A vulnerability in the secure messaging app Signal could let a bad actor track a user’s location, according to findings from cybersecurity firm Tenable.
Researcher David Wells found that he could track a user’s movements just by calling their Signal number — whether or not the user had his contact information. This could be a big problem for victims of stalking, or for activists and journalists who are trying to avoid government or law enforcement detection to leak information or act in a whistleblower capacity.
There are two aspects to the vulnerability, Wells said. One is that if two Signal users have each other as contacts, it’s possible for them to determine each other’s location and IP address by calling, even if the person being called doesn’t answer the phone.
“That feature is not well advertised, and it’s interesting that someone could disclose your location if they’re your contact,” Wells said. “That’s kind of odd.”
It turns out that even if you don’t have a person in your contacts list, they can still roughly determine your location just by calling you on Signal. This works even if you don’t pick up or see the call.
“Let’s say I have a burner phone and I just ring your phone, and I do it so quickly that all you see is a missed call from some number,” Wells said. It turns out that’s enough for the caller to see what DNS server your phone automatically connects to. “Usually, it’ll be somewhat near you,” Wells continued. “So I can force that DNS server [near you] to talk to me. By getting that information, I know what DNS server you’re using and I can determine your general location.”
“The core of the issue is that you’re helpless,” Wells said. Simply by calling your phone, which you can’t control, a threat actor could determine your general location.”
“It’s not like clicking on a link [as in phishing],” he said. “Anyone can do this to you.”
Signal has not yet responded to questions from Digital Trends about whether this patch will be included in the next app update, but Wells told Digital Trends that he heard the team was working on it.
Signal recently announced it would be rolling out PIN numbers for people to use instead of phone numbers, which may help plug the security hole.
The vulnerability also has limitations. The method isn’t 100% reliable; at one point, Wells called an associate in Pennsylvania as an experiment, and the associated DNS server that responded was 400 miles away in Toronto.
“It’s very coarse,” Wells admitted.
The researcher also wasn’t able to determine a person’s specific address, for example. But when a callee’s phone connected to certain servers, he was able to see clearly what city they were in and track their daily movements.
“We’re not cracking Signal’s encryption or saying don’t use Signal. The sky isn’t falling,” he said. “But for a certain subset of people, this is going to be a problem.”