Users their own worst enemy when it comes to encrypted messaging apps

David Bisson (@DMBisson)

Security researchers have found that user error can be responsible for compromising the exchanges of encrypted communications apps.

A little background might be helpful. Secure communication apps like RedPhone and Signal, the latter of which was released for Android in November, often display to correspondents who wish to call or text one another a checksum, or a short authentication string of words.

If the checksum is identical on both users’ phones or computer screens, they know that their conversation is secure and that it has not been breached by an uninvited guest.
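To make the mechanism concrete, here is an added toy model (not code from the article, RedPhone or Signal) of how a short authentication string is derived and why an intercepted call produces mismatching strings. The Diffie-Hellman parameters, the 64-entry word list and the helper names are all constructed for this illustration; real apps use a full-strength key agreement and a standard word list.

```python
"""
Toy model of the short-authentication-string (SAS) check:
both endpoints hash the public values they exchanged and turn the
hash into a couple of words for the users to compare out loud.
Constructed for illustration only; not the real RedPhone/Signal protocol.
"""
import hashlib
import secrets
from dataclasses import dataclass

# Toy Diffie-Hellman group. 2^127 - 1 is prime, but this size is far too
# small for real use; it is only here so the example runs quickly.
P = (1 << 127) - 1
G = 2

# Constructed word list (real SAS schemes use larger standard lists).
WORDS = [
    "apple", "bridge", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pepper",
    "quarry", "rocket", "saddle", "temple", "umpire", "violin", "walnut", "yellow",
    "zebra", "anchor", "basket", "cactus", "donkey", "engine", "falcon", "glacier",
    "hammer", "ivory", "jungle", "kernel", "lantern", "magnet", "nickel", "oyster",
    "pencil", "quiver", "ribbon", "silver", "tunnel", "urchin", "velvet", "wizard",
    "xenon", "yogurt", "zipper", "amber", "butter", "cobalt", "desert", "ember",
    "fossil", "goblet", "helmet", "iris", "jigsaw", "kiwi", "lemon", "meadow",
]


def keypair():
    """Random private exponent and the matching public value."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def fingerprint(caller_pub, callee_pub):
    """SHA-256 over the two public values in a fixed order (caller first),
    so honest endpoints that saw the same values compute the same digest."""
    h = hashlib.sha256()
    h.update(caller_pub.to_bytes(16, "big"))
    h.update(callee_pub.to_bytes(16, "big"))
    return h.digest()


def sas_words(fp, n=2):
    """Map the first n bytes of the fingerprint to n words for users to compare."""
    return " ".join(WORDS[b % len(WORDS)] for b in fp[:n])


@dataclass
class View:
    """What one endpoint ends up with: its shared secret, the fingerprint
    of the exchange it saw, and the SAS its screen would display."""
    shared: int
    fp: bytes
    sas: str


def endpoint(own_secret, own_pub, peer_pub, is_caller):
    shared = pow(peer_pub, own_secret, P)
    fp = fingerprint(own_pub, peer_pub) if is_caller else fingerprint(peer_pub, own_pub)
    return View(shared, fp, sas_words(fp))


def honest_call():
    """Alice calls Bob directly; both see the same two public values."""
    a, A = keypair()
    b, B = keypair()
    return endpoint(a, A, B, True), endpoint(b, B, A, False)


def intercepted_call():
    """A relay in the middle runs a separate exchange with each side, so
    Alice and Bob each hash a different pair of public values."""
    a, A = keypair()
    b, B = keypair()
    m1, M1 = keypair()  # relay's key toward Alice
    m2, M2 = keypair()  # relay's key toward Bob
    alice = endpoint(a, A, M1, True)   # Alice believes M1 is Bob
    bob = endpoint(b, B, M2, False)    # Bob believes M2 is Alice
    # The relay shares a secret with each side, so only the SAS comparison
    # (a human step) can reveal that the session is not end-to-end.
    assert pow(A, m1, P) == alice.shared and pow(B, m2, P) == bob.shared
    return alice, bob


def checksums_match(view1, view2):
    """The step the study measured: do the spoken/displayed strings agree?"""
    return view1.sas == view2.sas


if __name__ == "__main__":
    a, b = honest_call()
    print("honest call:     ", a.sas, "|", b.sas, "| match:", checksums_match(a, b))
    a, b = intercepted_call()
    print("intercepted call:", a.sas, "|", b.sas, "| match:", checksums_match(a, b))
```

The point of the model is the last function: the cryptography guarantees that the two fingerprints differ when a relay is present, but the protocol only benefits if the humans actually compare the words and refuse the call on a mismatch, which is exactly the step the study found users getting wrong.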

Signal app


To test the security of the checksum mechanism, researchers at the University of Alabama set up a test that mimicked a crypto phone. The study used the WebRTC platform and required that each participant make a call to the researchers’ interactive voice response (IVR) server via a browser. They were then presented with several challenges that involved matching checksums and authenticating users’ voices.

The team’s findings were presented at the Annual Computer Security Applications Conference 2015 earlier this month.

The study, which was led by Maliheh Shirvanian, observed that participants overall failed to detect a compromised session over 50% of the time and failed to accept a legitimate session a quarter of the time, according to a report in The MIT Technology Review.

Additional findings include the following:

  • Nearly a third (30 percent) of the time, participants accepted an incorrect two-word checksum if it was spoken by a voice they confirmed they had heard previously.
  • Two-word checksums that were spoken correctly were rejected about 22% of the time.
  • Four-word checksums were less secure than two-word checksums: incorrect four-word checksums were accepted 40 percent of the time, while correct four-word checksums were rejected a quarter of the time.

This latter observation could be explained by the fact that checksums are random strings and are not logical sequences of words, notes Gizmodo’s Jamie Condliffe. This could in theory lead some users to tune out certain words, especially if they recognized who spoke the checksum.

Fog of war

This study brings to mind Carl von Clausewitz, who wrote in his masterful strategic guide On War about the dangers of the “fog of war”, or the uncertainties that creep up into every element of a grand strategy.

Security personnel, as the University of Alabama’s study clearly points out, have to grapple with their own “fog of war” on a daily basis. No matter what protective mechanisms they might build into an app, users can make a mistake that could potentially nullify all of those safeguards.

We as security folk therefore find ourselves players in a delicate balancing act where users must be protected not only from malicious actors but also from themselves. Such is the paradox of information security that makes our jobs so interesting, and admittedly at times frustrating.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Users their own worst enemy when it comes to encrypted messaging apps”

  1. JohnOH

    What users want is less blame and more user-friendly encryption. They aren't the experts in software. It's the so-called experts who don't wish to see it used full time and so make it hard for normal users like myself, who have tried it and failed to set it up. It should already be set up…
