This week, security researchers have drawn attention to an interesting finding when using Signal applications across multiple platforms.
The security number is an application feature that helps users verify the security of their messages and calls with their contacts, and is generally expected to change when either party reinstalls the application or changes devices.
End-to-end encrypted messaging applications like Signal have a security feature called a “security number” or a “security code”, sometimes represented as a QR code.
You and each contact of yours on Signal share a unique Security Number (SN) that serves as the partner’s fingerprint and helps both contacts verify the privacy of your communications.
You or your contact can open the Signal app and tap on each other’s names. If you keep tapping “Verify security number”, you will see what the security number of your pair is.
The number is represented both in human-readable numerical form and in a QR code:
If the contact reinstalls the messaging app, switches to a new phone, or changes the phone number, security number, and QR code are expected change.
Or, at least, that’s what the Signal documentation said until last month:
“The most common scenarios where a security number prompt is displayed when a contact switches to a new phone or reinstalls the signal. However, if a security number changes frequently or unexpectedly, it may be a sign that something is wrong, “read the Signal report. archived documentation, as of May 22, 2021.
But, security researchers Kelly kaoudis, John jackson, Disease codes, Y Robert Willis he discovered, when installing Signal on a new device and transferring his account, the security number of his contacts and they did not change. And contacts were not alerted to any security number changes either.
In Kaoudis’s case, the investigator was surprised to learn that the security number for her and her contact remained unchanged.
Additionally, the researchers tested this behavior on multiple platforms that are currently supported by Signal, including Linux, OSX, Android, iOS, and Windows, and claim that the security numbers would not always change between them after removal and reinstallation of the Signal app, or when to switch to a different device.
In BleepingComputer testing, uninstalling and reinstalling the Signal app on Android and iOS devices it rebooted the security number and contacts were notified of the security number change.
As such, the Bleeping Computer was unable to reproduce the issues described in the researchers report.
“In mid-May, I got a new phone. At that time I understood it with any change Upon device or installation of either party in a chat with message history, the Signal chat security number changes. “
Since their report of this issue to Signal, investigators claim that the issue was mysteriously resolved, claiming that Signal deployed patches who believe they were responsible for solving the problem.
“The most common scenarios where a security number prompt is displayed when a contact switches to a new phone or reinstalls the signal, but these actions do not always result in a security number change.“
To better understand the issue, Bleeping Computer reached out to Signal and specifically asked under what circumstances do security numbers change and when they don’t.
Signal has told Bleeping Computer that no changes have been made to the source code regarding security numbers.
Signal VP of Engineering Jim O’Leary further states that recent updates were part of normal maintenance updates and explains why security numbers may not change in all circumstances.
Secure your communications with Signal.