarios

Scenario 1

SMS2SMS-1
1. You send an SMS on your cell network without Signal to a friend who receives the SMS on her cell network without Signal, or vice versa.

Participant metadata and message content

1.1. Device vulnerabilities: message databases and contact databases are, by default, easily accessible to other applications installed on your mobile devices. Social media apps, message sync apps, etc, will copy these databases and put them unsafely on servers that you have minimal control over. Specifically, regarding SMSs and IMs, these companies that store your private information can observe who you talk to and when. Companies like Facebook want to know everything they can about you. Companies like Apple and Google want to make backups easy and seamless, but they store your information in such a way that they can make it available to law enforcement.

1.2. Infrastructure threats: SMS is only encrypted between your mobile device and the cell tower. At no other point in the message’s traversal to the delivery cell tower is it encrypted in such a way that a network operator or intelligence agency cannot access it. Your information was designed to be exploited when using these systems as-is. 2G/3G/4G encryption standards largely protect cellular network communication from local eavesdroppers, but those standards are weak.

Scenario 2

TS2SMS-1
2. You send an SMS on your cell network with Signal to a friend who receives the SMS on her cell network without Signal, or vice versa.

Note:

From Open Whisper Systems: “Signal does not store its encrypted database in a location that other applications are allowed to access. Android features support for isolated storage, and Signal takes advantage of this functionality. Memory contents are also protected, and recent versions of Android include ASLR which makes manipulating memory contents (or predicting the location of stored material) even more difficult.

Having said that, users should still choose strong passphrases to properly protect their message contents if their phone gets lost or stolen.”

Participant metadata and message content

2.1. Device vulnerabilities: While the message database is protected on your mobile device when Signal is managing said database, the contacts database is not. Apps can and will read or copy your contacts database unless you take additional protections to block apps from doing so. Copying your contacts database will not reveal who you necessarily communicate with, but it does show who you can communicate with and who you’ve likely communicated with. Database security presumes that your mobile device is free from existing malicious software.

2.2. Infrastructure threats: All participant metadata and message content infrastructure threats are identical to scenario 1.2.

Communication scenarios with Signal

Scenario 3

TSS2TSS-2
3a. You send an IM on your cell network with Signal to a friend who receives the IM on her cell network with Signal, or vice versa.

3b. You make a Signal call on your cell network to a friend who receives the call on her cell network with Signal, or vice versa.

Note:

On transport security, see Open Whisper Systems Is it secure? Can I trust it?

Participant metadata

3.1. Device vulnerabilities: All participant metadata device vulnerabilities are identical to scenario 2.1.

3.2. Infrastructure threats: When using Open Whisper System’s end-to-end encryption, the participant metadata of messages is protected from all aspects of “data in motion”. However, Deep Packet Inspection (DPI) by any infrastructure intermediary is capable of identifying the fact that traffic is encrypted. DPI can also fingerprint the encrypted traffic to the degree that adversaries might be able to identify you as a Signal user. This alone would not allow a teleco to know whom you communicate with. A global adversary like Five Eyes (FVEY) may be able to identify who you communicate with by fingerprinting the type of encryption and network timing analysis. This should concern you if you’re a journalist talking to a source or vice versa.

Message content

3.3. Device vulnerabilities: All message content device vulnerabilities are identical to scenario 2.1.

3.4. Infrastructure threats: When using Open Whisper System’s end-to-end encryption, the content of messages is protected from all aspects of “data in motion”.

Scenario 4

TSS2TSS-1
4a. You send an IM on your Wi-Fi with Signal to a friend who receives the IM on her Wi-Fi with Signal, or vice versa.

4b. You make a Signal call on your Wi-Fi to a friend who receives the call on her Wi-Fi with Signal, or vice versa.

Note:

Scenario 4 is nearly identical to scenario 3, except that the transport infrastructure has changed, which means the specific adversaries have, too. Conceptually, the technical threats and vulnerabilities are the same.

Participant metadata

4.1. Device vulnerabilities: All participant metadata device vulnerabilities are identical to scenario 2.1.

4.2. Infrastructure threats: All participant metadata infrastructure threats are identical to scenario 3.2.

Message content

4.3. Device vulnerabilities: All message content device vulnerabilities are identical to scenario 2.1.

4.4. Infrastructure threats: All message content infrastructure threats are identical to scenario 3.4.

Scenarios with IMSI catchers

IMSI-catchers come in many different names and capabilities. There is even a Free and Open Source Software (FOSS) version called OpenBTS that allows amateur or professional hackers to exploit the weaknesses of cellular networks. Infosec Institute made a decent guide. They all pose an abundance of threats to you and your assets.

IMSI catcher capabilities:
  1. Passively or actively extract identifiers of cellular devices such as IMSI, ESN, and MEID numbers.
  2. Passively or actively track physical locations and movements.
  3. Actively perform Denial of Service (DoS) attacks that would prevent the cellular device from connecting to a cellular network. Targeted DoS attacks can also force cellular devices to use older wireless technologies (2G or 3G) which use weaker encryption or no encryption depending on the cellular network configuration.
  4. Actively perform Man in the Middle (MitM) attacks to eavesdrop on all forms of cellular communications: SMS, voice, or data.
  5. Actively exploit baseband processors, allowing the adversary to deploy malicious software onto to the cellular device.

There is no indication that local law enforcement perform capabilities #3 or #5. However, intelligence agencies and well-funded groups are capable of such operations. It is very important to understand who your actual adversaries are in order to apply any notion of risk (threat + vulnerability).

Scenario 5

SMSIC2SMS-1
5. You send an SMS without Signal via your compromised cell network to a friend who receives the SMS on her cell network without Signal, or vice versa.

Note:

When IMSI catchers are in use, there is a higher probability of device exploitation if you are the target of the operator. Mobile device databases could be extracted, key-logging software or voice and visual recording software might be installed that will jeopardize existing and future conversations.

Participant metadata and message content

5.1. Device vulnerabilities: All participant metadata and message content device vulnerabilities are identical to scenario 1.1.

5.2. Infrastructure threats: SMS is likely not encrypted at all or the IMSI catcher was able to Man-in-the-Middle the encryption between your mobile device and the cell tower. At no point in the message’s traversal to the delivery cell tower is the message protected in any way. The IMSI catcher operator, cellular network operator, and/or intelligence agency can access the messages.

Scenario 6

TSSIC2TSS-1
6a. You send an IM on your compromised cell network with Signal to a friend who receives the IM on her cell network with Signal, or vice versa.

6b. You make a Signal call on your compromised cell network to a friend who receives the call on her cell network with Signal, or vice versa.

Note:

When IMSI catchers are in use, there is a higher probability of device exploitation if you are the target of the operator. Mobile device databases could be extracted, key-logging software or voice and visual recording software might be installed that will jeopardize existing and future conversations.

Participant metadata

6.1. Device vulnerabilities: All participant metadata device vulnerabilities are identical to scenario 2.1.

6.2. Infrastructure threats: All participant metadata infrastructure threats are identical to scenario 3.2.

Message content

6.3. Device vulnerabilities: All message content device vulnerabilities are identical to scenario 2.1.

6.4. Infrastructure threats: All message content infrastructure threats are identical to scenario 3.4.

Related adversaries + threats not discussed

  1. Intelligence agencies, companies with lots of money to spend with grudges, and global surveillance adversaries that have the ability to pin-point your mobile device and perform one-time or persistent malicious activity.
  2. Technical threats or adversaries posed by IMSI catchers are the same when connecting to your normal cell network, but the probability of exploitation may not be the same.
  3. MitM attacks, similar to IMSI catchers, can also be performed on Wi-Fi networks; technical exploitation might be different, but outcome of exploitation might be the same.
  4. Mobile devices that have already been compromised either intentionally or accidentally.
  5. Can you think of one?

Conclusion

This is the style of guide that people like journalists, activists, and lawyers need. It borders on specific technical details without getting into too many details. It is also the style of guide that needs regular maintenance (research, Q&A, feedback, editing, administration). This guide demonstrates the need of journalists, activists, and lawyers to become educated in certain areas of technological advancement.

I hope that this has proven useful to you. If you liked this blog post, tell your friends about it and talk to them about it. Talk about encryption. Talk about surveillance. People need to talk about this stuff. If you have any questions, concerns, or constructive feedback for me, please email me.

Glossary

2G/3G/4G: cellular teleco technologies that allow your cellular mobile device to talk to telco networks.

802.11 a/b/c/n: “Wi-Fi”

Android: Google’s mobile device operating system.

Asset: Something that is important to you.

BTS: See: “Base transceiver station” on Wikipedia.

IM: Instant Message. Think: AOL instant messenger or MSN instant messenger. Signal is capable of sending IMs to mobile devices using Internet data.

IMSI catcher: a device that can be used to maliciously intercept, alter, or deny your cellular network communication. It is commonly used by law enforcement, private police, private investigators, or hackers. See “IMSI-catcher” on Wikipedia.

iOS: Apple’s mobile device operating system.

ISP: Internet Service Provider. This might be your home ISP or the ISP of a coffee shop that you’re using.

Message content: the content of an SMS or IM.

Participant metadata: Any aspect of people and the communications between people. This could include, but is not limited to, who is communicating, when, for how long.

Signal: The open source application made for iOS by Open Whisper Systems. See: Notes for Signal

SMS: Short Message Service. A “text”. You usually send these to people with your phone, limited to 160 characters per message.

SMS-SC: See: “Short message service center” on Wikipedia.

SS7: See: “Signalling System No. 7” on Wikipedia.

Telco ISP: the ISP of your cellular telco network provider. It could be that your cellular network provider is also its own ISP.

Threat: A person, place, or thing that is likely to cause damage or danger to your assets.

Vulnerability: A person, place, or thing that is unable to withstand the effects of a hostile environment.

WAP: Wireless Access Point. It provides Wi-Fi.