- Telegram, WhatsApp and Signal are vulnerable to session hijacking through side-channel attacks.
- Attackers can create a shadow session to spy on or impersonate the victim.
Ever since the origin of the internet, messaging apps have been one of the most widely used classes of online products. On the other hand, they have also been a prime target for cybercriminals to execute a wide variety of attacks.
These cyber threats, as well as government surveillance in some cases, created the need for secure messaging apps, which provide end-to-end encryption as a key feature. However, even the so-called secure messaging apps like Telegram, WhatsApp and Signal are not up to the mark when it comes to protecting their users' confidential data.
An attacker can execute side-channel attacks, which exploit a vulnerability in the mobile operating system where these apps are installed, according to Cisco Talos researchers.
Issues with secure messaging
In order to provide end-to-end encryption, most messaging apps use either the MT protocol (developed by Telegram) or the Signal protocol (developed by Open Whisper Systems) or a variation of either one of these protocols.
However, attackers can rely on many other attack vectors, such as the UI framework, file storage model, and group enrollment. One such example was the vulnerability CVE-2018-1000136 found in the Electron framework, which is used by WhatsApp and Signal to build their UI.
The encryption protocols can keep communications private while in transit between two devices but cannot secure the data while it is being processed or once it has been received by the user's device. The group enrollment mechanism can also become an attack vector, as seen recently in a WhatsApp vulnerability.
As always, many end users who are not aware or educated about these kinds of threats can also end up taking actions which jeopardise their own privacy and security. Security features and implementations can also vary from platform to platform, meaning a 'secure' app could be vulnerable on a certain platform.
Different session hijacking attacks
In May 2018, Talos reported on malware named Telegrab, capable of hijacking Telegram sessions. An attacker could use locally stored session tokens from a desktop Telegram user to create a shadow session.
The researchers determined that Telegram is vulnerable to both desktop and mobile session hijacking. Desktop users are more vulnerable, as stealing session tokens is easier on a desktop than on a mobile phone. Telegram does not give any warning to a user when an attacker creates a shadow session. This means that the victim is unaware of an ongoing attack unless the victim digs deep into the app settings.
The average user is highly vulnerable in this case. On the mobile app, an attacker can read all messages and contacts until the victim explicitly terminates the shadow session.
Apart from this, on Android, a malicious application with “read SMS” and “kill background process” permissions could create a shadow session without any actions from the user. The malicious application can exploit the backup mechanism of Telegram’s registration process.
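Because a shadow session raises no warning, the session list in the app settings is where it becomes visible. The following added example (not from the Talos research or from any of the apps; the record fields, device names and timestamps are constructed assumptions) audits a transcribed session list against the devices the user enrolled themselves:

```python
from datetime import datetime, timezone

# Constructed sample: what a user might transcribe from an app's
# active-sessions / linked-devices screen. Field names are assumptions.
SESSIONS = [
    {"id": "s1", "device": "Pixel 7", "platform": "Android", "created": "2019-01-03T09:12:00+00:00"},
    {"id": "s2", "device": "ThinkPad", "platform": "Desktop", "created": "2019-01-05T18:40:00+00:00"},
    {"id": "s3", "device": "ThinkPad", "platform": "Desktop", "created": "2019-02-11T02:17:00+00:00"},
    {"id": "s4", "device": "Unknown PC", "platform": "Desktop", "created": "2019-02-11T02:19:00+00:00"},
]

# Devices the user enrolled themselves, and when the list was last reviewed.
KNOWN = {("Pixel 7", "Android"), ("ThinkPad", "Desktop")}
LAST_REVIEW = datetime(2019, 2, 1, tzinfo=timezone.utc)

def audit_sessions(sessions, known, last_review):
    """Return {session_id: [reasons]} for sessions that need a manual look."""
    findings = {}
    seen = {}  # (device, platform) -> id of the earliest session with that label
    for s in sorted(sessions, key=lambda s: datetime.fromisoformat(s["created"])):
        reasons = []
        key = (s["device"], s["platform"])
        created = datetime.fromisoformat(s["created"])
        if key not in known:
            reasons.append("device not enrolled by user")
        if key in seen:
            # Two live sessions under one device label: one may be a copy.
            reasons.append(f"duplicate of {seen[key]}: same device label, second session")
        else:
            seen[key] = s["id"]
        if created > last_review:
            reasons.append("created after last review")
        if reasons:
            findings[s["id"]] = reasons
    return findings

if __name__ == "__main__":
    for sid, reasons in audit_sessions(SESSIONS, KNOWN, LAST_REVIEW).items():
        print(sid, "->", "; ".join(reasons))
```

Any flagged session the user cannot account for should be terminated from the same settings screen.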
Signal, which is very popular among people dealing with confidential information, is also vulnerable to session hijacking. In Signal, session creation works as a race condition, which means that an attacker using stolen session tokens needs to beat the user in creating a session. On the desktop, users get an error message, but on the mobile phone the malicious activity would go unnoticed.
Furthermore, a hacker, after gaining access, could delete the user’s original session to prevent him/her from receiving any alerts regarding the malicious activity. Once the attacker gets access to the victim’s messages and contacts, it is very hard for a victim to identify the hacker’s impersonation.
The most widely used messaging app, WhatsApp, is also not entirely safe from desktop session hijacking, even though it does alert users when an attacker tries to create a shadow session. The flaw, in this case, is that if the user is away from their desktop when the warning pops up, or takes some time to act on the warning, the attacker gets a short window within which they can access all the contacts and previous messages.
This kind of session hijacking was predicted by the Signal developers while building the Sesame protocol - their session management protocol. In their security considerations, they stated, “Security is catastrophically compromised if an attacker learns a device's secret values, such as the identity private key and session state.”
Although end-to-end encryption prevents loss of information while in transit, secure messaging apps need to do a better job when it comes to protecting application state and user information.