BSides London 2025

BSides London 2025

login

Signal Boost: Looking under the hood of Signal
.ical
2025-12-13 , Clappy Monkey Track

This talk is a walkthrough of a security review to Signal, one of the most widely used E2EE messaging applications. Instead of focusing purely on cryptography, this review examines how Signal’s implementation.

We’ll begin with Signal’s 1:1 messaging system, covering Double Ratchet, Sealed Sender, and encrypted profile data. This section highlights a zero-click vulnerability in device synchronization that allowed attackers to silently edit, delete, or inject messages.

We’ll then turn to Signal’s groups, with emphasis on zero-knowledge membership validation and authorization. Here, I’ll present a vulnerability that enabled privilege escalation, and unauthorized rejoining of groups, effectively breaking group authorization.

The talk concludes with lessons learned from this review and a call to action for researchers to engage with Signal’s open-source ecosystem to further strengthen its security.

Outline

Pre-Intro

This talk is from the perspective of an application security engineer analyzing Signal’s code, not as a cryptographer, but with a focus on real-world security gaps.

Intro

Overview of Signal’s architecture and client-server model, and how it fits within the broader E2EE messaging landscape. Emphasis on implementation choices that strengthen privacy and reduce attack surfaces.

1:1 Messages

  • Breakdown of Double Ratchet, Sealed Sender, and encrypted profiles (username, bio, image).
  • Privacy properties: sender anonymity, message authentication, and authorization.
  • Device synchronization challenges.
  • Vulnerability: zero-click bug in Android sync allowed attackers to silently edit, delete, or inject messages.

Group Messages Protocol

  • Deep dive into Signal’s group protocol.
  • Cryptographic innovations: zero-knowledge proofs for membership validation and group authorization.
  • Protections: encrypted membership lists, group metadata, and messages.

Vulnerability

  • Privilege escalation in Signal groups.
  • Impact: non-admins could escalate privileges, banned users could unban themselves, removed users could rejoin and post messages.
  • Technical details, demo, and fix.

Conclusion

Broader challenges in building secure E2EE apps. Encouragement for researchers to contribute to Signal’s open-source ecosystem.

Q/A

The speaker’s profile picture
storm

Ibrahim is a security engineer focused on the security and privacy of end-to-end encrypted (E2EE) messaging applications, including WhatsApp, Telegram, and Signal. His research explores vulnerabilities in these systems, from zero-click attacks to metadata leaks with the goal of strengthening the guarantees they provide to billions of users worldwide.

In addition, Ibrahim has over a decade of experience advancing program analysis and static analysis techniques to detect and prevent vulnerabilities at scale. He has contributed to securing massive codebases in languages such as PHP, Python, and Java, building tools that help developers and security teams identify and remediate issues more effectively.