US NSA alerts iPhone, Android users to vulnerability in messaging apps – Charm

The US National Security Agency (NSA) has issued a crucial warning to iPhone and Android users, highlighting the risks associated with secure messaging apps.

While these apps are generally secure, their safety is only as strong as the user’s behavior. Millions of users unknowingly make simple mistakes that can expose their phones to attacks, News.Az reports, citing Forbes.

That was the crux of the NSA’s warning that has now been made public and which has been headlined as a Signal vulnerability in the wake of Trump officials inadvertently inviting a journalist onto a sensitive group chat. But it’s not. It’s a user vulnerability. The NSA notification is a warning to change messaging settings.

The NSA warning last month was prompted by Google’s Threat Intelligence Group discovering Russia’s GRU was tricking Ukrainian officials into opening access to their Signal accounts, allowing the Russians to listen in. This wasn’t a Signal flaw — the app was working as intended. And it wasn’t limited to Signal. Google warned “this threat also extends to other popular messaging applications such as WhatsApp and Telegram.”

The two “vulnerabilities” relate to features in both Signal and WhatsApp that make them easier to use. Linked Devices and Group Links. The first enables you to sync and access your secure messaging apps on all your eligible devices. The second provides a simple way for you to invite new members into a group chat by sending them a link, rather than adding them one-by-one from within the group.

The Group Link threat only extends to the group itself, and is easily mitigated. In Signal, disable the Group Link from within the group’s settings. In WhatsApp you don’t have that option, but do not use links for sensitive groups; you should also set sensitive groups in WhatsApp such that only Admins can add members.

The Linked Devices option is much more dangerous as it can establish a fully sync’d replica of your messaging app on someone else’s device. But again this risk is easily mitigated. In both apps there is a clear settings menu entitled “Linked Devices.” Go there now and unlink any device you don’t 100% recognize as belonging to you. If in doubt, remove. You can always add it back later if you make a mistake. On both apps, your primary phone is the base and all other devices can be linked and unlinked there.

There is a twist to this. In the Russian attack, the Signal group invite link was hijacked to link a device instead, a vulnerability in the invite coding and mechanics, but not the app itself. But there is no way for someone to link a device without it showing in your settings per above. Regularly checking those links is key. It’s also worth periodically unlinking browser “web app” links (as opposed to apps) and relinking. The other advice is to not click group links unless they’re expected and you can vouch for the sender.

The NSA’s other messaging advice should be common sense. Set and regularly change your app PIN and enable the screen lock. Do not share contact or status info, certainly not outside your contacts. The DOD agency also recommends keeping phone and app contacts a separate, albeit that’s painful for everyday use.

The concept of secure messaging is widely misunderstood. End-to-end encryption is a transmission safeguard. Content is scrambled by your device and unscrambled when it reaches a recipient. Each end (phones in a chat) is vulnerable to a compromise of that device, a user saving content, or the wrong person invited into a group. None of these apps are bulletproof if your other security is flawed or you make a mistake.

NSA is not alone in calling out Signal as the headline act when it comes to secure commercial messaging platforms used by politicians and other officials. America’s cyber defense agency did the same in the wake of China’s Salt Typhoon hacks on U.S. networks. “Use only end-to-end encrypted communications,” CISA said. “Adopt a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or similar app.”

With interesting timing, WhatsApp — the most popular secure messenger worldwide, which uses the same Signal encryption protocol and Signals itself — has just made that easier. iPhone users can now select WhatsApp as their default texting and calling app. The platform update that delivers this new capability is rolling out this weekend. In Settings — Apps, select “Default Apps” and change “Messaging and “Calls” options.

But again, that doesn’t change the user/device vulnerability that will always leave secure messaging at risk. “The biggest risk of eavesdropping on a Signal conversation comes from the individual phones that the app is running on,” says Foreign Policy. “While it’s largely unclear whether the U.S. officials involved had downloaded the app onto personal or government-issued phones… smartphones are consumer devices, not at all suitable for classified U.S. government conversations.”

This is especially acute given that “an entire industry of spyware companies sells capabilities to remotely hack smartphones for any country willing to pay.” These are the forensic exploits that have plagued iPhones and Androids this year. And so just as it’s critical to apply the right messaging settings, it’s also critical to keep your phone updated, to avoid risky apps, and to stop clicking on links or unexpected attachments.

News.Az

Source link

Visited 1 times, 1 visit(s) today

Leave a Reply Cancel reply

Related News

Tesla is about to lose the $7,500 EV tax credit – again – and this time the cliff is a lot steeper

Cellphones banned in Kentucky classrooms, districts will set their own policies | Education