How a Third-Party SMS Service Was Used to Take Over Signal Accounts
Last week, hackers broke into the systems of Twilio, a cloud communications company that provides infrastructure to other companies to automate sending text messages to their users. By breaking into Twilio systems, hackers could have sent text messages to victims, and read their text messages as well. This potentially gave the hackers a chance to take over any victim’s accounts that were tied to their phone number on services that use Twilio.
Crucially, Twilio provides text verification services for the encrypted messaging app Signal. When a user registers their phone number with Signal, Twilio sends them an SMS containing a verification code, which they then input to Signal. On Monday, Signal, which uses Twilio for delivering text messages with verification codes, disclosed that it was one of the targets of this attack. In particular, Signal said that hackers targeted around 1,900 of its users. This means that for those users, the hackers could have registered their numbers on their own device and essentially impersonated them, or intercepted the SMS verification code that Signal uses to register users.
The good news: because of the way Signal is designed, even if a hacker registers their account with a victim’s phone number, they don’t get access to a lot of information.
“Importantly, this did not give the attacker access to any message history, profile information, or contact lists,” Signal wrote in the incident’s announcement. “Message history is stored only on your device and Signal does not keep a copy of it. Your contact lists, profile information, whom you’ve blocked, and more can only be recovered with your Signal PIN which was not (and could not be) accessed as part of this incident. However in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number.”
In other words, the hackers could have impersonated the victim, but wouldn’t have their contacts or messages.
“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code. The attacker no longer has this access, and the attack has been shut down by Twilio,” Signal wrote.
Among those 1,900 phone numbers “the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered.”
I was one of those three numbers, and also the user who reported the incident. At first, Signal only told me they were investigating the incident, and they only told me what happened on Monday, before they published a blog post about how the Twilio hack impacted some Signal users.
The hackers were able to take over my number on Signal for a period of 13 hours.
On Sunday, Aug. 7, at 2:43 a.m. ET I received a text message that said: “Your SIGNAL verification code is [REDACTED].”
Once I realized what happened, I alerted two friends who are experts in digital security, and reached out to Signal. Then I alerted VICE’s cybersecurity team. It wasn’t clear at the time what was happening.
At that point, Twilio hadn’t disclosed the breach, Signal hadn’t said anything publicly nor in private to me, so we had no idea what was going on. I asked my cellphone provider to check whether I had been SIM swapped, but there were no signs of any attack. I also went through all my important accounts to see if there was any sign of compromise there, but, again, no sign of any attack or break-in. Without the results of Signal’s investigation, we had no way to really know what happened, whether I was the victim of an attack, or maybe there had been some bug in Signal.
Because I didn’t immediately have access to the device where I use Signal, I couldn’t re-register my account until 5:20 p.m. ET on the same day. This means that for around 13 hours, the hackers didn’t have access to my contacts or the content of any of my messages, but could have impersonated me on Signal, messaging people pretending to be me.
Once I re-registered the account, I booted out the attackers and prevented them from using my account. Then I made sure to stop them from trying this again by enabling Registration Lock, a Signal feature that requires anyone registering a number that has Registration Lock turned on to provide the user’s PIN. (I did not have Registration Lock enabled before this incident, which was a mistake.)
Also, because I had set up a PIN with Signal, the hackers did not have access to my contacts.
We are disclosing that I was a victim of this attack in order to be transparent, and to alert anyone who may have chatted with me in those 13 hours that they were not talking to me, but to hackers impersonating me. So if you did talk to me in those 13 hours, please reach out; I’d like to know who the hackers talked to, and what they talked about with them.
My incident is an important reminder to turn on Signal’s Registration Lock feature, which prevents hackers from registering your number on their device without having your Signal PIN.
Incidents like the Twilio hack are also an important reminder that services that rely on text messages for verification are vulnerable: whoever can read the SMS in transit can pass the verification step. That is why it is important to enable every additional security feature a service offers.
“What I find frightening goes beyond the implications for Signal. Any platform or service can be manipulated to hand over verification credentials to an attacker,” Harlo Holmes, the director of digital security at the Freedom of the Press Foundation, told Motherboard. “And despite the protections various services put in place to protect our accounts once we’ve been verified, it is at this point when these accounts are the most vulnerable to takeover.”
Signal is going to alert those 1,900 users targeted by hackers, and force them to re-register their accounts.
If you received an SMS message from Signal with a link to this support article, please follow these steps:
1) Open Signal on your phone and register your Signal account again if the app prompts you to do so.
2) To best protect your account, we strongly recommend that you enable registration lock in the app’s Settings. We created this feature to protect users against threats like the Twilio attack.
A Twilio spokesperson sent the following statement when Motherboard asked the company for a comment: “Twilio generally does not comment on specific customer situations. However, with respect to the matter disclosed by Signal, we are aware of it and take any potential incident involving the protection of our customers’ information seriously. We have been in close contact with Signal and are working together with them to aid their investigation. We continue to investigate the matter and gather more information, and are keeping customers updated here.”