Signal users' location can be tracked by a call
David Wells from Tenable discovered a vulnerability (CVE-2020-5753) in the secure messenger Signal that could allow an attacker to track a user's location.
To track a user's movements, an attacker only needs to place a call in the Signal messenger. Wells said that if two Signal users have added each other as contacts, they can determine each other's location and IP address simply by ringing, even if the other user does not answer the call. Even a caller who is not in the contact list can still determine the user's approximate location simply by calling in the messenger.
“The essence of the problem is that users are helpless in front of such a method,” the specialist noted.
Signal uses its own fork of WebRTC to make calls. As a protective measure, the application does not send the user's public/private IP address when the call comes from a subscriber who is not in the contact list. In addition, the user can choose to hide the public/private IP address by selecting the appropriate option. Instead of the user's IP address, Signal then sends the IP address of the nearest Signal TURN server.
The whole process takes place before the user answers the call and, as Wells found out, it can be used to learn some information about the user being called, even if he has hidden his IP address. The issue affects Signal versions 4.59.0 and later for Android and Signal version 18.104.22.168 for iOS.
Signal's developers have already released fixes for the vulnerability, and updated versions of the messenger are available in the Google Play Store and Apple App Store.
WebRTC (Web Real-Time Communications) is an open-source project for transferring streaming data between browsers or other applications that support it, using point-to-point technology.
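
As an added illustration of the IP-hiding measure described above (not code from Signal or from Tenable's research): WebRTC peers exchange addresses as ICE candidate lines, and only a `relay` candidate points at a TURN server rather than at the user's own device. The candidate lines and function names below are constructed for this example and use documentation address ranges.

```javascript
// Constructed sample candidates (RFC 8445 "candidate" attribute syntax).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 50000 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.7 50000 typ srflx raddr 192.168.1.23 rport 50000",
  "candidate:3 1 udp 41885439 198.51.100.10 3478 typ relay raddr 203.0.113.7 rport 50000",
  "candidate:4 1 udp 41885439 198.51.100.10 3479 typ relay raddr 0.0.0.0 rport 0",
];

// Parse one candidate line into its fields; returns null if malformed.
function parseCandidate(line) {
  const text = line.trim().replace(/^a=/, "").replace(/^candidate:/, "");
  const f = text.split(/\s+/);
  if (f.length < 8 || f[6] !== "typ") return null;
  const c = {
    foundation: f[0], component: Number(f[1]), transport: f[2].toLowerCase(),
    priority: Number(f[3]), address: f[4], port: Number(f[5]), type: f[7],
    raddr: null, rport: null,
  };
  // Optional extension pairs: raddr/rport carry the "related" address.
  for (let i = 8; i + 1 < f.length; i += 2) {
    if (f[i] === "raddr") c.raddr = f[i + 1];
    if (f[i] === "rport") c.rport = Number(f[i + 1]);
  }
  return c;
}

function isUnspecified(addr) {
  return addr === null || addr === "0.0.0.0" || addr === "::";
}

// List every candidate that would hand the remote peer the user's own address.
function findAddressLeaks(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    const c = parseCandidate(line);
    if (c === null) {
      findings.push({ index, reason: "unparseable candidate", address: null });
    } else if (c.type !== "relay") {
      // host = private address, srflx/prflx = public address of the device.
      findings.push({ index, reason: `${c.type} candidate exposes endpoint`, address: c.address });
    } else if (!isUnspecified(c.raddr)) {
      // A relay candidate can still carry the real address in raddr.
      findings.push({ index, reason: "relay candidate carries related address", address: c.raddr });
    }
  });
  return findings;
}
```

Only the last sample line passes: it is a relay candidate whose related address has been blanked, so the remote side sees nothing but the TURN server.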