Open Whisper Systems announced this week that it’s working on a new private contact discovery service for its privacy-focused communications app Signal.
Signal has become highly popular with individuals who value their privacy, and it was recently approved even by the U.S. Senate for official use by staff members.
While communications through Signal are protected against both hackers and government snooping, there is one feature that can still be improved from a privacy standpoint, namely contact discovery.
Currently, when a user signs up for Signal, the phone numbers in their device’s address book are compared to entries in a database on Open Whisper Systems servers to determine which contacts use the messaging app. While the verification relies on truncated SHA256 hashes of the phone numbers and not cleartext data, these hashes can in most cases be cracked.
In theory, this should not be a problem as Open Whisper Systems does not log contact discovery requests and makes the Signal source code publicly available in order to prove it. However, there is always the possibility that someone – including hackers or a government agency – modifies the code on Signal servers and starts logging contact discovery requests.
In order to prevent this, Signal developers have been trying to find a way to implement truly private contact discovery. The solution seems to lie in Intel’s Software Guard Extensions (SGX) technology.
Intel SGX allows application developers to protect certain pieces of code and data from disclosure or modifications by placing them in a secure area of execution in the memory called an “enclave.”
Signal developers have been working on running a contact discovery service in such an SGX enclave. When the client performs contact discovery, encrypted identifiers from the address book are transmitted over a secure connection directly to the enclave running the discovery service. The service looks up the contact information in the database of registered users and the results are sent back to the client in an encrypted form.
Another important security feature provided by SGX is that it supports what is called “remote attestation.” Remote attestation allows the client to ensure that the code running in the enclave is as expected – in Signal’s case, it ensures that the code from the enclave is the same as the source code made public by Open Whisper Systems.
“Since the enclave attests to the software that’s running remotely, and since the remote server and OS have no visibility into the enclave, the service learns nothing about the contents of the client request. It’s almost as if the client is executing the query locally on the client device,” explained Moxie Marlinspike, the founder of Open Whisper Systems.
While this sounds like a straightforward process, there are many challenges that Signal developers need to overcome. The private contact discovery service is currently a beta technology preview, but Open Whisper Systems hopes to have it integrated into clients in the next few months.
In the meantime, the source code for the private contact discovery service can be analyzed by anyone.
The use of Intel’s SGX technology can have many benefits, but researchers demonstrated recently that it can also be abused for malicious purposes. A team from an Austrian university showed in March that malware running on SGX can attack the host and extract RSA private keys.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
Latest News
- Russian Millionaire on Trial in Hack, Insider Trade Scheme
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data
- Russia-Linked APT29 Uses New Malware in Embassy Attacks
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
