Signal PINs Allow Users to Recover Data When Switching Phones

Encrypted messaging service Signal has announced the introduction of a new feature that allows users to recover their data if they switch to a new device.

Offering end-to-end encrypted conversations, Signal was built so that users’ information is always kept private and never sent to a server. This means that, if a user’s phone is lost or stolen, the data cannot be retrieved.

The new feature, Signal PINs, is based on Secure Value Recovery, which the company introduced in December, and is meant to help users import data such as profile, settings, and blocked users when switching to a new device.

Signal has recently been adding new features, such as the ability to chat with contacts that aren’t saved in an address book, and without a recovery mechanism some of that data might be lost forever.

With the introduction of PINs, Signal wants to change that, to help users transfer some data to a new device if needed, and to facilitate new addressing that isn’t based on phone numbers (users will no longer rely solely on the address book to maintain a network of contacts).

The Signal PINs will be at least 4 digits, with longer PINs and alphanumeric codes also supported.

“Because Signal doesn’t have access to your keys – or your data – your PIN isn’t recoverable if you forget it, so our apps help you remember your PIN with periodic reminders. Don’t worry, these reminders get less frequent over time,” Signal says.
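The principle behind the quoted statement, that data protected under a PIN cannot be recovered when the PIN is forgotten, can be shown with the following added Python example. It is not Signal’s code and does not reproduce Secure Value Recovery; it uses a constructed PIN, PBKDF2 from the standard library and an HMAC tag to wrap a random recovery key, and assumes that only the wrapped blob (never the PIN or the unwrapped key) would ever be stored by a server.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed parameters for this demonstration; not Signal's actual settings.
PBKDF2_ITERATIONS = 200_000
KEY_LEN = 32


def wrap_recovery_key(pin: str, recovery_key: bytes) -> dict:
    """Protect a 32-byte recovery key under a user PIN.

    The PIN is stretched with PBKDF2 into two halves: a one-time pad that is
    XORed over the recovery key, and an HMAC key used to produce a tag. The
    returned blob reveals nothing about the key without the PIN, and the tag
    lets a client distinguish a wrong PIN from a correct one.
    """
    if len(recovery_key) != KEY_LEN:
        raise ValueError("recovery key must be %d bytes" % KEY_LEN)
    salt = os.urandom(16)
    stretched = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), salt, PBKDF2_ITERATIONS, dklen=2 * KEY_LEN
    )
    pad, mac_key = stretched[:KEY_LEN], stretched[KEY_LEN:]
    wrapped = bytes(a ^ b for a, b in zip(recovery_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_recovery_key(pin: str, blob: dict) -> Optional[bytes]:
    """Recover the key from a blob; returns None when the PIN is wrong.

    A wrong PIN yields a different stretched value, so the HMAC tag fails to
    verify and nothing is returned. Neither the blob nor the holder of the blob
    can reverse the PBKDF2 step, which is why a forgotten PIN is unrecoverable.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), blob["salt"], PBKDF2_ITERATIONS, dklen=2 * KEY_LEN
    )
    pad, mac_key = stretched[:KEY_LEN], stretched[KEY_LEN:]
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


def demo() -> bool:
    """Round-trip a constructed PIN and show that a near-miss PIN fails."""
    recovery_key = secrets.token_bytes(KEY_LEN)
    blob = wrap_recovery_key("4837", recovery_key)  # constructed sample PIN
    correct = unwrap_recovery_key("4837", blob) == recovery_key
    wrong_rejected = unwrap_recovery_key("4838", blob) is None
    return correct and wrong_rejected


if __name__ == "__main__":
    print("recovery round-trip ok:", demo())
```

Note the caveat this example makes visible: with a short numeric PIN the stretching cost alone cannot protect the blob against anyone who obtains it, because the PIN space is tiny. That is why a client-side wrap of this kind must be paired with a component that limits guessing, which is the role a recovery service such as Signal’s has to fill for short PINs; the article’s advice to choose longer or alphanumeric PINs widens that space.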

This week, Signal also addressed a vulnerability in its service, which could have allowed attackers to identify a user’s DNS server by ringing their Signal number.

Tracked as CVE-2020-5753, the issue exists because WebRTC performs DNS requests, and it does not reside in the Signal code itself, meaning that other messaging applications might be impacted as well, Tenable security researcher David Wells, who discovered the bug, explains.

What he discovered was that, although Signal does not share users’ IP addresses, WebRTC’s use of “signaling” to identify a valid connection path for communication between peers could be abused to force a DNS lookup when the target’s phone is rung, before the Signal user answers the call.

The vulnerability was addressed with the release of version 4.59.11 of Signal Messenger for Android, and version 3.8.4 of Signal for iOS.

Related: Signal Rushes to Patch Serious Eavesdropping Vulnerability

Related: WhatsApp Defends Encryption as It Tops 2 Billion Users

Related: Secure Messaging Applications Prone to Session Hijacking