SecurityWeek

Signal PINs Allow Users to Recover Data When Switching Phones

Encrypted messaging service Signal has announced the introduction of a new feature that allows users to recover their data if they switch to a new device.

Offering end-to-end encrypted conversations, Signal was designed so that users' data stays on their device and is never stored on Signal's servers. The flip side of that design is that, if a user's phone is lost or stolen, the data cannot be recovered.

The new feature, Signal PINs, is based on Secure Value Recovery, which the company introduced in December, and is meant to let users restore data such as their profile, settings, and blocked users when switching to a new device. The PIN itself is not sent to Signal: it is stretched on the device and used to protect a recovery key that is held in a rate-limited secure enclave, which is what makes a short PIN defensible against brute-force guessing.

Signal has also been adding features, such as the ability to chat with contacts who aren't saved in the phone's address book, that create data which exists only inside Signal and would be lost forever together with the device.

With the introduction of PINs, Signal wants to change that: to let users carry some of their data over to a new device, and to lay the groundwork for addressing that isn't based on phone numbers (users will no longer rely solely on the address book to maintain their network of contacts).

The Signal PINs will be at least 4 digits, with longer PINs and alphanumeric codes also supported.

“Because Signal doesn’t have access to your keys – or your data – your PIN isn’t recoverable if you forget it, so our apps help you remember your PIN with periodic reminders. Don’t worry, these reminders get less frequent over time,” Signal says.
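The model below is an added illustration of why a PIN-protected recovery key can survive a lost phone but not a forgotten PIN, and why a rate-limited server-side store is what makes a four-digit PIN acceptable. It is not Signal's code or protocol: the names RecoveryServer, stretch_pin, derive_subkeys, enroll and recover_master are assumptions for this demo, scrypt stands in for the memory-hard KDF, an in-memory dictionary with a guess counter stands in for the secure enclave, and a toy HMAC-SHA256 keystream stands in for a real AEAD (the Python standard library has none). The profile blob is constructed sample data.

```python
"""Illustrative PIN-based key recovery (not Signal's implementation)."""
import hashlib
import hmac
import os
import secrets


def stretch_pin(pin: str, salt: bytes) -> bytes:
    """Memory-hard stretching so every guess, online or offline, costs real work.
    scrypt is a stand-in for the KDF a production system would use."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def derive_subkeys(stretched: bytes) -> tuple[bytes, bytes]:
    """Split the stretched PIN into an auth token (sent to the server) and a
    key-encryption key (never leaves the device)."""
    auth = hmac.new(stretched, b"auth", hashlib.sha256).digest()
    kek = hmac.new(stretched, b"kek", hashlib.sha256).digest()
    return auth, kek


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RecoveryServer:
    """Models the rate-limited recovery store (assumed name). It only ever sees
    the auth token and the wrapped master key, never the PIN or the master key,
    and destroys the record after max_tries wrong auth tokens."""

    def __init__(self, max_tries: int = 5) -> None:
        self.records: dict[str, dict] = {}
        self.max_tries = max_tries

    def store(self, user: str, auth: bytes, wrapped: bytes) -> None:
        self.records[user] = {"auth": auth, "wrapped": wrapped, "tries": 0}

    def recover(self, user: str, auth: bytes) -> bytes:
        rec = self.records.get(user)
        if rec is None:
            raise KeyError("no record: never stored, or destroyed after too many guesses")
        if not hmac.compare_digest(rec["auth"], auth):
            rec["tries"] += 1
            if rec["tries"] >= self.max_tries:
                del self.records[user]  # the wrapped key is gone for good
                raise PermissionError("guess limit reached; wrapped key destroyed")
            raise PermissionError(f"wrong PIN, {self.max_tries - rec['tries']} tries left")
        rec["tries"] = 0
        return rec["wrapped"]


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    blocks = length // 32 + 1
    return b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC for the demo; use a real AEAD in practice."""
    nonce = os.urandom(16)
    ct = xor_bytes(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("tag mismatch: wrong key or tampered blob")
    return xor_bytes(ct, _keystream(key, nonce, len(ct)))


def user_salt(user: str) -> bytes:
    """Per-user salt derived from the account identifier (demo choice)."""
    return hashlib.sha256(b"pin-salt:" + user.encode()).digest()


def enroll(server: RecoveryServer, user: str, pin: str) -> bytes:
    """Old device: create a random master key and park it, wrapped, on the server."""
    master = secrets.token_bytes(32)
    auth, kek = derive_subkeys(stretch_pin(pin, user_salt(user)))
    server.store(user, auth, xor_bytes(master, kek))
    return master


def recover_master(server: RecoveryServer, user: str, pin: str) -> bytes:
    """New device: the PIN alone is enough to get the master key back."""
    auth, kek = derive_subkeys(stretch_pin(pin, user_salt(user)))
    return xor_bytes(server.recover(user, auth), kek)


def demo() -> dict:
    server = RecoveryServer(max_tries=5)
    profile = b"profile=Alice;blocked=+15550001111"  # constructed sample data
    master = enroll(server, "alice", "1234")
    blob = seal(master, profile)
    restored = open_sealed(recover_master(server, "alice", "1234"), blob)
    rejected = 0
    for _ in range(5):  # attacker guessing a wrong PIN
        try:
            recover_master(server, "alice", "0000")
        except PermissionError:
            rejected += 1
    try:
        recover_master(server, "alice", "1234")
        destroyed = False
    except KeyError:
        destroyed = True  # even the right PIN no longer helps
    return {"restored": restored == profile, "rejected": rejected, "destroyed": destroyed}
```

The server holds nothing it can use on its own: without the PIN-derived key the wrapped master key is a random-looking string, and the only way to learn the PIN is to guess online against the counter. That is also why the quote above holds: a forgotten PIN leaves nobody, Signal included, able to unwrap the key.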

This week, Signal also addressed a vulnerability in its service that could have allowed attackers to identify a user's DNS server simply by ringing their Signal number.

Tracked as CVE-2020-5753, the issue stems from WebRTC performing DNS requests and does not reside in Signal's own code, meaning that other messaging applications built on WebRTC might be affected as well, explains Tenable security researcher David Wells, who discovered the bug.

What he found was that, although Signal does not share users' IP addresses, WebRTC's use of "signaling" to identify a valid connection path between peers could be abused to force a DNS lookup on the target's phone while it is ringing, before the Signal user answers the call.

The vulnerability was addressed with the release of version 4.59.11 of Signal Messenger for Android, and version 3.8.4 of Signal for iOS.

Related: Signal Rushes to Patch Serious Eavesdropping Vulnerability

Related: WhatsApp Defends Encryption as It Tops 2 Billion Users

Related: Secure Messaging Applications Prone to Session Hijacking

Written by Ionut Arghire, international correspondent for SecurityWeek.
