Framed by OPTF is a newsletter about tech, people, and human rights. We dive into real-world tech issues that are impacting people’s rights, share our thoughts about digital privacy and security, and re-imagine the way we think about tech-for-good.
Last time we spoke about how Australian climate protesters were being targeted by harsh cyber-restrictions. Well, once again we’ve got cyberattacks being used to target specific people — but this time it’s technical, not legal. In a situation that is still developing as I write this, (currently) unknown hackers were able to gain control of Motherboard writer Lorenzo Franceschi-Bicchierai’s Signal account in what appears to be a targeted attack.
Here’s what we know so far 👇
🚫 Hackers and the honeypots
At the moment Signal is pretty much the de facto messaging app for anyone who wants to communicate securely. Journalists, human rights defenders, and just regular people who are thinking twice about Meta’s WhatsApp have been signing up for Signal in big numbers over the last couple of years. Signal offers cutting-edge security features and encryption schemes which have pushed the entire world of secure messaging forward — the Signal protocol has been implemented in popular apps like WhatsApp, Messenger, and Skype (although Skype and Messenger have encryption off by default).
But Signal does have one major weakness: phone numbers. Users have long lamented the requirement for a phone number to register, re-register, and contact people on Signal. This leaves users open to phone number-based leaks, like when Mark Zuckerberg was outed as a Signal user last year.
Signal isn’t alone here: signing up to services using a mobile number has become the norm. You know the drill — you enter your number into a form, then you receive an SMS with a code, and that code is treated as adequate authentication to add you as a user of the service. Signal does it. Telegram does it. Facebook does it. Even the platform used to order a round of drinks at the local bar does it. It’s simple, easy and frictionless. But is it safe and secure?
Well, until last week not many people seemed too concerned about it. But after Twilio, a company that provides SMS-based services, including authenticating users through SMS, was hacked, there’s a need for us all to think twice about how services that use our mobile numbers for logging in and/or authentication may be vulnerable.
Twilio has over 150,000 corporate clients, and the hackers accessed data belonging to 125 of them. One of those clients was Signal — who reported last week that data from 1,900 of their users had been stolen.
Signal being Signal, they have serious security features and clever architecture to protect user data even in breaches like this — things like message history, block lists, and contact lists were safe. Phew. But other apps wouldn’t be so lucky.
In the Twilio hack, the attackers targeted 3 specific Signal users, and managed to re-register one account to a malicious device. This was the account of Lorenzo Franceschi-Bicchierai, whose account was under the control of the hackers for around 13 hours. During those 13 hours, the hackers would have been able to impersonate Lorenzo — sending and receiving messages to other users on Signal using his account. Signal does have a feature to protect against this kind of attack, registration locking, but Lorenzo wasn’t using it when the hackers came knocking — a lesson in the importance of having security- and privacy-preserving features enabled by default.
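To make the trust boundary concrete, here is a small simulation of the registration flow described above. It is an added example, not Signal’s or Twilio’s code: the SMS provider is modelled as a party that necessarily sees every one-time code, and a registration lock is modelled as a PIN that only the account holder knows and that never crosses the SMS channel. The service, class names, sample number and PIN hashing are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

class SmsGateway:
    """Constructed stand-in for an SMS provider; it necessarily sees every code it delivers."""
    def __init__(self):
        self.delivered = {}  # number -> last code delivered; this is what a provider breach exposes

def _hash_pin(pin):
    return hashlib.sha256(pin.encode()).hexdigest()  # simplified; real services use a slow, salted KDF

class RegistrationService:
    """Registration where the SMS code is the only proof of ownership unless a lock PIN is set."""
    def __init__(self, gateway):
        self.gateway = gateway
        self.pending = {}   # number -> code we expect back
        self.accounts = {}  # number -> {"device": str, "lock": hashed PIN or None}

    def request_code(self, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        self.gateway.delivered[number] = code  # hand the code to the provider for delivery

    def set_registration_lock(self, number, pin):
        self.accounts[number]["lock"] = _hash_pin(pin)

    def register(self, number, code, device, pin=None):
        if not hmac.compare_digest(self.pending.get(number, ""), code):
            return "rejected: bad code"
        lock = self.accounts.get(number, {}).get("lock")
        # The PIN never travels over SMS, so a compromised provider cannot supply it.
        if lock is not None and (pin is None or not hmac.compare_digest(lock, _hash_pin(pin))):
            return "rejected: registration lock"
        self.pending.pop(number)
        self.accounts[number] = {"device": device, "lock": lock}
        return "registered"

def device_after_provider_breach(lock_enabled, number="+15550100"):  # constructed sample number
    """Device holding the number after a re-registration attempt using only the delivered code."""
    gateway = SmsGateway()
    service = RegistrationService(gateway)
    service.request_code(number)
    service.register(number, gateway.delivered[number], "owner-phone")  # legitimate sign-up
    if lock_enabled:
        service.set_registration_lock(number, "2468")  # PIN known only to the owner
    service.request_code(number)
    service.register(number, gateway.delivered[number], "unknown-device")
    return service.accounts[number]["device"]
```

Without the lock, whoever can read the provider’s delivered codes ends up holding the number; with the lock, the same attempt is rejected and the owner’s device stays registered.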
We are Signal fans. The app has helped many people feel more secure, and it’s got infinitely more security integrity than Zuck’s WhatsApp or FB Messenger. And Session — the private messaging app we’ve built — was a fork of Signal. But Session has one significant differentiator: it's designed from the bottom up to be metadata-less. That is, there is no requirement to tie your mobile number, or any other piece of identifying information, to the app in order to use it.
The hacking will no doubt continue, and honeypots like Twilio will keep on being targeted. We need to remind people to be extra cautious when using services that ask for your mobile number or even your physical address.
We don’t want to use this moment as a “we told you so” opportunity, but we feel it’s our responsibility to remind people who require the highest level of digital privacy and security that they should be wary of using communications apps or any other digital service that requires a mobile number as part of their sign-up process.
OPTF Housekeeping
New posts and videos
Kee Jefferys and Alex Linton spoke to a number of privacy enhancing tech (PET) researchers while they were at the recent PET Symposium. Here are three to check out:
World Ethical Data Forum 2022
OPTF and Session are proud to support this year’s WEDF - happening in late October. We’ll be participating in the forum, and encourage you to register here.
Research
If you are interested in research related to digital safety practice and internet freedom in South and Southeast Asia, specifically Cambodia, Indonesia, Maldives, Nepal, the Philippines and Sri Lanka, Through The Looking Glass: Digital Safety and Internet Freedom in South and Southeast Asia was released in July, and you can download it here.
Other updates
● Join the Session email newsletter to receive the latest updates and information about new features.
● Join the Oxen email newsletter to get our monthly wrap updates on our products, and what others are saying about our work.
● If you are more technically oriented, then check out our development updates for the latest bug fixes and technical updates of our products.
As usual, we’d love your feedback on what we do at OPTF.
Stay safe everyone! Until next time,
The OPTF Team