NSA warning – Change your iPhone and Android messages settings

Update: republished on March 31 with a new report on the dangers of secure messaging at the workplace and a touch on WhatsApp against signal.

Secure messaging applications on your phone are dangerous. Not because their own security measures are vulnerable to attacks – although it happens, but because their security is as good as your behavior. And millions of iPhone and Android users do not only make simple errors can open your phone to attack.

It was the NSA warning knot which was now made public and was titled as a vulnerability of the signal following Trump officials inadvertently inviting a journalist to a sensitive group cat. But this is not the case. It is user vulnerability. The notification of the NSA is a warning to modify the messaging parameters. Nothing more.

ForbesGoogle Gmail upgrade – Good news for 3 billion usersBy Zak Doffman

The NSA warning last month was caused by the Google threats to the Russian GRU’s discovery of Google deceived Ukrainian officials to open access to their signal accounts, allowing Russians to listen. It was not a signal defect – the application worked as planned. And it was not limited to the signal. Google has warned “this threat also extends to other popular messaging applications such as WhatsApp and Telegram”.

The two “vulnerabilities” relate to the signal and WhatsApp features which make them easier to use. Linked devices and group links. The first allows you to synchronize and access your secure messaging applications on all your eligible devices. The second provides you with a simple way to invite new members to a group conversation by sending them a link, rather than adding them one by one to the group.

The group’s liaison threat only extends to the group itself and is easily attenuated. In Signal, deactivate the group link from group settings. In WhatsApp, you do not have this option, but do not use links for sensitive groups; You must also define sensitive groups in WhatsApp so that only administrators can add members.

The option of linked devices is much more dangerous because it can establish a fully synchronized replica of your messaging application on someone else’s device. But again, this risk is easily attenuated. In both applications, there is a menu of clear parameters entitled “Linked devices”. Go there now and read any device that you do not recognize 100% as you belong. If in doubt, delete. You can always add it later if you make a mistake. On both applications, your main phone is the basis and all other devices can be linked and unrelated to it.

There is a turn to that. In the Russian attack, the invitation link of the signal group was diverted to link a device instead, a vulnerability in the coding and the mechanics of the invitation, but not the application itself. But there is no way for someone to connect a device without being manifested in your parameters above. The regular verification of these links is essential. It is also worth periodically unlocking the “web application” links of the browser (as opposed to applications) and releases it. The other advice is not to click on group links unless they are expected and you can guarantee the sender.

The other NSA messaging advice should be common sense. Define and change your application pin regularly and activate the screen locking. Do not share contact or status information, certainly not outside your contacts. The DOD agency also recommends keeping the phone and application contacts with separate contacts, although painful for daily use.

The concept of secure messaging is largely misunderstood. End -to -end encryption is a transmission backup. The content is blurred by your device and not recruited when it reaches a recipient. Each end (telephones in a cat) is vulnerable to a compromise of this device, to user saving content or to the bad person invited to a group. None of these applications are the ball test if your other security is defective or if you make a mistake.

The NSA is not the only one to call signal as a title title when it comes to guaranteeing the commercial messaging platforms used by politicians and other officials. The American cyber-defense agency did the same as a result of the Hacks of Typhon Salted in China on American networks. “Use only encrypted end -to -end communications,” said Cisa. “Adopt a free messaging application for secure communications which guarantees end -to -end encryption, such as the signal or similar application.”

With an interesting timing, WhatsApp – the most popular secure messenger in the world, which uses the same signal encryption protocol and the signals itself – has just made it easier. IPhone users can now select WhatsApp as a default text and call application. The platform update that offers this new capacity takes place this weekend. In settings – Applications, select “Default applications” and modify the “messaging and” calls “options.

But again, this does not change the user / device vulnerability that will always leave a secure messaging in danger. “The biggest risk of listening to a signal conversation comes from the individual phones on which the application works,” explains Foreign policy. “Although it is not very clear if the American officials involved had downloaded the application on personal phones or issued by the government … Smartphones are consumption devices, not at all suitable for American government conversations.”

This is particularly acute, given that “an entire industry of spy software companies sells capacity to hack smartphones for any country willing to pay”. It was the forensic exploits that tormented iPhones and Androids this year. And so just as it is essential to apply the right messaging parameters, it is also essential to keep your phone up to date, avoid risky applications and stop click on unexpected links or attached pieces.

While Signal took most of the titles given the attack on the United States, in reality it is WhatsApp which is the much more important problem. “It’s a WhatsApp world at work now,” according to the Financial time“And it’s not always a good thing.”

As the newspaper reports, it is over time that “you could leave applications (work) to withdraw all weekend, knowing that the Pingers did not ask to ask anything more trying than the time when to meet for a coffee or if there was milk in the refrigerator. These days have disappeared.

And WhatsApp is very at the top of this list. Ironically, the only key market that was a holdout against him was the United States, where Imessage remained the dominant secure messaging platform. But even it changes now, with public meta-elebration via WhatsApp which spent 100 million American users last summer.

“At one point”, ” flight Underlines: “It no longer seemed to be doing whatsapp of his manager, then adding a thumbs up.

Ironically, Signalgate caused a sweet NAC between WhatsApp and Signal, which is the most secure application to exchange and keep secrets. “There are big differences between signal and WhatsApp,” said the signal boss Meredith Whittaker, after Whatsapp Boss Will Cathcart pointed out that the two used the same basic encryption and could therefore be seen in the same medium, despite Meta’s property.

“The signal is the gold stallion in private communications,” said Whittaker. “Whatsapp License in signal cryptography to protect the content of messages for the WhatsApp consumer”, although the same level of security does not apply to commercial communications. “Don’t get me wrong – we like WhatsApp uses our technology to raise the confidentiality bar of their application. Part of the signal mission is to define and encourage the technological ecosystem to meet, this high confidentiality bar. But these are key differences in significant confidentiality and that the public deserves to understand them. Marketing. “

ForbesGoogle Android update – You must stop installing these applicationsBy Zak Doffman

But it is WhatsApp that we have to turn to the purest irony of this whole story. A few days before The Atlantic has published his shocking revelations about his listening to inadvertently on a government’s “Eyes Only” signal group, his rival platform published on X: “As administent, let the members of the group add other people to the cat?” Just that, nothing more. It is almost as if all the fury could have been predicted. Not that the one who really added journalist Jeffrey Goldberg was or was not a director, just that the risk of these group invitations is there and requires some attention.

The essential is however very simple. Whether whatsapp or signal, both are secure and recommended for use – if used correctly. Configure them badly – one of them, or neglect the telephone updates, the parameters and the secure use, and the two will fail. You can read the full advice of the NSA here. Be careful and make sure to keep your worktops, festive plans and even your secret war plans.