Security researchers have found that user error can be responsible for compromising the exchanges of encrypted communications apps.
A little background might be helpful. Secure communication apps like RedPhone and Signal, the latter of which was released for Android in November, often display to correspondents who wish to call or text one another a checksum, or a short authentication string of words.
If the checksum is identical on both users' phones or computer screens, they know that their conversation is secure and that it has not been breached by an uninvited guest.
To test the security of the checksum mechanism, researchers at the University of Alabama set up a test that mimicked a crypto phone. The study used the WebRTC platform and required that each participant make a call to the researchers' interactive voice response (IVR) server via a browser. They were then presented with several challenges that involved matching checksums and authenticating users' voices.
The team's findings were presented at the Annual Computer Security Applications Conference 2015 earlier this month.
The study, which was led by Maliheh Shirvanian, observed that participants overall failed to detect a compromised session over 50% of the time and failed to accept a legitimate session a quarter of the time, according to a report in The MIT Technology Review.
Additional findings include the following:
- Nearly a third (30 percent) of the time, participants accepted an incorrect two-word checksum if it was spoken by a voice they confirm they had heard previously.
- Two-word checksums that were spoken correctly were rejected about 22% of the time.
- Four-word checksums resulted in greater insecurity than did two-word checksums. 40 percent of the time, incorrect instances of the former were accepted, whereas correct four-word checksums were rejected a quarter of the time.
This latter observation could be explained by the fact that checksums are random strings and are not logical sequences of words, notes Gizmodo's Jamie Condliffe. This could in theory lead some users to tune out certain words, especially if they recognized who spoke the checksum.
This study brings to mind Carl von Clausewitz, who wrote in his masterful strategic guide On War about the dangers of the "fog of war", or the uncertainties that creep up into every element of a grand strategy.
Security personnel, as the University of Alabama's study clearly points out, have to grapple with their own "fog of war" on a daily basis. No matter what protective mechanisms they might build into an app, users can make a mistake that could potentially nullify all of those safeguards.
We as security folk therefore find ourselves players in a delicate balancing act where users must be protected not only from malicious actors but also from themselves. Such is the paradox of information security that makes our jobs so interesting, and admittedly at times frustrating.