Skip to main content

Vulnerability in Signal messaging app could let hackers track your location

A vulnerability in the secure messaging app Signal could let a bad actor track a user’s location, according to findings from cybersecurity firm Tenable.

Researcher David Wells found that he could track a user’s movements just by calling their Signal number — whether or not the user had his contact information. This could be a big problem for victims of stalking, or for activists and journalists who are trying to avoid government or law enforcement detection to leak information or act in a whistleblower capacity.

There are two aspects to the vulnerability, Wells said. One is that if two Signal users have each other as contacts, it’s possible for them to determine each other’s location and IP address by calling, even if the person being called doesn’t answer the phone.

“That feature is not well advertised, and it’s interesting that someone could disclose your location if they’re your contact,” Wells said. “That’s kind of odd.”

It turns out that even if you don’t have a person in your contacts list, they can still roughly determine your rough location just by calling you on Signal. This works even if you don’t pick up or see the call.

“Let’s say I have a burner phone and I just ring your phone, and I do it so quickly that all you see is a missed call from some number,” Wells said. It turns out that’s enough for the caller to see what DNS server your phone automatically connects to. “Usually, it’ll be somewhat near you,” Wells continued. “So I can force that DNS server [near you] to talk to me. By getting that information, I know what DNS server you’re using and I can determine your general location.”

“The core of the issue is that you’re helpless,” Wells said. Simply by calling your phone, which you can’t control, a threat actor could determine your general location.”

“It’s not like clicking on a link [as in phishing],” he said. “Anyone can do this to you.”

Image used with permission by copyright holder

Signal has reportedly already released a patch for the vulnerability via Github, but as of now, it is not yet available through any app stores.

Signal declined to publicly comment when asked about the reported vulnerability, but Wells told Digital Trends that he heard the team was working on an update that would patch the problem.

Signal recently announced it would be rolling out PIN numbers for people to use instead of phone numbers, which may help plug the security hole.

The vulnerability also has limitations. The method isn’t 100% reliable; at one point, Wells called an associate in Pennsylvania as an experiment, and the associated DNS server that responded was 400 miles away in Toronto.

“It’s very coarse,” Wells admitted.

The researcher also wasn’t able to determine a person’s specific address, for example. But when a callee’s phone connected to certain servers, he was able to see clearly what city they were in and track their daily movements.

“We’re not cracking Signal’s encryption or saying don’t use Signal. The sky isn’t falling,” he said. “But for a certain subset of people, this is going to be a problem.”

Editors' Recommendations

Maya Shwayder
I'm a multimedia journalist currently based in New England. I previously worked for DW News/Deutsche Welle as an anchor and…
How to control which apps access your location on iOS and Android

Do you feel comfortable knowing that an invisible force follows you, shadowing your every move all day every day? It sees specific places you go and the duration of your stay. It follows your route around town and then your return back home. How, you ask? Through your smartphone and apps.

The idea that unknown companies can and do constantly track your whereabouts can be unnerving. But you can put a stop to it right now. You can determine what apps are collecting location information and then learn how to use your phone's built-in controls to limit sharing your life with these strangers.

Read more
Signal app tips and tricks
Messaging feature image

People are becoming increasingly concerned about online privacy -- more so than ever before. Signal, the encrypted messaging app for both mobile and desktop, is riding a wave of popularity and commandeering millions of new users, many of them exiles from WhatsApp and other messengers, cementing a newfound interest in encryption. We've already introduced you to the general concept of Signal and how to get started using it, but here we delve deeper into some of the unique ways you can augment its rich security features to ensure your communications stay private. The tips and tricks outlined below are from an LG V40 ThinQ running Android 10 and an iPhone 12 Mini running iOS 14.3.
Disable 'Contact Joined Signal' notification

Signal, by default, will show you which of your contacts are part of its ecosystem, so there's no need for a special notification when a new person joins. With so many new people jumping on Signal, there's likely to be such an abundance of notifications that you may want to switch them off. To do this, go to Settings > Notifications > Contact Joined Signal and switch it off.
Create a group video call

Read more
What is Signal? How to use the encrypted messaging app
Signal App

Encrypted messaging app Signal has been around since 2015, gaining popularity among political activists of all stripes because of its secure and private messaging system. More recently, a mass exodus from Facebook-owned WhatsApp, fueled by its demand for new terms of service and increased information sharing with its corporate parent, has boosted Signal as a major alternative for many new users. If you’re unfamiliar with the app and how it works, we break down what Signal is and how to use it.
What is Signal?

Signal Private Messenger is available for free worldwide for both iOS and Android and allows its millions of users to send texts, videos, and files, make voice and video calls, and shield your location using end-to-end encryption. It also has a desktop version for Mac, Windows, and Linux. It looks and works like any other messaging app and uses your name, phone number, and address book to look up and contact people you know. Messages are decipherable only by participants in the conversation. 

Read more