Signal Bypass Screen locker

By n0sign4l - Leonardo Porpora

Advisory ID: n0sign4l-001
Risk level: 3 / 5
Title: Signal iOS - Lock Screen Bypass
Credit: Leonardo Porpora - ‘n0sign4l’
Product: Signal
CVE: CVE-2018-9840
Version: 2.23.1.1 and prior
Vendor notification: 04/04/2018
Vendor: Open Whisper Systems
Vendor Fix: 09/04/2018
Vulnerability type: Security Bypass
Public disclosure: 10/04/2018

Details

Signal for iOS, version 2.23.1.1 and prior, is vulnerable to screen lock bypass.

The vulnerability, triggered by a specific sequence of taps, allows anyone to bypass the password and TouchID protections that iOS users can enable on their device to increase the application's security and confidentiality.

When I reported the vulnerability to the Signal security team (version 2.23), they fixed it in a very short time, but the fix was partial: version 2.23.1.1, the one that should have fixed the issue, was still vulnerable to the screen locker bypass, only with a different tap sequence. I reported the new issue to the security team and version 2.23.2 finally fixed the problem.

The following steps trigger the bug in version 2.23:

  1. Open Signal
  2. Click cancel button
  3. Click home button
  4. Open Signal again
  5. You can see Signal main screen without having been asked for the Password or TouchID

The following steps trigger the bug in version 2.23.1.1 (the one that contains the partial fix):

  1. Open Signal
  2. Click cancel button
  3. Click home button
  4. Double click on the home button
  5. Close Signal app
  6. Open Signal App
  7. Click cancel button
  8. Click once the home button
  9. Open Signal
  10. You can see Signal main screen without having been asked for the Password or TouchID

PoC:

https://www.youtube.com/watch?v=RAhCY4eCtn0&feature=youtu.be
https://www.youtube.com/watch?v=lMtDVaPUOG0&feature=youtu.be

Solution

Update Signal to version 2.23.2

Note

A special thanks to Pawel ‘okno’ Zorzan Urban and Giovanni ‘merlos’ Mellini for the follow-up and the support given for the public disclosure.

Break Signal Screen Locker for iOS

Introduction:

I am 17 years old and since I started dealing with IT and cybersecurity I have been inspired by E. Snowden's character, bravery and values, even when he faced hard consequences for his actions. To me he is a really special person and I consider him like a brother.

Defending human rights, and privacy in particular, is a must in a democratic society and for this reason, in my opinion, everybody should use the Signal messaging application for their communications.

The importance of Data Protection

Whether private conversations are personal, professional, or political, what is said or typed may be of interest to snooping governments. Criminals might be interested as well, especially when a password or credit card number is sent.

Unfortunately, most ways that people communicate with their phones — voice calls, SMS messages, email, Facebook, Skype, Hangouts, etc. — are not as private as one may think. The phone companies, ISPs, and the corporations that make the apps used to communicate can spy on what is transmitted. Chats can be accessed by police, and they can also be seen by anyone who can pick up someone's telephone. Some of them can even be read by anyone in a position to simply glance at your phone's lock screen and read the notifications displayed there. (https://theintercept.com/2017/05/01/cybersecurity-for-the-people-how-to-keep-your-chats-truly-private-with-signal/)

It's possible to make sure that private conversations are actually private, for example by using an app known as Signal.

The Signal app is easy to use, works on Apple's mobile operating system iOS, Google's Android and desktop browsers, and encrypts communications so that only the sender and the receiver can decipher them. Its source code is also open, so security experts can verify its claims.

From a data protection point of view, Signal is safer than other instant messaging applications (e.g. WhatsApp) which, even though they use end-to-end encryption like Signal, retain very important metadata that could be handed over to governments in response to a request.

Moreover, many IM apps encourage users to share the phone's contact list with the app to help the service connect them with other users quickly and easily.

Finally, online backups are a gaping hole in the security of WhatsApp messages. End-to-end encryption only refers to how messages are encrypted when they're sent over the internet, not while they're stored on the phone. Once messages are on a phone, they rely on the phone's built-in encryption to keep them safe (which is why it's important to use a strong passcode). If someone chooses to back up his phone to the cloud — such as to his Google account if he is an Android user or his iCloud account if he is an iPhone user — it is like handing the content of the messages to the backup service provider (https://theintercept.com/2016/06/22/battle-of-the-secure-messaging-apps-how-signal-beats-whatsapp/).

So it is clear that protecting data during transmission is not enough: it is also important to protect the device from unauthorized access, because the device stores the information we want to protect.

For this reason users asked the Signal developers for a new feature, the ability to have password-protected access. This was introduced in iOS version 2.23 (April 3, 2018).

I had been waiting for this feature for a long time, and of course the first thing that came to my mind was to check whether it was secure :).

So I started testing the application and analyzing the code at the same time. The day after the release, I found a method to bypass the Signal Screen Locker for iOS.

I verified that the error was reproducible and, having checked it on several devices, I had a look at the source code and found the bug behind this security problem.

When the screen was unlocked, the Signal app recorded the date and time of the event; but even if you did not unlock it (for example by returning to the home screen with the delete/cancel button), this value was still updated, resetting the unlock timeout and allowing unauthorized access.
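As an added illustration (my own model, not Signal's code and not taken from the linked commit), the Python below reproduces the described logic: a lock that refreshes its last-unlock timestamp on the cancel path lets the app reopen within the timeout without authentication, while one that refreshes it only on a successful unlock does not. The class, function names and the constructed timings are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ScreenLock:
    """Minimal model of a screen-lock timeout (constructed example)."""
    timeout: float               # seconds of grace after a successful unlock
    record_on_cancel: bool       # True reproduces the bug described above
    last_unlock: float = float("-inf")  # time of the last recorded unlock

    def needs_auth(self, now: float) -> bool:
        """The lock screen must be shown unless an unlock is still within the timeout."""
        return now - self.last_unlock > self.timeout

    def unlock_succeeded(self, now: float) -> None:
        """Only a genuine passcode/TouchID success should refresh the timestamp."""
        self.last_unlock = now

    def cancel_pressed(self, now: float) -> None:
        """User dismisses the prompt without authenticating.
        In the buggy variant this path wrongly refreshes the unlock time,
        which is the mistake the advisory describes."""
        if self.record_on_cancel:
            self.last_unlock = now


def replay_cancel_then_reopen(lock: ScreenLock) -> bool:
    """Replays the 2.23 sequence: open, cancel, home button, open again.
    Returns True if the main screen is reachable without authenticating."""
    t = 0.0
    if not lock.needs_auth(t):                 # step 1: opening shows the lock
        raise RuntimeError("expected the lock screen on first open")
    lock.cancel_pressed(t + 1.0)               # step 2: cancel, no credentials
    # step 3: home button; step 4: reopen a few seconds later
    return not lock.needs_auth(t + 5.0)


def bypass_possible(record_on_cancel: bool, timeout: float = 60.0) -> bool:
    """Convenience wrapper: does the cancel/reopen sequence skip authentication?"""
    return replay_cancel_then_reopen(ScreenLock(timeout, record_on_cancel))


if __name__ == "__main__":
    print("buggy model bypassed:", bypass_possible(True))     # True
    print("fixed model bypassed:", bypass_possible(False))    # False
```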

How they fixed it:

Commit: https://github.com/signalapp/Signal-iOS/commit/018a35df7b42b4941cb4dfc9f462b37c3fafd9e9

History 2.23.2: https://github.com/signalapp/Signal-iOS/commits/release/2.23.2

Final thoughts:

I am very happy to have contributed to the security of Signal, an application that I use every day to talk with my friends, professors...

My contribution was also possible because this is an open-source project: besides just reporting the security hole, I had the opportunity to analyze the source code and highlight the flaw.

This is a small example of how effective the open-source model is, and I hope everyone can understand the benefits of community contribution in the data protection field, so that we will see more and more contributions.

Sorry, I cannot hear you, there's interference

n0sign4l :)

Contact: n0sign4l (a) firewake org

Quote of the day: Hack The Planet