The recent Twilio hack raises important questions about the vulnerability of SMS-based verification – where users receive an SMS with a special code to verify or confirm that they have access to the mobile number used to register for a service. In OPTF’s latest Framed newsletter, we explore the Twilio hack and the vulnerability of using SMS to authenticate users.
Hackers and the honeypots
At the moment Signal is pretty much the de facto messaging app for anyone who wants to communicate securely. Journalists, human rights defenders, and just regular people who are thinking twice about Meta’s WhatsApp have been signing up for Signal in big numbers over the last couple of years. Signal offers cutting-edge security features and encryption schemes which have pushed the entire world of secure messaging forward — the Signal protocol has been implemented in popular apps like WhatsApp, Messenger, and Skype (although Skype and Messenger have encryption off by default).
But Signal does have one major weakness: phone numbers. Users have long lamented the requirement for a phone number to register, re-register, and contact people on Signal. This leaves users open to phone number-based leaks, like when Mark Zuckerberg was outed as a Signal user last year.
Signal isn’t alone here: signing up to services using a mobile number has become the norm. You know the drill — you enter your number into a form, then you receive an SMS with a code, and entering that code is treated as adequate authentication to add you as a user to the service. Signal does it. Telegram does it. Facebook does it. Even the platform used to order a round of drinks at the local bar does it. It’s simple, easy and frictionless. But is it safe and secure?
Well, until last week not many people seemed too concerned about it. But now that Twilio — a company that provides SMS-based services, including authenticating users through SMS — has been hacked, we all need to think twice about how services that use our mobile numbers for logging in and/or authentication may be vulnerable.
Twilio has over 150,000 corporate clients, and the hackers accessed data belonging to 125 of them. One of those clients was Signal, which reported last week that data from 1,900 of its users had been stolen.
Signal being Signal, they have serious security features and clever architecture to protect user data even in breaches like this — things like message history, block lists, and contact lists were safe. Phew. But other apps wouldn’t be so lucky.
In the Twilio hack, the attackers targeted 3 specific Signal users, and managed to re-register one account to a malicious device. This was the account of Lorenzo Franceschi-Bicchierai, which was under the control of the hackers for around 13 hours. During those 13 hours, the hackers would have been able to impersonate Lorenzo — sending and receiving messages to other users on Signal using his account. Signal does have a feature to protect against this kind of attack — registration locking — but Lorenzo wasn’t using it when the hackers came knocking: a lesson in the importance of having security- and privacy-preserving features enabled by default.
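As an added illustration (a toy model constructed for this newsletter, not Signal’s or Twilio’s code), the registration service below shows why anyone who can read the SMS codes a provider delivers can re-register a number, and why a registration lock PIN, which the SMS provider never handles, stops that re-registration:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed toy model of phone-number registration; not Signal's or Twilio's code.
# Every verification code passes through the SMS provider, so whoever controls the
# provider can present a valid code; a registration lock PIN never travels over SMS.
def _hash_pin(pin: str) -> bytes:
    # Fixed salt keeps the model short; a real service salts per account.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), b"demo-salt", 50_000)

@dataclass
class Account:
    device: str
    lock_hash: Optional[bytes] = None  # None means registration lock is off

class RegistrationService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, str] = {}  # number -> outstanding SMS code

    def send_code(self, number: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        return code  # handed to the SMS provider for delivery

    def register(self, number: str, code: str, device: str, pin: Optional[str] = None) -> bool:
        # The outstanding code is consumed whether or not the attempt succeeds.
        if not hmac.compare_digest(self.pending.pop(number, ""), code):
            return False
        existing = self.accounts.get(number)
        if existing and existing.lock_hash is not None:
            if pin is None or not hmac.compare_digest(existing.lock_hash, _hash_pin(pin)):
                return False  # a valid SMS code alone is not enough
        self.accounts[number] = Account(device, existing.lock_hash if existing else None)
        return True

def takeover_demo(lock_enabled: bool) -> str:
    """Which device owns the number after someone with SMS access re-registers it."""
    svc = RegistrationService()
    number = "+15555550100"  # constructed sample number
    svc.register(number, svc.send_code(number), device="victim-phone")
    if lock_enabled:
        svc.accounts[number].lock_hash = _hash_pin("2468")  # user enables the lock
    # Whoever controls the SMS channel sees this code, but not the PIN.
    svc.register(number, svc.send_code(number), device="attacker-device")
    return svc.accounts[number].device
```

Without the lock, `takeover_demo(False)` hands the number to the attacker’s device; with it, `takeover_demo(True)` leaves the number on the victim’s phone.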
We are Signal fans. The app has helped many people feel more secure, and it’s got infinitely more security integrity than Zuck’s WhatsApp or FB Messenger. And Session — the private messaging app we’ve built — was a fork of Signal. But Session has one significant differentiator: it’s designed from the bottom up to be metadata-less. That is, there is no requirement to tie your mobile number or any other piece of identifiable information to your use of the app.
The hacking will no doubt continue, and honeypots like Twilio will keep on being targeted. We need to remind people to be extra cautious when using services that ask for your mobile number or even your physical address.
We don’t want to use this moment as a “we told you so” opportunity, but we feel it’s our responsibility to remind people who require the highest level of digital privacy and security that they should be wary of using communications apps or any other digital service that requires a mobile number as part of its sign-up process.