BLOG

Your source for insights from our team on secure communications and encryption,
as well as tips and tricks to get the most from using Cellcrypt

The Risks of Using Telephone Numbers as your ID for Secure Communications.


When you installed Cellcrypt, you may have noticed that we asked for your email address rather than your telephone number. There are several security reasons why Cellcrypt, unlike consumer messaging apps such as WhatsApp and Signal, does not use telephone numbers as user identifiers.


1) Becoming You only requires access to your phone.

With consumer apps such as WhatsApp, if someone gets hold of your phone, they can gain full access to your account, including your messages and contacts. Because these apps use the phone number as the User ID and simple SMS verification, if someone has your phone and knows your phone number, then on another device, they can register in the app as you.


When registering with your phone number on a new device, an SMS containing a verification code is sent to your phone number. If your phone is unlocked, or is set to display incoming SMS messages on the lock screen, the attacker can enter that code on their device and will have full access to the app as you: they can read your messages and even start messaging your contacts, as you.


2) Using Phone Numbers makes Enterprise use challenging.

Many organizations still provide mobile devices and mobile plans, including phone numbers, to their employees.


The challenge if the UserID is the phone number is that if someone leaves the organization and their device/plan is given to another employee, from the app’s perspective, the new employee assumes the identity of the old employee. They will be a member of the same groups and have access to historical and current messages in those groups and all individual messages and contacts.


3) Mobile Contact Discovery can reveal sensitive data.

By installing consumer apps such as WhatsApp or Telegram, users can immediately communicate with existing contacts stored on their phones using their phone number and a process called Mobile Contact Discovery.


When a user clicks the button to permit these apps to access the on-device address book, the apps will regularly upload the user's contacts to the app provider's servers.


For an example of this in action, pick one of your contacts (I've chosen Bill) and type the following into a WhatsApp message bar: "Bill's number is." The app will retrieve Bill's number from your contacts and offer it as a predictive text option. Using this same access, researchers have shown how, with relatively few resources, crawling attacks can collect sensitive data on a massive scale.


Even Signal, which does not transfer the phone's full address book but instead uses short cryptographic hash values of phone numbers, is easy to overcome. The low entropy of phone numbers means attackers can use new and optimized attack strategies to deduce phone numbers from those cryptographic hashes within milliseconds. This is exacerbated by the fact that these consumer apps place almost no restrictions on signing up. As a result, bad actors can create as many accounts as they need to crawl a platform's user database by requesting data for random phone numbers and creating an increasingly detailed picture.
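The point about low entropy is easy to see in numbers. The following is an added example, not code from Cellcrypt, Signal or the Darmstadt/Würzburg study: it uses SHA-256 as a stand-in for whatever hash a client might upload, constructs a handful of fake phone numbers under a single made-up prefix, and shows that recovering the numbers from their hashes costs nothing more than enumerating the prefix, whether or not a salt known to every client is mixed in. The entropy helper makes the contrast with a random 128-bit account identifier explicit.

```python
import hashlib
import math
import secrets
import time


def entropy_bits(space_size: int) -> float:
    """Bits of entropy an attacker faces when an identifier is drawn uniformly
    from a space of space_size values. 10^10 possible US numbers is about 33 bits;
    a random 128-bit account ID is 128 bits."""
    return math.log2(space_size)


def phone_hash(number: str, salt: str = "") -> str:
    """Unkeyed SHA-256 over salt + bare E.164 digits, the shape of hash a client
    uploads for contact discovery. A salt every client knows does not raise the
    enumeration cost; it only prevents reusing a precomputed table."""
    return hashlib.sha256((salt + number).encode()).hexdigest()


def invert_phone_hashes(targets, prefix: str, line_digits: int, salt: str = ""):
    """Recover phone numbers from their hashes by enumerating every number under
    a prefix. The work is bounded by the size of the number space, not by the
    strength of the hash function."""
    wanted = set(targets)
    found = {}
    for line in range(10 ** line_digits):
        number = f"{prefix}{line:0{line_digits}d}"
        digest = phone_hash(number, salt)
        if digest in wanted:
            found[digest] = number
            if len(found) == len(wanted):
                break
    return found


def hashes_per_second(sample: int = 100_000) -> float:
    """Rough single-core throughput of the hash, used to scale the brute-force
    cost up to a whole country's number space."""
    start = time.perf_counter()
    for i in range(sample):
        phone_hash(f"+1555{i:07d}")  # constructed, non-routable numbers
    return sample / (time.perf_counter() - start)


def seconds_to_enumerate(space_size: int, rate: float) -> float:
    return space_size / rate


# Constructed sample "address book": two fake numbers under a fake prefix.
SAMPLE_PREFIX = "+1202555"          # assumption: 4 line digits remain after this prefix
SAMPLE_NUMBERS = ["+12025550123", "+12025559876"]
SAMPLE_HASHES = [phone_hash(n) for n in SAMPLE_NUMBERS]


if __name__ == "__main__":
    print(f"phone-number space (10^10): {entropy_bits(10 ** 10):.1f} bits")
    print(f"random 128-bit account ID:  {entropy_bits(2 ** 128):.1f} bits")
    opaque_id = secrets.token_hex(16)  # what an email-backed, random user ID looks like
    print(f"example opaque ID: {opaque_id}")

    recovered = invert_phone_hashes(SAMPLE_HASHES, SAMPLE_PREFIX, 4)
    print("recovered from hashes:", sorted(recovered.values()))

    rate = hashes_per_second()
    print(f"~{rate:,.0f} hashes/s on one core; "
          f"all 10^10 US numbers in ~{seconds_to_enumerate(10 ** 10, rate) / 3600:.1f} h")
```

The salt parameter is there to make one design point concrete: a salt that clients must know to compute matching hashes does nothing against enumeration, because the attacker computes exactly what a legitimate client computes. The defences that actually change the picture are the ones the paragraph above hints at, limiting who may register and how many lookups an account may perform, rather than a different hash.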


A study by the Technical University of Darmstadt and the University of Würzburg saw the researchers querying 10% of all US mobile phone numbers for WhatsApp and 100% for Signal. This allowed them to access commonly stored personal metadata, including profile pictures, nicknames, status texts, and the "last online" time. Matching this data over time against public data sources and social networks makes it possible to build detailed profiles that would be of great interest to bad actors.


In Telegram's case, this discovery service exposed sensitive information about individuals who were not registered with the app. This means that individuals who may never have used Telegram, let alone given permission for their phone number to be used, are being exploited by the system.


Finally, the contacts in your phone may be very different from those people that you need to contact securely. Separation of your secure contacts and your standard phone contacts should also be a key consideration when selecting a secure communications solution.
