Tag: Signal

  • Weak Security in WhatsApp and Signal Lets Attackers Track Users

    Key Takeaways

    1. A security flaw in end-to-end encrypted messaging apps, particularly WhatsApp and Signal, has been discovered by scientists at the University of Vienna.
    2. The flaw allows tracking of devices through Round-Trip Time (RTT) data using silent delivery receipts from messages.
    3. A new tool on GitHub exploits this vulnerability to encourage WhatsApp to address the security issue and improve user privacy.
    4. Accumulated RTT data can reveal user habits, device activity, and network types, potentially compromising privacy.
    5. Current protections against this tracking are limited, with no alerts for users, no blocking options, and the only drastic measure being to uninstall affected messaging apps.


    A team of scientists from the University of Vienna has discovered a small yet significant security flaw in end-to-end encrypted (E2EE) messaging applications. Their research, which came out on November 17, 2024, is titled “Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers.” It emphasizes how devices can be tracked using Round-Trip Time (RTT) data when applications like WhatsApp or Signal are used.

    New Tool on GitHub

    Recently, a new program has been made available on GitHub that can take advantage of this vulnerability in WhatsApp. Although the existence of such a tool raises ethical questions, its main aim is to encourage WhatsApp to fix the security issue and enhance user privacy.

    The concept behind this tool is quite straightforward. The tracker dispatches reaction messages to fake message IDs. The target device still sends back a delivery receipt. This response, which the user cannot see, discloses the time needed to send and receive the altered request—the RTT.

    Implications of RTT Data

    Even though these data points do not immediately pinpoint a user’s location, they can be quite useful when accumulated over time. Patterns in the RTT data can show when a device is being actively used or is in standby. It may also reveal the type of network connection, whether it’s Wi-Fi or cellular. By examining these usage patterns over several hours or days, attackers could infer user habits. Moreover, the continuous requests drain the battery and mobile data of the targeted smartphone.

    At present, users have very few ways to protect themselves against this tracking technique. There are no alerts on smartphones notifying users of such surveillance. The attacker’s phone number is not available, making it impossible to block them. Neither Signal nor WhatsApp currently provides an option to turn off delivery receipts. A drastic measure is the only choice available right now: uninstalling all affected end-to-end encrypted messaging apps from your device.

    Device Activity Tracker on GitHub

    The Device Activity Tracker by gommzystudio is now on GitHub. The research paper “Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers” is available on arXiv.


  • Signal Launches Free and Paid Secure Backup Options

    Key Takeaways

    1. Signal has launched new free and paid plans for backing up messages and media, currently available only on the Android beta version.
    2. The free backup option lasts for 45 days, while a $1.99 subscription allows backups of up to 100GB.
    3. The subscription fee helps cover the costs of data storage and transfer, as Signal does not sell user data.
    4. A unique 64-bit recovery key is created for each user, and losing this key means Signal cannot assist with message recovery.
    5. Future enhancements are planned, including secure backup options and cross-platform message transfer features.


    Open-source messaging platform Signal has rolled out new free and paid plans for safely backing up messages and media. This feature is optional and you must download the newest beta version on Android to access it.

    Limited Release for Testing

    According to Signal, restricting the launch to Android lets them “test this feature in a limited setting, before it expands to iOS and Desktop shortly.”

    The free option permits users to back up all text messages and media for a period of up to 45 days. If users wish to increase this limit, they can opt for a $1.99 subscription that allows full media backups of up to 100GB.

    Cost of Data Storage

    Signal explained that “storing and transferring large amounts of data is costly.” As the company does not gather or sell user data, the $1.99 subscription helps them manage these expenses.

    The secure backup functionality adheres to the same “zero-knowledge” principle that the company embraces. This means that all backup archives “are stored without a direct link to a specific backup payment or Signal user account.”

    Recovery Key and User Responsibility

    Signal creates a 64-bit recovery key on your device that isn’t shared with their servers and is the sole means to “restore access to your messages.” If you lose this key, the company cannot assist you in recovering it.

    To use the new feature, you must download the latest beta version of the app from the Play Store. You will find the option to activate it in the Signal settings menu. Currently, this feature is exclusive to beta versions of the app on Android, but it will be available on all platforms soon.

    Future Enhancements

    The technology being utilized for the “initial version of secure backups will also provide the groundwork for more secure backup alternatives in the near future.”

    Signal also hinted at adding more comprehensive options soon, such as the ability to save “a secure backup archive to a location of your choice, along with features that facilitate transferring your encrypted message history across Android, iOS, and Desktop devices.”


  • GNCA Tip Line: Microsoft Recall Bypass & Battery Safety Tips

    Key Takeaways

    1. Baseus is recalling 55,380 portable battery chargers due to safety issues, including battery swelling and fires.
    2. The Internet Archive faces a lawsuit from major music companies over its digitization project, claiming it’s a threat to fair use and historical access.
    3. The U.S. PIRG Education Fund launched the “Electronic Waste Graveyard” database, highlighting over 100 discontinued tech products contributing to e-waste.
    4. Signal’s new desktop update disables Microsoft’s Recall feature by default, addressing privacy and security concerns for users.
    5. Washington state passed bill HB 1483 to improve consumer access to repair information and tools, marking progress in right to repair legislation across the U.S.


    Shenzhen-based electronics company Baseus is recalling around 55,380 of its 30,000 mAh 65-watt portable battery chargers. The U.S. Consumer Product Safety Commission has reported 76 issues linked to these devices, with 72 cases of battery swelling and four fires, three of which caused damage to property. The affected models have the identification number BS-30KP365 and serial numbers that end with 0–9 or the letter D. Customers can obtain a replacement by providing proof of purchase and photographs of the serial number. This isn’t the first time Baseus has faced such problems; in 2024, it recalled 132,000 wireless chargers due to similar fire hazards.

    Legal Challenges for the Internet Archive

    The Internet Archive, well known for its Wayback Machine and efforts in preserving public records, is currently facing another lawsuit. A group that includes Universal Music Group, Sony Music Entertainment, and Capitol Records is taking action against the non-profit due to its “Great 78 Project,” which digitizes 78 RPM records from the early 20th century. The Archive has described the lawsuit as a significant threat, arguing that the project is fair use and provides crucial access to historical materials. This platform is essential for journalists, educators, and engineers. More than 850 musicians and close to 90,000 people who signed a petition are urging that the lawsuit be dismissed.

    New Database for Electronic Waste

    The U.S. PIRG Education Fund has rolled out an interactive database called “Electronic Waste Graveyard,” which lists over 100 tech products that are no longer in production. This includes PCs, smartphones, wearable tech, and car accessories that have been left behind because of software expiration or the end of cloud services. One notable example is Amazon’s Halo Rise sleep tracker, which was discontinued less than a year after it was launched. According to PIRG, more than 130 million pounds of electronic waste have arisen from such product discontinuations since 2014, with an estimated 1.66 billion pounds expected from Windows 10 PCs after support ends in October 2025.

    Signal Blocks Recall Feature

    The encrypted messaging app Signal has released an update for its desktop application that disables Microsoft’s Recall feature by default. Recall, which is only available on Copilot+ PCs equipped with NPUs, saves continuous screenshots of users’ activities to facilitate AI-driven data retrieval. Critics argue that this feature, although local, creates significant privacy and security risks. Signal’s developers have added a screen security feature that stops Windows 11 from recording chat windows, citing Microsoft’s inadequate protection measures as the reason.

    Fortnite Returns to the iOS App Store

    After a prolonged legal dispute regarding in-app purchase limitations, Fortnite is now back on the iOS App Store. The legal issues began in 2020 when Epic Games bypassed Apple’s payment system, leading to its removal from the platform. Courts later decided that Apple must permit developers to inform users of alternative payment methods. Epic’s CEO Tim Sweeney views this reinstatement as a win for fairness on platforms, though he acknowledges that further progress is needed on a global scale.

    New Repair Access Legislation in Washington

    Washington state has enacted bill HB 1483, which broadens consumer access to repair information, tools, and parts. Certain exclusions apply to video game consoles, motor vehicles, medical devices, and low Earth orbit broadband equipment manufactured before 2044. This law will come into effect in 2026. Advocacy organizations like iFixit have welcomed the new law, noting that Apple has decided to add iPads to its self-repair program as a result. Now, all 50 states have presented some type of right to repair legislation.

    The first episode of GNCA’s Tipline highlights ongoing trends across various industries—like early product obsolescence, the decline of digital ownership, or regulatory loopholes that big corporations take advantage of. More episodes are on the way. This sort of reporting is what many people need—something that cuts through corporate noise and illustrates how everyday technology problems link to real-world impacts. It’s a means to feel less helpless and more informed, especially in times when it seems like large companies hold all the power.
