WebRTC DNS lookups exploited in clever hack

Signal app in the App Store

Signal has patched a security weakness in the mobile messaging app that created a potential mechanism for attackers to discover a targeted user’s approximate location.

The flaw — discovered by security researchers at Tenable — affected both iOS and Android and involved the mobile messaging app’s handling of domain name system (DNS) server requests.

Paging Signal

Signal uses its own fork of WebRTC (Web Real-Time Communication) to set up voice or video calls with remote peers.

Tenable discovered this technology was exploitable not because of an issue in Signal’s core code, but due to how Signal’s WebRTC library makes DNS requests during the process of connecting calls.

David Wells, senior research engineer at Tenable, explained: “It's not an issue within Signal’s code but the WebRTC library having some obscure features that can be abused depending on how the library is used. It's very possible that other calling apps have a similar type of issue.

“Revealing a Signal user’s DNS server can potentially reveal coarse location and in instances such as Google Public DNS and others, this attack can narrow the location down to the Signal user’s city due to usage of EDNS Client Subnet.”

Wells told The Daily Swig: “It was a small oversight in the quirks of the WebRTC. Since my initial disclosure, the Signal team has reached out to Chromium and submitted a proposed patch. These discussions are ongoing.”

The appeal of Signal, which has won plaudits from privacy champions like Edward Snowden and Bruce Schneier, is built on its prioritization of privacy and security.

Therefore any security weaknesses with its technology, even a minor slip-up as in this case, is nonetheless noteworthy.

Other messaging apps could be vulnerable to similar problems, although this remains unconfirmed.

Coarse geolocation by calling

Exploiting this security weakness would simple involve calling any Signal user and analyzing clues from the resulting call setup traffic in order to reveal a user’s approximate location, down to a region or in some cases, city.

“This vulnerability allows anyone with a person’s Signal phone number to dial their phone number and obtain coarse location information at any time,” said Wells.

“The call does not need to be answered, and location information can range from ~400-mile radius down to the exact city, depending on DNS using EDNS Client Subnet, which is not uncommon throughout a typical user’s phone usage.

“Other scenarios could involve detecting switches in ISP, which would indicate if someone is ‘at home’ or ‘at work’, for example.”

The minor security shortcoming is of no concern to the vast majority of Signal’s user base. This flaw did however pose a risk for particularly vulnerable individuals, such as activists and journalists in operating in oppressive regimes, as well as people in hiding from abusive partners or in a witness protection program.

According to Tenable, the affected Android versions are Signal v4.59.0 and up, while for iOS the affected WebRTC update was introduced in 3.8.0.34. The best course of action is to update to the patched version of Signal, Tenable advises.

The Daily Swig is yet to hear back from Signal’s developers for comment on Tenable’s research. We’ll update this story as more information comes to hand.


RELATED XSS vulnerability uncovered in Google Voice browser extension